In a recent statement, Colt Technology Services, a prominent British multinational telecommunications company, disclosed that it is grappling with significant disruptions due to a cyber incident. The company’s customer portal and support services have been down for several days, with the initial issues detected in the week of August 12. Colt assured its clients that the compromised internal system is distinct from its customers’ infrastructure, but several services, including Colt Online and the Voice API platform, remain inaccessible.
The WarLock ransomware group has claimed responsibility for the attack, boasting that they have exfiltrated “1 million documents” from Colt. These documents reportedly contain sensitive information such as employee salaries, customer contact details, executive personal information, and emails. The group has brazenly offered this stolen data for sale on its dark web leak site for $200,000. A hacker identified as “cnkjasdfgd,” purportedly a member of WarLock, echoed these claims on a well-known criminal forum, which was later reported by Bleeping Computer.
In response, Colt has taken proactive measures, shutting down some services to mitigate further damage. The telecommunications giant has mobilized its technical team in collaboration with third-party cybersecurity experts to restore the compromised systems. Despite the setback, Colt maintains its capability to monitor customer networks and manage incidents, albeit through manual processes until its automated systems are back online. The company operates an extensive network spanning over 50 metropolitan areas across Europe, Asia, and North America.
Cybersecurity expert Kevin Beaumont has reviewed a list of 400,000 files alleged to have been stolen, confirming that the filenames indeed correspond to genuine customer documentation and Colt staff performance reviews. Beaumont suspects that the hackers exploited vulnerabilities in on-premises Microsoft SharePoint systems, a flaw known as ToolShell. This suspicion aligns with Microsoft’s previous warnings in July about a threat actor, Storm-2603, exploiting these vulnerabilities to deploy WarLock ransomware.
Furthermore, Beaumont pointed out that Colt’s exposure of the domain sharehelp.colt.net to the internet may have facilitated the hackers’ entry, emphasizing the need for robust security measures. As the investigation continues, Colt Technology Services is working diligently to resolve the issue and reinforce its defenses against such cyber threats in the future.
