Pour one out for Colt.

Colt disappeared yesterday, their status page says "technical issue"

https://www.colt.net/status/

Their customer portal is also MIA: https://online.colt.net

Colt are dealing with what appears to be an undisclosed cyber incident. They firewalled their inbound EU infrastructure on the 12th - org:"COLT EU INFRASTRUCTURE" on Shodan.
Colt had ecrime IP addresses talking to a bunch of their Microsoft SharePoint servers (now offline), which also appeared to have webshells on them.
Colt's also started isolating some systems on COLT Technology Services Group Limited ASN (or they've otherwise lost 'em).
Colt have finally confirmed an ongoing cyber incident, after several days of pretending it was a technical issue to customers.
Btw although everything is written in the past tense, the customer facing systems (which include data on customers - eg Colt Online) are still offline now and the incident is very definitely still ongoing.

Colt are being extorted by Warlock ransomware group, they have been for over a week, Colt are trying to cover it up.

Entry likely via sharehelp.colt.net via CVE-2025-53770 as they were interacting with it.

They've stolen a few hundred gig of customer data and documentation and posted a file list on a forum.

Here's the forum post, it's a Russian Tor site.
Colt Telecom attack claimed by WarLock ransomware, data up for sale

UK-based telecommunications company Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of some of the company's operations, including hosting and porting services, Colt Online and Voice API platforms.

BleepingComputer

There's apparently a mirror of the Colt file name tree here, for any orgs looking to establish their risk. https://mastodon.social/@casaundra/115033551022266815

There’s another plain text mirror here: https://www.klos.com/~john/colt_filename_tree.txt

Colt Technology Services are up on the Warlock ransomware group portal.

List of 400k files they have stolen: https://www.klos.com/~john/colt_filename_tree.txt

I’ve authenticated the filenames are real, eg they include customer documentation and performance reviews of Colt staff.

Colt also appears in Warlock's FAQ page, it's an echo of their RAMP forum post with a minor change ("Regarding data disclosure, we will selectively disclose certain data.")

My view is Colt shouldn't pay. It is directly funding organised crime - even if paid for via insurance/legal agents - and increases the risk to everybody else.

Warlock ransomware/extortion group have moved Colt full data unlock time to a week away, and said data auction is in progress.

Colt have set up a cyber incident page, set to noindex so Google etc. can't find it, detailing their incident.

https://www.colt.net/go/cyber-incident/

Confirms for first time customer documentation stolen and some scope of systems still offline.

The status updates on Colt's website describing a "technical issue" have been removed and replaced, so that it has always been a cyber incident.

Left: Internet Archive, https://web.archive.org/web/20250814102113/https://www.colt.net/status/
Right: now, https://www.colt.net/status/#updates

Colt are now 10 days into their cyber incident (ransomware), systems are still offline.

I've written about the Colt Technology Services ransomware incident, with a focus on learnings for other organisations.

Guest appearance by @leakix for finding the webshell at Colt.

https://doublepulsar.com/colt-technical-services-gets-ransomwared-via-sharepoint-initial-access-some-learning-points-617da7e27ebc

#threatintel #ransomware

Colt Technology Services gets ransomware'd via SharePoint initial access — some learning points

Colt are now 15 days into their cyber incident, the same systems are still offline.

Colt’s status page has been revised, removing most of the prior updates, with a new bolded statement around customer systems. https://www.colt.net/status/

The separate cyber incident page, detailing what happened, isn’t linked anywhere on their website and is set to noindex: https://www.colt.net/go/cyber-incident/

By repeatedly linking the Colt cyber incident page, I have got it into a Google search for Colt cyber incident though - the content is just hidden from search. https://www.colt.net/go/cyber-incident/

We really should be over the point of companies trying to hide their cyber incidents, it’s race to the bottom stuff.

A net side effect of Colt using noindex, btw, is my blog is the top Google hit with a description - it had 5k clicks yesterday from Google - and contains this email.

It’s pretty much a textbook example of Colt’s comms strategy hurting their business.

If anybody is wondering, Warlock not publishing Colt Technology Services data is intentional, just asked them. Presumably they are negotiating with the victim org.

Colt are now on day 20 of their ransomware incident. Same services still down. In the replies here multiple people have also suggested number portability is down, so telco customers cannot leave.

https://thx.gg/@interpipes/115128071621628294


Microsoft are one of the many orgs caught up in the Colt ransomware incident. They haven't told customers for whatever reason, there's nothing in the O365 status portal for it.

If you use Teams with a purchased phone number... try not to have a problem 🤣 HT @cwatu

Colt have updated their cyber incident page to say they are having problems billing customers and issuing invoices.

However they may still apply late payment charges (good luck with that btw).

Colt are now on day 24 of their ransomware incident, same systems still down. I've heard from many people now that Colt are downplaying the seriousness of their situation and that they've effectively lost their back office IT.

Colt are on day 28 of their ransomware incident.

They’ve updated their cyber incident page, which isn’t linked on their website anywhere and is set to not index on search engines, to say they are committed to transparency.

They’ve entered the recovery phase, where they are rebuilding systems.

@GossiTheDog they do appear to say they'll apply late payment charges IF they manage to invoice correctly.

Thx for your reporting on this BTW 👍

@GossiTheDog Do you have any indication that this outage also affects non-UK Colt customers?

@GossiTheDog my MS Teams phone number (bought from MS, not a port in) is a Colt number, this is what it shows when creating a new ticket with Teams PSTN support. No health advisory in MS admin centre.

@cwatu @GossiTheDog That seems like it has no business not being a health advisory. I can see why MS might not want to deliver a "the cloud is just someone else's computer that isn't working right now" message; but if it's your vendor or your contractor it is your service. This isn't some customer-can't-reach-our-endpoints-that-are-definitely-up issue.

@cwatu @GossiTheDog Is this also why you can't add a phone number to a MS account right now (at least in Europe)?

@GossiTheDog Colt is still paralysed, all install activities still at stop. "Maybe" some news at the end of this week. Maybe.

@GossiTheDog google bombing is still alive and well?

@GossiTheDog Image description: Screenshot of the Colt status page saying:

"Network Incidents

LATEST
26th August 2025

Thank you for your patience while some support services, including Colt Online and our Voice API platform, remain temporarily unavailable.

This is part of our response to a recent cyber incident.

The incident was detected on an internal system that is completely separate from our customers’ infrastructure. No customer systems were affected.

Our teams continue to work closely with cyber experts to restore services as quickly as possible.

We very much appreciate your continued support and patience."

@GossiTheDog out of curiosity: how did you discover the page?

@GossiTheDog I had to look up which one: affected is Colt Technology Services (network provider), not Colt Defense (the revolver company).

@GossiTheDog That's retconning on a George Lucas level. "Somehow, the cyber incident returned."

@GossiTheDog Do you by chance know anyone over at MSFT that works in the partner program? lol

Cyber Incident | Colt Technology Services

You may be experiencing issues accessing some of our portals - this is a precautionary measure due to an ongoing cyber incident.

@GossiTheDog I'm worried that they got documentation on their customer network and router configurations. That could open up a lot of new attack paths.

@GossiTheDog they've forgotten to mention that they still can't port numbers in or out.

@GossiTheDog as for "contact us by phone" hold times have been - for those unlucky souls to have a fault and the patience to try and phone it through - in excess of an hour.

@GossiTheDog Was momentarily afraid they did not understand my concern. I feel better now.

@GossiTheDog "yes hello I would like to send $200,000 to some terrorists please"

@GossiTheDog there are potentially a lot of passwords that need changing too

@GossiTheDog Since it's just the tree, if someone could snapshot it safely and put a text-only version of it somewhere (like a GitHub gist), folks would probably appreciate that

@tychotithonus @GossiTheDog I am not a security guy, so I am wondering why is the file tree important?

@apublicimage @GossiTheDog Often, the filenames contain important metadata (which companies' data, what kind of data, etc.)
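As an added example (not code from the thread, from Colt, or from anyone posting here), a small Python triage script for the point made above and in the earlier post linking the file tree "for any orgs looking to establish their risk": it parses a constructed tree listing (fake names, not the real leak), labels each path by sensitivity, and reports how many leaked paths mention each name on a watch list. The category rules and the two-space indent are assumptions you would adjust to the real listing.

```python
import re
from collections import Counter
# Constructed sample (fake names) in the indented tree style of leak listings; not real Colt data.
SAMPLE_TREE = """\
customers/
  ExampleBank Ltd/
    ExampleBank-MPLS-design-v3.docx
    router-configs/
      lon-pe01.cfg
  Acme Logistics/
    acme-fault-report-2025-07.pdf
HR/
  performance-reviews/
    jsmith-2024-review.xlsx
ops/
  vpn-credentials-export.csv
"""

# Ordered rules, most sensitive first; the first match wins.
CATEGORY_RULES = [
    ("secrets", re.compile(r"credential|password|vault|secret|\.pem$|\.key$", re.I)),
    ("network config", re.compile(r"\.cfg$|\.conf$|config", re.I)),
    ("hr", re.compile(r"performance|review|payroll|salary", re.I)),
    ("documentation", re.compile(r"\.(docx?|pdf|xlsx?|pptx?|vsdx?)$", re.I)),
]

def parse_tree(text, indent=2):
    """Turn an indented tree listing into full paths; directories end with '/'."""
    paths, stack = [], []
    for raw in text.splitlines():
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        name = raw.strip()
        del stack[depth:]  # pop back to this entry's parent directory
        if name.endswith("/"):
            stack.append(name.rstrip("/"))
        else:
            paths.append("/".join(stack + [name]))
    return paths

def classify(path):
    """Label one path by the first CATEGORY_RULES pattern it matches."""
    return next((label for label, rx in CATEGORY_RULES if rx.search(path)), "other")

def exposure_report(paths, org_terms):
    """Per watch-list term: how many leaked paths mention it, broken down by category."""
    report = {}
    for term in org_terms:
        hits = [p for p in paths if re.search(re.escape(term), p, re.I)]
        report[term] = {"files": len(hits), "by_category": dict(Counter(map(classify, hits)))}
    return report
```

Run it against the full listing with your own company names, domains and circuit IDs as the watch list; a non-zero "network config" or "secrets" count is the signal to start credential and config rotation.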

@GossiTheDog "file.kiwi" is up to 7000%. Is this maths like how someone is going to bring drug prices down by > 1000%? I'm genuinely curious why people would use services like "file.kiwi" that clearly don't work.

Enjoy:

https://www.klos.com/~john/colt_filename_tree.txt
@GossiTheDog that service may be overwhelmed at the moment. Download doesn’t seem to be happening
@GossiTheDog yeah, I mean, even we appear in here, but it seems to be just the one file with our name in it and it is presumably the output from some field testing for a fault
@GossiTheDog You can tell which ransomware groups Crowdstrike operates by what companies are running that get compromised ;)

@GossiTheDog Apparently, Colt's slogan was missing some punctuation... That is, instead of

colt
Secure your network from cyber
threats and security incidents

it should have been

Colt, secure your network from cyber threats and security incidents!

@GossiTheDog any mirror for the filebin txt?

@Sentry23 @GossiTheDog If you go with the .zip option, it will allow you to download the file list.

@pedro @GossiTheDog Ah, I overlooked that one, thanks!

@GossiTheDog this is useful. Thanks for sharing.

@GossiTheDog Argh, I was too late for the filebin. Anyone willing to share or at least provide some info regarding the contents and if the claims are legit?

@GossiTheDog
Oh, THAT COLT, the telecom, not the gun manufacturer.
@GossiTheDog any link to an official announcement? Or claim for WL?
RansomLook on social.circl.lu:

New post from #Warlock : Colt.Net More at : https://www.ransomlook.io/group/Warlock #Ransomware