
UK telco Colt’s recovery from August cyberattack pushes into November

Brit telco Colt Technology Services says its recovery from an August cyberattack might not be completed until late November.

The Warlock ransomware group claims to be behind the digital break-in, which started causing issues on August 12. If Colt’s estimated return-to-normal timeframe is accurate, the time spent tackling the disruption would amount to more than three and a half months.

“We have been working around the clock to restore our core processes and systems and thank you for your patience and support during this time,” Colt said in its most recent update.

It went on to say: “We understand how important it is for customers to have a clear sense of timing. Our plan is designed to complete the majority of recovery efforts within 8-10 weeks, with critical customer services prioritized for restoration early in the phased approach.

“We will share an update on service delivery and service assurance soon and continue to update you weekly on our recovery and restoration efforts.”

Colt contracted external cybersecurity experts to probe its business support system (BSS) and operational support system (OSS).

It said these are two separate systems, and a pentest indicated that the telco should have no reason to believe the OSS is at risk of compromise.

“Additionally, we can also confirm that important foundational work in our recovery program is now complete, and we are moving at pace on the restoration of our core processes and systems, which we will bring back in a deliberate sequence.”

The telco’s service status page indicates that network infrastructure is operational, but issues persist with “some customer platforms,” which remain unavailable.

Colt’s customer portal, its network as a service portal, and a number of hosting APIs are still unavailable, meaning customers are limited in what they can do in terms of managing their network and voice services.

Additionally, its billing function remains affected by the attack, with Colt experiencing delays in issuing new invoices to customers.

It is still able to collect payments through contractually agreed methods, although direct debit collections are disrupted or delayed in some cases.

“As our payments processing is still active, there is no change to the payment due date listed on the invoice as per agreed terms,” said Colt. “This includes any delayed invoices, for which payment terms will start from the date the invoice is issued.

“We also expect some delays to issuing late payment invoices due to the ongoing disruption affecting our ability to raise invoices. For clarity, late payment charges may still apply for delayed payments on any issued invoices.”

Colt said it has notified the relevant authorities in 27 different countries, filing more than 75 reports to regulators, law enforcement bodies, cybersecurity agencies, and emergency services.

Warlocked

A quick glance at the alleged perp’s dark web page shows no change in the situation since August – Colt’s data remains up for auction.

A week after the telco confirmed the news of an attack, and after Warlock posted the company to its leak site, Colt said it was aware of the online posts about it, and that if customers wanted to know what data was available online, then it would check in with Warlock on their behalf.

Colt’s allegedly stolen data is not available for public view, per the usual double extortion playbook. Ransomware gangs’ so-called auctions are hotly debated, with many believing they serve as a facade for criminals to boast about the grandeur of the data they stole, without having to reveal just how sensitive, or ordinary, that data may be.

While the official method of entry is yet to be confirmed, multiple sources suggest that Colt may have been one of the many victims of the melange of SharePoint exploits over the summer.

Trend Micro’s report on Warlock, released around the time of the Colt attack, stated that it was one of the many ransomware groups and state-sponsored attack crews that were exploiting the vulnerabilities.

Infosec watcher Kevin Beaumont also said that, according to telemetry he had seen, Colt pulled its SharePoint server offline after the attack.

“It was also clear they’d done data exfiltration,” he wrote, adding that internet-scanning service LeakIX told him the same.

The Register contacted Colt for additional information. ®
