The 2025 UK cyber disruption we can’t blame on the IT helpdesk
As Jaguar Land Rover (JLR) announces a return to operations after a six-week disruption, a lengthier, less publicised UK-based cyber-attack recovery remains unresolved.
Perhaps the relative quiet is because Colt Technology Services, a critical connectivity and trading network serving major banks and stock exchanges in ~30 countries, is not a household name like JLR, Co-Op, or M&S. Or perhaps it’s because the narrative doesn’t fit the now-expected Scattered Spider storyline. Either way, understanding the root cause of Colt’s disruption is essential to avoid a blinkered conversation about why significant operational disruption events continue to occur.
Colt’s disruption began on 12 August 2025, about two weeks before Jaguar Land Rover’s outage, when customers reported service issues across its platforms. While core systems were gradually restored, Colt’s update in early October showed that its customer portal, hosting APIs, and voice-on-demand tools were still offline. Reports also suggested lingering laptop issues among staff, indicating a long and complex recovery.
Causes and consequences
Considering the government-level scrutiny on JLR, M&S and Co-Op, it is fair to question why the Colt breach occurred and whether it was preventable.
Several elements are worth exploring:
- On the face of it, the exploitation of a pre-authentication SharePoint remote code execution vulnerability (CVE-2025-53770, the “ToolShell” chain), possibly using a bypass technique, most likely gave the attackers their initial foothold, from which they escalated access internally.
- But was this exploitation simply down to patching issues? Or were services exposed that should never have been? Could exploitation by the linked threat actors, Warlock and Storm-2603, have been avoided?
- This should serve as a reminder that defenders must not become overly fixated on Scattered Spider or the assumption that IT helpdesk manipulation will now become the dominant initial access vector for their organisation.
- Just as Scattered Spider (and various associated groups) are a mix of affiliates rather than a single entity, Warlock ransomware also operates within a broader ecosystem, and indicators suggest collaboration with the China-based actor Storm-2603.
- As observed in other attacks, Storm-2603 TTPs include IIS backdoor installation and Bring Your Own Vulnerable Driver (BYOVD) abuse (as per Check Point), which may indicate potential APT or espionage-oriented motives.
- With the newly emerged Warlock also having claimed attacks on other telcos, Orange and the Japanese ISP Accsnet.com, since August, there is reason to worry about a two-fold threat of ransomware extortion and espionage. While Storm-2603’s TTPs do increase the probability that the activity is intelligence-oriented, they are not conclusive proof.
To make sense of all the overlapping names and infrastructure, the following diagram maps out the likely or claimed connections between Colt, Storm-2603, Warlock, and potentially related telecom attacks discussed here.
Most importantly, independent researcher Kevin Beaumont has highlighted several transparency issues during incident recovery. The company initially described the disruption as a “technical issue” with no data loss before later acknowledging potential file exfiltration after Warlock posted data on its leak site.
Beyond the immediate downtime, the incident may have lasting reputational effects. For a provider that underpins banking networks, data centre connectivity, and telecommunications infrastructure, the real damage lies not only in service disruption but in the erosion of customer trust when assurances given during an incident later prove to be incomplete.
So there are several lessons to draw from this incident concerning attack surface management, readiness, and recovery.
Were access and escalation preventable?
The exploitation of a SharePoint remote code execution vulnerability (reported as CVE-2025-53770), possibly using a bypass technique, likely allowed attackers to escalate access. But defenders cannot simply dismiss the risk with ‘we’d have patched that in time’. The flaw is exploitable without authentication, so the server’s own login prompt offers no protection; and in theory, an internal-facing SharePoint instance should rarely be exposed directly to the public internet, regardless of patch status.
In practice, however, there are several reasons why an organisation like Colt might have ended up with a publicly reachable, exploitable SharePoint service.
Some are more preventable than others:
- Remote collaboration and client access
- Hybrid or legacy deployment complexity
- Shadow IT or poorly documented exposure
- Reverse proxy or load-balancer misconfiguration
Most of these exposure scenarios could still have been avoided through better asset discovery, stricter exposure management, stronger authentication, or improved proxy controls. It is important to regularly confirm that every public-facing service still serves a justified purpose.
SharePoint has faced multiple known CVEs and zero-days that could leave a public instance vulnerable even if patched on day one. A safer approach is to place it behind a hardened edge such as Azure Front Door or an equivalent proxy with a WAF and Entra ID (M365) authentication, and to ensure the origin server accepts traffic only from that edge or sits within a corporate VPN or private network. Without that origin lock-down the edge is simply bypassed by anyone who finds the origin’s address, and the WAF never sees the exploit request.
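To make the exposure point concrete, here is an added example (written for this article, not code from the original post or from JUMPSEC) that triages the results of an external sweep for SharePoint hosts. The probe records in CONSTRUCTED_PROBES are made up for illustration; the header names they use are real: on-premises SharePoint stamps MicrosoftSharePointTeamServices and X-SharePointHealthScore on its responses, Azure Front Door adds X-Azure-Ref, and Windows authentication challenges with WWW-Authenticate. The point it encodes is the one made above: SharePoint’s own 401 is not an exposure control against a pre-authentication bug, because the request has already been processed by SharePoint’s pipeline.

```python
"""Triage results of an external sweep for directly reachable SharePoint origins.

Added example, not code from the original post. The probe records below are
constructed; the header names are the real ones emitted by SharePoint,
Azure Front Door and Windows authentication.
"""
import http.client
from typing import Dict, List, Tuple

ProbeResult = Tuple[int, Dict[str, str]]

# Constructed sweep results keyed by hostname: (HTTP status, response headers).
CONSTRUCTED_PROBES: Dict[str, ProbeResult] = {
    # Origin reachable; anonymous page served.
    "sp-anon.example.test": (200, {
        "Server": "Microsoft-IIS/10.0",
        "MicrosoftSharePointTeamServices": "16.0.0.5456",
        "X-SharePointHealthScore": "0",
    }),
    # Origin reachable; SharePoint's own Windows auth challenge. The request
    # still reached SharePoint's pipeline, which is all a pre-auth bug needs.
    "sp-ntlm.example.test": (401, {
        "Server": "Microsoft-IIS/10.0",
        "MicrosoftSharePointTeamServices": "16.0.0.5456",
        "WWW-Authenticate": "NTLM",
    }),
    # Front Door in front, Entra ID sign-in enforced before the origin is hit.
    "sp-edge.example.test": (302, {
        "X-Azure-Ref": "0Zs1kZQAAAAB8QW9nqS5lRp2xkz4AAAAA",
        "Location": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000",
    }),
    # Front Door in front but passing anonymous traffic straight to the origin.
    "sp-edge-open.example.test": (200, {
        "X-Azure-Ref": "0Zs1kZQAAAACd0Rk4RTd8S5vL3tYAAAAA",
        "MicrosoftSharePointTeamServices": "16.0.0.5456",
    }),
    # Something else entirely.
    "www.example.test": (200, {"Server": "nginx"}),
}


def classify_exposure(status: int, headers: Dict[str, str]) -> str:
    """Label one probe result.

    Only an authentication layer that stops traffic before the origin counts
    as a control; a 401 from SharePoint itself means the origin is exposed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_sharepoint = ("microsoftsharepointteamservices" in h
                     or "x-sharepointhealthscore" in h)
    fronted = "x-azure-ref" in h
    redirected_to_login = (status in (301, 302, 303, 307, 308)
                           and "login.microsoftonline.com" in h.get("location", "").lower())

    if fronted and redirected_to_login and not is_sharepoint:
        return "edge-auth-gated"      # origin not reached without Entra ID sign-in
    if fronted and is_sharepoint:
        return "edge-passthrough"     # WAF perhaps, but anonymous traffic reaches SharePoint
    if is_sharepoint:
        return "direct-origin"        # includes the 401/NTLM case: exposed regardless
    if redirected_to_login:
        return "auth-gated-unknown"   # gated by something; origin type not confirmed
    return "not-sharepoint"


def triage(probes: Dict[str, ProbeResult]) -> Dict[str, str]:
    """Classify every probe and return {host: label}."""
    return {host: classify_exposure(status, hdrs) for host, (status, hdrs) in probes.items()}


def exposed_hosts(probes: Dict[str, ProbeResult]) -> List[str]:
    """Hosts where anonymous internet traffic reaches SharePoint's own pipeline."""
    return sorted(h for h, label in triage(probes).items()
                  if label in ("direct-origin", "edge-passthrough"))


def probe(host: str, path: str = "/", timeout: float = 5.0) -> ProbeResult:
    """Fetch one URL without following redirects (http.client never follows them).

    Network-dependent; used to populate a real sweep, not exercised in the demo.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "exposure-sweep/1.0"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    for host, label in triage(CONSTRUCTED_PROBES).items():
        print(f"{host:28} {label}")
    print("exposed:", exposed_hosts(CONSTRUCTED_PROBES))
```

Anything labelled direct-origin or edge-passthrough is a host where the July 2025 patch status was the only thing standing between the internet and the ToolPane.aspx endpoint; those are the entries to justify or remove first.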
Beyond this initial access, we do not know details of how threat actors may have escalated access or privileges within Colt’s environment. We can, however, break down Warlock ransomware and Storm-2603’s collaboration and TTPs.
Threat actor TTPs
Since emerging in June 2025, Warlock has sparked debate over whether it is a new ransomware brand, a rebrand of Black Basta, LockBit, or Babuk, or simply a payload used by Storm-2603. Several incidents attributed to Warlock lack Storm-2603’s typical tooling, such as the ToolShell exploit chain or IIS web-shell backdoors, suggesting Warlock often operates independently rather than as a direct extension of Storm-2603.
In the Colt intrusion, evidence from public analysis (most notably Kevin Beaumont’s investigation) shows strong similarities in both timing and technique, including the use of IIS web shells typical of Storm-2603’s operations. When viewed alongside research from Microsoft and Check Point linking Storm-2603 to SharePoint exploitation and ransomware delivery, the available evidence points to at least a shared toolset or temporary collaboration between the two groups.
The diagram below shows a combined attack flow for Storm-2603 and Warlock, illustrating a hypothetical attack chain based on known TTPs. The two techniques potentially indicative of espionage, namely installing IIS backdoors and BYOVD (Bring Your Own Vulnerable Driver), are highlighted in gold.
Warlock has claimed attacks on Orange Belgium and Orange France, though both firms have denied serious compromise. The Japanese ISP Accsnet.com was also listed among alleged victims. Ransomware groups often exaggerate, while victims downplay impact. Unfortunately, most incidents never offer even the limited visibility that the Colt breach has.
What makes this overlap particularly notable is that Colt, Orange, and Accsnet operate within telecommunications and network infrastructure. In that context, it is worth analysing Storm-2603’s TTPs that blur the line between financially motivated ransomware deployment and activity more consistent with espionage.
The potential dual motive
Two of Storm-2603’s known behaviours stand out for their potential APT crossover:
- Installing IIS DLL backdoors – Web server implants are a classic method for stealthy, long-term access and data collection; they survive removal of surface artefacts (for example web shells) and have been repeatedly used by state-aligned APTs to maintain covert footholds. While criminal actors may use server implants for convenience, the specific aim of harvesting ASP.NET machine keys and credentials via on-prem SharePoint vulnerabilities points to an intent beyond one-off extortion: a stolen machine key lets the attacker forge validly signed ViewState payloads and regain code execution even after the vulnerability itself is patched, which is why Microsoft’s guidance is to rotate the keys and restart IIS rather than patch alone. Both an .aspx web shell and the IIS_Server_dll.dll implant (attributed to Storm-2603 by Microsoft) have been observed following exploitation of CVE-2025-53770. This points to stealthy tradecraft built for long dwell time, potentially leaning toward espionage-oriented persistence.
- BYOVD (Bring Your Own Vulnerable Driver) – Deliberately loading a signed but vulnerable kernel driver to neutralise endpoint defences requires kernel expertise and planning, and it often defeats common enterprise protections. That sophistication and the observed use alongside DLL sideloading to deliver multiple ransomware families resembles techniques favoured by well-resourced APTs. This is indicative of advanced, possibly state-style tradecraft.
There is precedent for this crossover. Nation-state groups have been known to occasionally deploy ransomware to generate revenue. Conversely, ransomware has occasionally been used as cover to mask covert access or espionage. If such dual intent is present here, the full impact may never be known, as espionage campaigns often persist for years before detection or remain undiscovered entirely.
Extortion and data compromise
Warlock said Colt had limited time to pay. They now claim “1 million files” are still being auctioned. Neither the cybercriminal nor the victim is a reliable narrator. Warlock’s extortion tactics are typical; some victims have been leaked, others have not.
Warlock’s data leak site, on which the claimed Colt breach (top left) and Orange (bottom right) have been published.
The veracity of their claims, whether ransom was paid, and the likelihood of further supply chain risk all remain uncertain.
Despite the headlines about Warlock’s targeting of major telecoms such as Colt and Orange, analysis of Warlock’s data leak site (DLS) shows that telecoms account for only around 4% of the group’s known victims. However, the wider spread across Japan, Taiwan, India, and Turkey, regions of strategic and geopolitical importance, may indicate an operational pattern that goes beyond simple ransomware opportunism.
The bottom line
Just as unsubstantiated claims have emerged around possible Russian state involvement in the JLR incident, the potential dual motive of APT involvement in Colt’s case, while possible, remains unproven. However, from a business-impact perspective, the theft of intellectual property or long-term espionage persistence could harm sectors like finance and telecommunications as severely as temporary operational disruption. And even if your organisation “just sells cars”, threat actors with nation-state capabilities might still be prepared to use zero-day exploits.
This year, particularly in the UK, attention has been dominated by Scattered Spider following high-profile incidents at M&S, Co-Op, and JLR. As a result, organisations have been disproportionately requesting JUMPSEC to perform adversarial social engineering and IT helpdesk compromise, often at the expense of more routine but equally critical security fundamentals. Don’t overweight social-engineering scenarios at the expense of securing exposed services.
Major cyber disruptions often stem from incomplete visibility, weak internal controls, and inconsistent communication during recovery, rather than from a single actor or tactic. Strengthening attack surface management, validating detection and escalation playbooks, and clear incident and business continuity planning may not sound dramatic, yet they remain the most effective ways to reduce impact and uncertainty when disruption occurs.
Practical strategies and mitigations
- Search SharePoint servers for indicators such as spinstall*.aspx and debug_dev.js in the TEMPLATE\LAYOUTS directory and for the IIS_Server_dll.dll implant; check the IIS logs as well, where a dropped web shell shows up as requests to /_layouts/15/spinstall0.aspx.
- Apply the July 2025 and later SharePoint security updates, then rotate the ASP.NET machine keys (via Central Administration or the Update-SPMachineKey cmdlet) and restart IIS on every server, as Microsoft directs. Patching alone does not invalidate keys that were already stolen.
- Enable AMSI Full Mode and EDR in block mode on SharePoint servers.
- Given the BYOVD TTP, validate that the Microsoft vulnerable driver blocklist and HVCI (memory integrity) are enabled on servers and endpoints, and tie that check to policy so it is not a one-off.
- From a supply chain perspective, confirm with your telco which portals and APIs you depend on, and plan manual fallbacks during outages.
- Perform an external attack-surface sweep for any internet-facing SharePoint or admin interfaces.
- Implement strong authentication: for example, place the SharePoint site behind Azure Front Door with Entra ID SSO or your enterprise VPN where business use allows.
- Test response preparedness: simulate a scenario such as “supplier portal down for 6–8 weeks”; review incident communications to avoid premature minimisation and align legal, PR, and IR on what can be asserted when evidence is limited.
- Threat hunt and harden: implement Microsoft’s hunting queries for ToolShell, tune detections for w3wp.exe spawning cmd.exe or PowerShell and for PsExec/Impacket activity originating from web servers, and enforce LSA protection and Credential Guard.
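The indicator search and hunting items in the list above, as an added example written for this article rather than code from the original post, from Microsoft or from JUMPSEC: a Python hunt over IIS W3C logs that flags the publicly documented ToolShell request shape (a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit arriving with /_layouts/SignOut.aspx as the referer) and any request for the dropped files named above. The log lines, hostnames and addresses are constructed; the field layout is IIS’s default W3C format, read from the #Fields directive so a customised column order still parses.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770) exploitation pattern.

Added example, not code from the original post or from Microsoft. The sample
log excerpt is constructed; the request shapes it contains follow the public
reports of the exploit (ToolPane.aspx POST with a SignOut.aspx referer, then a
fetch of the dropped spinstall0.aspx page).
"""
import fnmatch
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed IIS log excerpt (W3C format, default field order).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-08-11 23:58:01 10.0.0.5 GET /sites/finance/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\\alice 10.0.4.21 Mozilla/5.0 https://intranet.example.test/ 200 0 0 120
2025-08-12 00:01:14 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://intranet.example.test/_layouts/SignOut.aspx 200 0 0 843
2025-08-12 00:01:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2025-08-12 00:02:03 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.4.40 Mozilla/5.0 https://intranet.example.test/_layouts/15/settings.aspx 200 0 0 55
2025-08-12 00:04:40 10.0.0.5 GET /_layouts/15/debug_dev.js - 443 - 198.51.100.9 curl/8.0 - 404 0 2 4
"""

# File names from the mitigation list above; matched case-insensitively.
DROPPED_FILE_PATTERNS = ("spinstall*.aspx", "debug_dev.js")


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log text into one dict per request line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def classify_request(row: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one request, or None if it looks benign."""
    method = row.get("cs-method", "").upper()
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "").lower()
    referer = row.get("cs(Referer)", "").lower()

    # Rule 1: the exploit request. A POST to ToolPane.aspx in edit mode is normal
    # for an authenticated page editor; the same POST arriving with SignOut.aspx
    # as the referer is the documented authentication-bypass shape.
    if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        return "toolshell-exploit-request"

    # Rule 2: anyone asking for the dropped files. A 200 means the file existed;
    # a 404 means someone was looking for it, which is still worth a look.
    basename = stem.rsplit("/", 1)[-1]
    if "/_layouts/" in stem and any(
            fnmatch.fnmatch(basename, p) for p in DROPPED_FILE_PATTERNS):
        return "webshell-access" if row.get("sc-status") == "200" else "webshell-probe"
    return None


def hunt(text: str) -> Dict[str, List[str]]:
    """Group findings by client IP: {c-ip: [labels in log order]}."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for row in parse_iis_w3c(text):
        label = classify_request(row)
        if label:
            findings[row["c-ip"]].append(label)
    return dict(findings)


if __name__ == "__main__":
    for ip, labels in hunt(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {', '.join(labels)}")
```

In a real hunt, feed it the u_ex*.log files from every SharePoint web front end. The legitimate editor’s ToolPane.aspx request from 10.0.4.40 is deliberately included and is not flagged; a toolshell-exploit-request hit is worth escalating even when the server returned an error, because the attempt alone shows the host was reachable and targeted, and a webshell-access hit means the dropped file was actually served.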
References
- Check Point – Storm-2603 operations: https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/
- Colt service status updates: https://www.colt.net/status/
- Kevin Beaumont – Colt analysis: https://doublepulsar.com/colt-technical-services-gets-ransomwared-via-sharepoint-initial-access-some-learning-points-617da7e27ebc
- Kevin Beaumont – ongoing commentary: https://cyberplace.social/@GossiTheDog/115066666281845689
- Microsoft – Storm-2603 exploitation update: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- MDSec – IIS backdoor techniques: https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/
- Rapid7 – SharePoint zero-day analysis: https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/
Sean Moran
Sean is a security writer with a focus on ransomware extortion and its impact on the wider cyber security industry.
