
Colt Telecom Cyber Attack Claimed by WarLock Ransomware Gang Causes Multi-Day Service Disruption

A cyber attack has caused widespread multi-day service disruption at the British telecommunications service provider Colt Telecom.

City of London Telecommunications (COLT) has offices in over 30 countries across North America, Europe, and Asia. It manages nearly 1,000 data centers and roughly 75,000 km of fiber infrastructure.

On August 14, 2025, the telecom said it had detected a cyber attack that began two days earlier, on August 12. On learning of the intrusion, Colt proactively took some systems offline to contain it.

Cyber attack causes Colt Telecom service disruption

Although Colt Telecom’s cyber incident response team was working around the clock to mitigate the impacts of the cyber attack, service disruption has persisted for days.

According to the company, the disruption did not affect its core network infrastructure, meaning Colt customers could still use its network services; the outage was confined to support-layer systems.

Colt also said it could still monitor its customers' networks, although staff were relying on manual processes more than usual.

“There’s this operational ripple effect when you’re a service provider and support-layer services go down,” assessed Gabrielle Hempel, Security Operations Strategist at Exabeam. “Even though Colt claims its ‘core network infrastructure’ is still intact, the outage of hosting, porting, and API services still disrupts customer trust and downstream operations.”

Colt Telecom advised customers to contact support by email or phone while the outage continues, but warned that responses could be slow.

The company did not provide a clear timeline for restoring service. A week after the apparent ransomware attack, the Colt Online customer portal and the Voice API platform remained unavailable.

Colt has not disclosed the threat actor's identity, but it has reported the cyber attack to the relevant authorities.

Colt has also not disclosed whether the attacker stole any customer data, how many individuals may be affected, or whether it received a ransom demand. Nor has it stated whether the service disruption was the result of a ransomware attack.

Evan Powell, CEO at DeepTempo, warned that "service providers have an immense challenge" because "they are attractive targets" for cybercriminals.

“They can be used for surveillance and to penetrate user environments by attackers – so they themselves are perhaps the most attractive attack vector to attackers,” Powell added. “And service providers are responsible for keeping a network safe that has systems on it that they do not control – i.e. their own customer’s systems.”

He predicted “many more successful attacks” on service providers, “until they and their vendors deploy truly ‘proactive’ defenses, based upon the ability to actually see when they are being attacked.”

WarLock ransomware gang claims responsibility for the Colt Telecom cyber attack

The WarLock ransomware group has since claimed responsibility for the Colt Telecom cyber attack and the resulting service disruption.

WarLock claims to have stolen employee, customer, executive and financial data, internal emails, and software development information.

Colt Telecom has yet to confirm these claims, but the group leaked data samples as proof that it had obtained the allegedly stolen material.

“With reports of stolen data being put up for sale, this is the kind of incident every organization dreads,” noted Dr. Darren Williams, Founder and CEO of BlackFog. “The claims come from an apparently financially motivated emerging group, with government and education sectors already in its sights.”

“With data exfiltration now the attackers’ tactic of choice, the balance of power shifts the moment information begins leaving an organization. Addressing this threat requires a particular focus on detecting suspicious activity and stopping data exfiltration before it happens,” noted Williams.

Neither Colt nor the threat actor disclosed the vector exploited during the cyber attack. However, independent threat hunter and former Microsoft Senior Threat Intelligence Analyst Kevin Beaumont claims that the cyber attack exploited the ToolShell SharePoint vulnerability CVE-2025-53770.

Beaumont added that the attackers exfiltrated hundreds of gigabytes of data after exploiting the remote code execution flaw. He also said he had reviewed the leaked files and found them genuine, including customer documentation and staff performance reviews.

Beginning July 19, 2025, Microsoft published emergency guidance and security updates for the SharePoint ToolShell vulnerabilities CVE-2025-53770 and CVE-2025-53771, with patches for all supported on-premises versions available after July 21.

Nonetheless, tens of thousands of on-premises SharePoint instances reportedly remain exposed to the internet without the recommended fixes.
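Since neither Colt nor the attacker has described the intrusion and the article only reports Beaumont's attribution to CVE-2025-53770, a defender's practical next step is to check their own SharePoint IIS logs for the publicly documented ToolShell exploitation pattern. The script below is an added example for this article, not code from Colt, Beaumont or Microsoft. The two indicators it looks for come from Microsoft's public customer guidance for CVE-2025-53770: a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`, and any request for the `spinstall0.aspx` web shell. The log lines, hostnames and IP addresses are constructed; the version-agnostic `_layouts/<n>/` path match is an assumption.

```python
"""Scan IIS W3C-format logs for the ToolShell (CVE-2025-53770) exploitation pattern.

Indicators (from Microsoft's public guidance for CVE-2025-53770, not from the article):
  1. POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit... with Referer /_layouts/SignOut.aspx
  2. any request for spinstall0.aspx, the web shell dropped by the public exploit chain
Legitimate page edits also POST to ToolPane.aspx, so the SignOut referer is what
separates the auth-bypass from normal editing; the sample log includes a benign edit.
"""
from dataclasses import dataclass
import re
import sys

# Assumption: accept any _layouts/<version>/ prefix, not only /15/.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
WEBSHELL_RE = re.compile(r"spinstall0\.aspx", re.I)


@dataclass
class Hit:
    line_no: int      # 1-based line in the log file
    client_ip: str    # c-ip field
    indicator: str    # which rule fired


def parse_w3c(lines):
    """Yield (line_no, record) for each data line, using the #Fields directive for names."""
    fields = None
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order is declared in the log itself
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):         # skip truncated or malformed lines
            continue
        yield n, dict(zip(fields, values))


def classify(rec):
    """Return an indicator label for a single request record, or None if benign."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-").lower()
    referer = rec.get("cs(Referer)", "-").lower()
    if WEBSHELL_RE.search(stem):
        return "spinstall0.aspx web shell request"
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query
            and "/_layouts/signout.aspx" in referer):
        return "ToolPane.aspx POST with SignOut referer (ToolShell auth bypass)"
    return None


def scan(lines):
    """Run classify() over every record; return the list of Hit objects in log order."""
    return [Hit(n, rec.get("c-ip", "?"), ind)
            for n, rec in parse_w3c(lines)
            if (ind := classify(rec))]


# Constructed sample log (hosts and addresses are fictional); line 4 and 5 are malicious,
# line 6 is a legitimate page edit with a normal referer and must not match.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2025-08-12 03:14:07 10.0.0.5 GET /sites/ops/SitePages/Home.aspx - 443 198.51.100.7 Mozilla/5.0 - 200
2025-08-12 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 203.0.113.44 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-08-12 03:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.44 Mozilla/5.0 - 200
2025-08-12 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 10.0.0.9 Mozilla/5.0 https://sp.example.test/sites/ops/default.aspx 200
"""

if __name__ == "__main__":
    # Usage: python toolshell_scan.py [iis_log_file]; with no argument the sample log is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan(fh.read().splitlines())
    else:
        hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h.line_no}: {h.client_ip} -> {h.indicator}")
```

A match on the first rule means the authentication bypass was attempted; a match on the second means the chain got far enough to drop a web shell, and the host should be treated as compromised (machine keys rotated, not just patched) rather than merely unpatched.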

“A SharePoint RCE or something of similar severity needs to be measured in hours, not weeks, for externally accessible systems,” added Hempel. “For critical infrastructure providers, RCE patch pipelines need to be prioritized and automated wherever possible for internet-facing services.”