Pour one out for Colt.

Colt disappeared yesterday, their status page says "technical issue"

https://www.colt.net/status/

Their customer portal is also MIA: https://online.colt.net

Colt Status Page - Colt Technology Services

Colt are dealing with what appears to be an undisclosed cyber incident. They firewalled their inbound EU infrastructure on the 12th - org:"COLT EU INFRASTRUCTURE" on Shodan.

Colt had ecrime IP addresses talking to a bunch of their Microsoft SharePoint servers (now offline), which also appeared to have webshells on them.

Colt's also started isolating some systems on COLT Technology Services Group Limited ASN (or they've otherwise lost 'em).

Colt have finally confirmed an ongoing cyber incident, after several days of pretending it was a technical issue to customers.

Btw although everything is written in the past tense, the customer facing systems (which include data on customers - eg Colt Online) are still offline now and the incident is very definitely still ongoing.

Colt are being extorted by Warlock ransomware group, they have been for over a week, Colt are trying to cover it up.

Entry likely via sharehelp.colt.net via CVE-2025-53770 as they were interacting with it.

They've stolen a few hundred gig of customer data and documentation and posted a file list on a forum.

Here's the forum post, it's a Russian Tor site.

Colt Telecom attack claimed by WarLock ransomware, data up for sale (BleepingComputer)

UK-based telecommunications company Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of some of the company's operations, including hosting and porting services, Colt Online and Voice API platforms.

There's apparently a mirror of the Colt file name tree here, for any orgs looking to establish their risk. https://mastodon.social/@casaundra/115033551022266815

There’s another plain text mirror here: https://www.klos.com/~john/colt_filename_tree.txt

Colt Technology Services are up on the Warlock ransomware group portal.

List of 400k files they have stolen: https://www.klos.com/~john/colt_filename_tree.txt

I’ve authenticated the filenames are real, eg they include customer documentation and performance reviews of Colt staff.

Colt also appears in Warlock's FAQ page, it's an echo of their RAMP forum post with a minor change ("Regarding data disclosure, we will selectively disclose certain data.")

My view is Colt shouldn't pay. It is directly funding organised crime - even if paid for via insurance/legal agents - and increases the risk to everybody else.

Warlock ransomware/extortion group have moved Colt full data unlock time to a week away, and said data auction is in progress.

Colt have setup a cyber incident page, set to noindex so Google etc can’t find it, detailing their incident.

https://www.colt.net/go/cyber-incident/

Confirms for first time customer documentation stolen and some scope of systems still offline.
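A page can be kept out of search results either with a robots meta tag in the HTML or with an X-Robots-Tag response header, and the thread keeps coming back to which of Colt's pages are set to noindex. The check below is an added example for this thread, not code from the posts or from Colt; it runs offline against constructed sample HTML and headers (the colt.net pages are not fetched) and reports where a noindex directive was found.

```python
"""Report where a page is marked noindex (robots meta tag or X-Robots-Tag).

Added example; the HTML and headers below are constructed samples, not
captured from colt.net.
"""
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collect the content of <meta name="robots"> style tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Crawler-specific tags (googlebot, bingbot) count as well.
        if a.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            self.directives.append(a.get("content", ""))


def _split_directives(value):
    """'noindex, nofollow' -> {'noindex', 'nofollow'} (case-insensitive)."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def noindex_sources(html, headers):
    """Return a list of strings describing each noindex directive found.

    `headers` is a dict of response headers; names are matched
    case-insensitively. An empty list means neither mechanism hides the
    page ("none" is treated as noindex, since it implies it).
    """
    found = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    for content in parser.directives:
        directives = _split_directives(content)
        if "noindex" in directives or "none" in directives:
            found.append(f"meta robots: {content}")
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # Header may be "noindex, nofollow" or "googlebot: noindex";
            # take the part after any bot-name prefix.
            directives = _split_directives(value.split(":")[-1])
            if "noindex" in directives or "none" in directives:
                found.append(f"X-Robots-Tag: {value}")
    return found


# Constructed samples (hypothetical pages, not the real Colt pages).
HIDDEN_HTML = (
    '<html><head><meta name="robots" content="noindex, nofollow">'
    "<title>Cyber Incident</title></head><body>Update</body></html>"
)
VISIBLE_HTML = "<html><head><title>Status</title></head><body>OK</body></html>"


def demo():
    """Run the check over the samples; returns a dict of findings."""
    return {
        "meta_hidden": noindex_sources(HIDDEN_HTML, {}),
        "header_hidden": noindex_sources(VISIBLE_HTML, {"X-Robots-Tag": "noindex"}),
        "visible": noindex_sources(VISIBLE_HTML, {"Content-Type": "text/html"}),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "indexable")
```

Both mechanisms need checking: a page with no robots meta tag can still be hidden by a header set at the web server or CDN, which is why the header branch is there.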

The status updates on Colt's website describing a "technical issue" have been removed, replaced with wording saying it was always a cyber incident.

Left - internet archive - https://web.archive.org/web/20250814102113/https://www.colt.net/status/
Right - now https://www.colt.net/status/#updates

Colt are now 10 days into their cyber incident (ransomware), systems are still offline.

I've written about the Colt Technology Services ransomware incident, with a focus on learnings for other organisations.

Guest appearance by @leakix for finding the webshell at Colt.

https://doublepulsar.com/colt-technical-services-gets-ransomwared-via-sharepoint-initial-access-some-learning-points-617da7e27ebc

#threatintel #ransomware

Colt are now 15 days into their cyber incident, the same systems are still offline.

Colt’s status page has been revised, removing most of the prior updates, with a new bolded statement around customer systems. https://www.colt.net/status/

The separate cyber incident page, detailing what happened, isn’t linked anywhere on their website and is set to noindex: https://www.colt.net/go/cyber-incident/

By repeatedly linking the Colt cyber incident page, I have got it into a Google search for Colt cyber incident though - the content is just hidden from search. https://www.colt.net/go/cyber-incident/

We really should be over the point of companies trying to hide their cyber incidents, it’s race to the bottom stuff.

A net side effect of Colt using noindex, btw, is my blog is the top Google hit with a description - it had 5k clicks yesterday from Google - and contains this email.

It’s pretty much a textbook example of Colt’s comms strategy hurting their business.

If anybody is wondering, Warlock not publishing Colt Technology Services data is intentional, just asked them. Presumably they are negotiating with the victim org.

Colt are now on day 20 of their ransomware incident. Same services still down. In the replies here multiple people have also suggested number portability is down, so telco customers cannot leave.

https://thx.gg/@interpipes/115128071621628294

Interpipes 💙 (@[email protected])

@[email protected] Colt is still paralysed, all install activities still at stop. "Maybe" some news at the end of this week. Maybe.


Microsoft are one of the many orgs caught up in the Colt ransomware incident. They haven't told customers for whatever reason, there's nothing in the O365 status portal for it.

If you use Teams with a purchased phone number... try not to have a problem 🤣 HT @cwatu

Colt have updated their cyber incident page to say they are having problems billing customers and issuing invoices.

However they may still apply late payment charges (good luck with that btw).

Colt are now on day 24 of their ransomware incident, same systems still down. I've heard from many people now that Colt are downplaying the seriousness of their situation and that they've effectively lost their back office IT.

Colt are on day 28 of their ransomware incident.

They’ve updated their cyber incident page, which isn’t linked on their website anywhere and is set to not index on search engines, to say they are committed to transparency.

They’ve entered the recovery phase, where they are rebuilding systems.

All of the offline customers systems from day one of the incident are still listed as offline btw.

Eg the Colt customer portal from the beginning of the thread. https://online.colt.net/

Colt appear to be outright lying in their latest cyber incident comms to customers. They're saying the threat actor only posted document titles to the dark web, however they neglect to mention they know the attacker C2 server, and they know what files were exfiltrated by the threat actor.

Their IR made a bunch of Opsec errors, including putting their IR reports into public sandboxes and submitting URLs of customer files to VirusTotal. I have receipts.

Colt have told some enterprise customers they will be unable to deliver new orders until early 2026.

In a new update on their cyber incident, Colt Technology Services say they are aiming to restore a majority of services by or around December. If that completes on time it should be around ~4 months since the incident began.

Been asked for an update on Colt Technology Services ransomware incident... there is none. The same services offline since day one of the incident (August 12th) are still offline today and there's been no updated customer comms for 10 days.

Colt's published an update for customers on their ransomware incident. https://www.colt.net/go/cyber-incident/#update

Colt said they would have key capabilities restored at the beginning of October. It's October now and the same systems are still offline, and they've published no weekly update. https://www.colt.net/go/cyber-incident/

Cyber Incident | Colt Technology Services

You may be experiencing issues accessing some of our portals - this is a precautionary measure due to an ongoing cyber incident.

It turns out Colt have decided to stop updating their cyber incident page (hidden from Google) and started emailing the same template to customers instead, while talking about their commitment to transparency. Here’s their latest update.

Colt Technology Services have decided to start updating their cyber incident page again. In their latest update, dated both 29th September, 2025 and 6th October, 2025, they say they have rebuilt two-thirds of their laptops so far, almost two months into the incident. As far as I know this is the first confirmation ransomware made it to laptops.

I pinged a staff member on LinkedIn who said they haven’t had a PC for the duration of the incident 😬

It’s just over 2 months into the Colt Technology Services ransomware incident. Their billing system is now back online so they’re invoicing customers for prior months, and they’re working on service restoration (really full rebuilds).

They’ve also set up a separate page about their cyber incident which is set to index on Google - however it says nothing about what actually happened, instead doing the Obama medal on itself for response. The actual customer page with updates is set to noindex.

Colt are still my biggest fans on LinkedIn, it’s several thousand visits this month over this thread 😅

for the record I know they’re the victim and I know these incidents suck. But it’s kinda important there’s external coverage of these things, especially when it relates to Critical National Infrastructure firms.

Colt restored their VMware Horizon remote access system today

https://venus.colt.net/

Omnissa Horizon

Latest on Colt Technology Services restoration from Warlock ransomware incident, they're approaching 3 months since their incident began.

Colt are continuing to restore services after their August ransomware incident. https://www.colt.net/status/#updates

@GossiTheDog 'New orders are being accepted' ... misleading, MS says multiple entire markets are still unavailable

@GossiTheDog CORRECTION: I'm your biggest fan on LinkedIn. Thanks for sharing this stuff.

@GossiTheDog, black text, something like 50% transparency? (Looks grey enough for me to call it that.)

Somebody at Colt has evidently failed on basic accessibility…

@GossiTheDog The rather vague update that Colt emailed out to customers on the 29th is available at https://www.colt.net/go/customer-communications-translated-versions/#english

Colt IT Incident - Customer Communications - Translated versions - Colt Technology Services

@GossiTheDog "Recent cyber incident targeting our Business Support System (BSS)" - are they saying it was Salesforce compromise? Potentially an exploit chain stemming from the Salesloft breach from August?

@GossiTheDog what's the update on your Internet? A repair was impacted too, right?

@GossiTheDog they're a great example to trot out for anyone who questions why you plan *for* the breach as well as for preventing the breach.

@GossiTheDog just in time for the Great Telco Christmas Shutdown, which is also why they're saying mid-Jan to restore functionality

@GossiTheDog came up again to have latest on this. Seeing a few of your posts have been deleted?

@GossiTheDog oh no. So uh, is HR going to reimburse for the shovels they keep buying?

@GossiTheDog There does not appear to be some kind of mirror of these IR reports somewhere, right? Obviously asking as a friend as I'd guess that nobody would want them circulated more than necessary...

@GossiTheDog Wholesale APIs still offline, and resellers are still yet to receive any direct formal communications about any of this (at least in my circles). Not a good look for future business.