Colt Confirms Ransomware Breach Exposed Customer Data


UK-based telecommunications giant Colt Technology Services has confirmed that customer data was compromised in a sophisticated ransomware attack orchestrated by the Warlock cybercriminal group.

The incident, which began on August 12, 2025, has resulted in significant service disruptions and raised serious concerns about data security in the telecommunications sector.

The attack leveraged critical vulnerabilities in Microsoft SharePoint Server, specifically exploiting the CVE-2025-53770 vulnerability.

Security researchers identified that Warlock affiliates used this SharePoint authentication bypass to rapidly gain elevated privileges and move laterally within Colt’s network.

The vulnerability has been particularly damaging because exploitation can yield persistent access through theft of the server's cryptographic machine keys.

By compromising SharePoint’s ValidationKey and DecryptionKey, attackers can forge authentication tokens and maintain access even after standard mitigation efforts like server reboots.
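As an added illustration, not from the article, the toy model below shows why a reboot does not evict an intruder who holds the ValidationKey while rotating the key does: tokens are MAC-validated with the key that lives in configuration, so a restart reloads the same key, whereas rotation invalidates everything minted under the old one. The class and function names (AspNetLikeServer, demo) are invented for this example, and the HMAC scheme is a simplified stand-in for ASP.NET's ViewState MAC rather than its real format.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class AspNetLikeServer:
    """Minimal stand-in (constructed for this example) for a web server that
    validates tokens with a MAC keyed by the machine ValidationKey."""

    def __init__(self, validation_key: bytes) -> None:
        self.validation_key = validation_key

    def issue(self, payload: bytes) -> bytes:
        # Anyone holding validation_key can produce a token the server accepts;
        # that is exactly why a stolen key is a persistence problem.
        tag = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return base64.b64encode(payload + tag)

    def accepts(self, token: bytes) -> bool:
        raw = base64.b64decode(token)
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    def reboot(self) -> "AspNetLikeServer":
        # The key is persisted in configuration, so a restart reloads the same one.
        return AspNetLikeServer(self.validation_key)

    def rotate_key(self) -> "AspNetLikeServer":
        # Rotation replaces the key, so every token made with the old key fails.
        return AspNetLikeServer(secrets.token_bytes(64))


def demo() -> dict:
    server = AspNetLikeServer(secrets.token_bytes(64))
    # Token minted with the current key (the one an intruder might have copied).
    token = server.issue(b"user=svc;role=admin")

    tampered = bytearray(base64.b64decode(token))
    tampered[0] ^= 0x01  # flip a payload bit without the key: the MAC must fail
    tampered = base64.b64encode(bytes(tampered))

    return {
        "survives_reboot": server.reboot().accepts(token),
        "survives_rotation": server.rotate_key().accepts(token),
        "tampered_rejected": not server.accepts(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for responders is that key rotation, not a restart, is the step that closes this door.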

This sophisticated approach demonstrates the advanced capabilities of the Warlock group, which has been attributed to Chinese threat actors known as Storm-2603.

This zero-day vulnerability, dubbed “ToolShell,” allows unauthenticated attackers to achieve remote code execution through improper deserialization of untrusted data.

Colt’s investigation revealed that the threat actors accessed approximately one million documents containing highly sensitive information.

The stolen files reportedly include employee salary data, financial information, customer contracts, personal details of executives and staff, network architecture designs, and software development files.

The ransomware group is now attempting to auction this data for $200,000 on the Ramp cybercrime forum.

Operational Impact and Service Disruptions

The cyberattack forced Colt to proactively take multiple business support systems offline as a protective measure, resulting in widespread service disruptions.

Critical customer-facing services remain unavailable, including the Colt Online customer portal, Number Hosting APIs, and the Colt On Demand network-as-a-service platform. The company’s Voice API platform has also been offline since the attack began.

Colt’s automated monitoring capabilities and customer-focused processes have been significantly impacted, forcing the company to operate in a more manual capacity than normal.

This has created substantial delays in responding to customer inquiries and fulfilling service requests. The telecommunications provider, which operates across 30 countries and connects 900 data centers through 75,000 kilometers of fiber network, says it continues to work around the clock to restore full functionality, but has not given a specific timeline for complete recovery.

The company emphasized that the compromised systems are business support infrastructure, strictly separated from customer network infrastructure, ensuring that authentication systems are not shared between environments.

However, the distinction provides little comfort given the extensive nature of the data breach and the ongoing service disruptions affecting customers across Europe, Asia, and North America.

Industry-Wide Ransomware Escalation

This attack represents part of a broader surge in ransomware targeting telecommunications infrastructure throughout 2025.

The Warlock group has emerged as a particularly aggressive threat actor, claiming 22 new victims since mid-August 2025, including other major telecommunications providers like Orange.

The group’s rapid expansion demonstrates the effectiveness of their SharePoint exploitation techniques and their ability to monetize stolen data through underground marketplaces.

Colt’s incident highlighted the telecommunications sector’s vulnerability to sophisticated nation-state and criminal ransomware operations.

The company has engaged specialist third-party investigation, forensic, and cyber security experts while working closely with law enforcement agencies and regulatory authorities.

Despite these efforts, the attack underscores the critical need for enhanced cybersecurity measures across the telecommunications industry, particularly given the sector’s role in supporting critical infrastructure and sensitive customer communications worldwide.

The Warlock group’s use of zero-day vulnerabilities and advanced persistence mechanisms positions them as a significant threat in the current ransomware landscape.

Their focus on high-value targets in government and enterprise sectors, combined with double-extortion tactics involving both encryption and data theft, represents an evolution in ransomware operations that demands immediate attention from cybersecurity professionals and industry stakeholders.
