Colt Technology Services has admitted that data was stolen in a cyber incident. It had previously declined to confirm this, even though the Warlock hacker group had already made clear that it was selling the stolen customer data to the highest bidder.
The consequences of the attack are still being felt. The Colt Online customer portal and the Voice API platform have been out of service since August 12. Some customers are also experiencing problems with the number hosting API and the Colt On Demand network-as-a-service platform.
No timeline has been given for the full restoration of normal operations. The company apologizes for the inconvenience to customers but says it is doing everything possible to restore services.
From denial to acknowledgment
Colt initially stated that only internal systems had been affected by Warlock. Extensive investigation has since shown that this is not the case. On a new page, the telco states that “some data” has been stolen; customers can request a list to check whether they are named in what Warlock has posted on the dark web. That list reflects what the attackers claim to hold, which does not necessarily correspond to the data that was actually stolen.
This is the reverse of how a breach notification normally works: a company affected by a data breach tells its customers that their data may have been stolen. Colt still says it does not know exactly what data was taken or whose information is involved. Its incident response team is now working continuously with external investigators and forensic experts to determine the scale of the breach.
Unusual auction strategy
The Warlock group chose an atypical approach to selling the stolen data. Instead of the usual double-extortion playbook, in which attackers first publish a sample of what they have taken as proof and as pressure on the victim, a private auction is under way, ending on August 27.
RansomHub used a similar strategy against the auction house Christie’s, The Register notes. Experts suggest that this lets attackers save face when they have not stolen enough valuable data to justify a meaningful ransom demand.
SharePoint as a point of entry
Research by Trend Micro confirms that Warlock is one of the ransomware groups exploiting now-patched SharePoint vulnerabilities. Security researcher Kevin Beaumont suggested early on that this was the entry route used at Colt.
The group appeared in June on the Russian cybercrime forum RAMP, where it encouraged criminals to get in touch “if they wanted to own a Lamborghini.” According to Trend Micro, Warlock quickly amassed an impressive list of victims, half of which were government organizations.