UK telco Colt suffers major ransomware attack claimed by Warlock gang


Colt Online portal and Voice API platform remain offline


London-headquartered telecommunications and network services provider Colt Technology Services is grappling with recovery efforts following a significant ransomware attack.

The incident, which disrupted various customer-facing systems, was claimed by the Warlock ransomware gang and is believed to have resulted from exploitation of a Microsoft SharePoint vulnerability.

The attack began on Tuesday, 12th August 2025, at approximately 11:00 AM BST, initially appearing as a technical issue as customers reported interruptions in service.

By Thursday, 14th August, Colt confirmed it was responding to a cyber incident affecting its internal systems, specifically disrupting the Colt Online support services and Voice API platforms.

The company stated that the affected systems are separate from customer infrastructure, but that it took proactive protective measures, including taking these systems offline, to safeguard customers, employees and the business.

Colt has apologised for the disruption, saying it is working around the clock to restore services.

Customers are advised to reach out via email or phone, though longer response times may occur due to the circumstances.

As of the latest updates, the Colt Online portal and Voice API platform remain offline as restoration is underway.

Colt security teams continue to investigate the incident, collaborate with third-party cybersecurity experts, and work closely with authorities to manage the ongoing situation.

The firm says it remains focused on restoring its systems securely and preventing any further impact on customers and business operations.

Founded in 1992 as City of London Telecommunications (COLT) and later rebranded, the company has grown substantially with a presence in 40 countries and 230 cities, servicing over 32,000 buildings across Europe, Asia, and North America.

Since going private in 2015 under Fidelity Investments, and with its recent $1.8 billion acquisition of Lumen EMEA in 2023, Colt has expanded its customer base significantly.

Warlock claims responsibility

As reported by Bleeping Computer, the Warlock ransomware gang has claimed responsibility for the breach, posting details of its intrusion on dark web leak sites.

A hacker using the handle ‘cnkjasdfgd’ asserted that over one million documents were stolen, including employee, customer and financial data, as well as information on Colt’s network architecture and software development.

The gang is reportedly demanding a ransom of $200,000 (about £147,500) for the stolen data.

Security researcher Kevin Beaumont noted that the attack may have exploited a recently patched security feature bypass vulnerability in Microsoft SharePoint Server (CVE-2025-53770).

This flaw allows attackers to steal cryptographic keys from unpatched servers, enabling remote code execution through malicious requests.

The vulnerability is part of an exploit chain known as ToolShell, which has been linked to Chinese state-backed threat actors and has reportedly caught the interest of the Warlock gang.

The Warlock group, which first emerged in June, has quickly gained notoriety.

In its launch advertisement, titled “If you want a Lamborghini, please call me” and posted on a Russian cybercrime forum, the gang pitched itself as a high-profile ransomware actor.

Since then, it has been linked to around 11 confirmed cyberattacks and has claimed responsibility for 19 more, targeting organisations across government, finance, manufacturing and technology sectors.
