U.K. telecoms giant Colt has been hit by a ransomware attack claimed by the Warlock gang. Some of its business support systems were affected and remain offline as a precaution while the incident is investigated. Around the same time, Australia’s TPG-owned telecoms company iiNet suffered a data breach after an unknown third party gained access to one of its systems using stolen employee credentials. The breach affected 280,000 people; the exposed data includes 10,000 personal phone numbers and home addresses and 1,700 modem passwords.
Because iiNet is a telecoms provider covered by Australia’s Security of Critical Infrastructure Act, the breach underscores the growing and persistent threat facing critical national infrastructure worldwide.
“We’re continuing to work tirelessly to restore the internal systems affected by the recent cyber incident,” Colt said in its latest update. “We understand how frustrating it is not to have access to some of our support services, such as Colt Online and our Voice API platform, and we appreciate your patience and understanding.”
The company has previously said that “We have the capability of monitoring our customers’ networks, and we continue to manage network incidents efficiently, but we’re working in a more manual way than normal. We’re working hard to get our automated monitoring capability fully restored.”
At the time of identifying the incident, Colt said it had “detected the cyber incident on an internal system. This system is separate from our customers’ infrastructure. We took immediate protective measures to ensure the security of our customers, colleagues, and business, and we proactively notified the relevant authorities.”
It added that “one of our protective measures involved us proactively taking some systems offline, which has led to the disruption of some of the support services we provide to our customers. Our technical team is focused on restoring the affected systems and is working closely with third-party cyber experts.”
In Australia, iiNet suffered a cyber incident involving unauthorised access to its order management system by an unknown third party.
“The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections,” the company detailed in an update on the cyber incident. “The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.”
Upon confirming the incident on Saturday, Aug. 16, iiNet enacted its incident response plan and began work to secure the system and determine what had occurred. “We have engaged external IT and cyber security experts to assist with our investigation. We are making direct contact with affected customers to apologise and inform them of this incident, and to provide support and guidance on what to do next.”
The company is also liaising with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Office of the Australian Information Commissioner (OAIC), and other relevant authorities in response to this incident.
iiNet urges customers to remain vigilant, especially towards suspicious communications received via email, text, or phone call, and to be alert to any unusual communications that claim to be from iiNet. Customers who reused the same credentials for other online accounts should reset those passwords. Strong and unique passwords are recommended for all accounts, including those linked to financial services, and should be updated regularly.
Additionally, multi-factor authentication should be enabled wherever possible, particularly for email, banking, and social media accounts. Caution is advised with emails or phone calls that request personal information or passwords. Personal information should not be shared unless the recipient’s identity is certain. Devices used to access online accounts should have up-to-date anti-virus software installed.
Commenting on the Colt attack, Darren Williams, founder and CEO of BlackFog, wrote in an emailed statement that “With reports of stolen data being put up for sale, this is the kind of incident every organisation dreads. The claims come from an apparently financially motivated emerging group, with government and education sectors already in its sights. This also highlights how service providers are on the frontline of cyber attacks. Operators face intense pressure not only to maintain service continuity but also to safeguard sensitive data, making them especially attractive targets in the eyes of cybercriminals.”
He added that with data exfiltration now the attackers’ tactic of choice, “the balance of power shifts the moment information begins leaving an organisation. Addressing this threat requires a particular focus on detecting suspicious activity and stopping data exfiltration before it happens.”
“iiNet is the latest Australian critical infrastructure operator to be breached via a third-party using compromised employee access credentials likely purchased off the dark web,” Tony Jarvis, field CISO and vice president for the APJ region at Darktrace, wrote in an emailed statement. “Credentials-based attacks are not new, nor are they particularly sophisticated. And while insidious and pervasive, they are preventable. Enterprise cybersecurity 101 says access credentials must be routinely updated with strong, unique passwords and MFA enabled.”
Jarvis added that Australian organisations must heed these third-party attacks as a call to action. “Cybercriminals are using AI to automate attacks, and only AI-augmented cybersecurity can defend against it. Investing in stronger visibility over, and insights into, third-party providers’ cyber posture must be a business priority.”
The ransomware and data theft incidents in the U.K. and Australia affecting the telecom sector come as Norway’s Police Security Service (PST) confirmed that pro-Russian hackers seized control of a dam in Bremanger, western Norway, in April, opening a floodgate and letting water flow undetected for four hours. PST described the breach as a deliberate show of Moscow’s ability to remotely compromise critical infrastructure.
Polish officials also revealed that a cyberattack nearly shut down the water supply to a major city last week.
The attempt was thwarted, Deputy Prime Minister Krzysztof Gawkowski said, without naming the attackers or the city that was targeted. “At the last moment, we managed to see to it that when the attack began, our services had found out about it and we shut everything down,” Gawkowski said. “We managed to prevent the attack.”