Colt Technology Services is experiencing a “cyber incident” that has forced the company to shut down some services temporarily.
On August 14, the London-based telecommunications giant publicly confirmed that an internal system was breached.
Although this system was disconnected from its customer-facing infrastructure, the company has taken some systems offline in response to the incident.
This action has disrupted some of its support services, including hosting and porting services, Colt Online and Voice API platforms. Both are still unavailable to customers at the time of writing.
Customers have been advised to contact the company via email or phone if they need to get in touch.
Warlock Ransomware Gang Claims Attack
Ransomware monitoring platforms Ransomware.live and RansomLook detected that the Warlock ransomware group claimed responsibility for the breach on August 16.
At the time of the incident, a user of the RAMP hacker forum, who claimed to be affiliated with Warlock, posted that they were selling “one million stolen documents” from Colt for $200,000.
The data included what they described as financial records, employee and customer data, executive communications, internal emails and proprietary software development files.
To substantiate the claim, the threat actor has released a 400,000-file sample of data as proof of the breach’s legitimacy. According to security researcher Kevin Beaumont, it appears that the filenames included in the sample are from real Colt-related files.
Exploited SharePoint Flaw May Have Led to Breach
The breach may have originated from activity targeting the company’s SharePoint servers to exploit CVE-2025-53770, one of the two vulnerabilities involved in the ‘ToolShell’ exploit chain, Beaumont suggested in analysis shared on social media.
Beaumont’s analysis of Shodan scan data found that IP addresses linked to cybercriminal operations were observed probing Colt’s systems before the attack.
He further noted that Colt’s SharePoint servers were abruptly taken offline, with evidence pointing to possible webshell implants, a common tactic for maintaining unauthorized access.
Public records also indicated that Colt rushed to implement firewall protections for its EU infrastructure on the same day it first disclosed technical disruptions, he added.