September 01, 2025 — Acronis Threat Research Unit

MSP cybersecurity news digest, September 1, 2025

Orange Belgium customers impacted by data breach: 850,000 affected 

Orange Belgium, with a revenue of €1.34 billion in 2024, has disclosed that attackers stole data from roughly 850,000 customers during a July cyberattack. 

The telecom provider, serving over three million customers in Belgium and Luxembourg, confirmed that compromised data includes names, phone numbers, SIM card details, PUK codes and tariff plans, but not passwords, emails or financial information.  

A spokesperson for Orange Belgium stated that although the threat group behind the breach has been identified, details cannot be revealed due to the ongoing investigation. Impacted customers are being notified via email or SMS and warned to watch for phishing attempts that exploit the stolen information. For more information, Orange Belgium customers can consult the company's "important information" webpage.

Orange Belgium stressed that its July breach was not connected to the global telecom intrusions attributed to China’s Salt Typhoon group. However, CISA, alongside the NSA, U.K. NCSC and partners from 13 countries, has published a joint advisory linking Salt Typhoon’s long-running espionage operations to three Chinese technology firms supporting the country’s Ministry of State Security and PLA. These campaigns, active since at least 2021, have heavily targeted telecommunications providers worldwide, exploiting known network device flaws to steal sensitive communications data. 

Warlock ransomware to blame for days of downtime at U.K. telecom Colt Technology 

Colt Technology Services, a U.K.-based telecom provider with a revenue of €2.19 billion in 2024, confirmed that customer documentation was stolen in a ransomware attack by the Warlock group. Operating across 30 countries, Colt manages 75,000 km of fiber networks connecting 900 data centers.

The company, which first disclosed the incident on August 12, acknowledged that criminals accessed certain files containing customer information and listed document titles on the dark web. Since then, Colt has issued a statement in early September on the containment of the incident and continues to drive full restoration efforts.

Customers concerned about the breach can contact Colt's dedicated call center to request a list of the exposed filenames. Meanwhile, the Warlock gang has begun auctioning what they claim are one million stolen documents for $200,000 on the Ramp cybercrime forum, allegedly including financial and network data.

Researchers note that the group, linked to Chinese threat actors, initially used leaked LockBit and Babuk encryptors before rebranding as Warlock in June 2025. Recent reports also indicate that they exploited a SharePoint vulnerability to infiltrate corporate networks, with ransom demands ranging from $450,000 to several million dollars. 

IT system supplier cyberattack: Ransom set at 1.5 bitcoins looms over hundreds of Swedish municipalities 

A cyberattack on Miljödata, which supplies IT systems to about 80% of Sweden's municipalities, has disrupted services in over 200 regions.

Reports indicate that the attackers demanded a ransom of 1.5 Bitcoins (approximately $168,000) and may have stolen sensitive personal data. Miljödata’s software is widely used for handling medical certificates, occupational injuries, and work environment reporting, making the disruption significant. 

CEO Erik Hallén confirmed the impact and said the company is working with experts to investigate and restore services. Several municipalities, including Halland, Gotland, Skellefteå, Kalmar, Karlstad and Mönsterås, have warned citizens about potential data leaks. Authorities, including Sweden’s civil defense minister and CERT-SE, are assessing the scope of the incident while the police investigate, though no ransomware group has yet claimed responsibility. 

U.S. supply chain manufacturers targeted with contact forms carrying MixShell malware

Researchers have uncovered a social engineering campaign dubbed ZipLine, which targets U.S. supply chain manufacturers with a stealthy in-memory malware called MixShell.

Unlike traditional phishing, attackers initiate contact through company “Contact Us” forms, engaging employees in weeks of professional conversations, sometimes sealed with fake NDAs, before sending malicious ZIP files. These files contain Windows shortcuts that execute PowerShell loaders, deploying MixShell, which leverages DNS tunneling and HTTP for command-and-control while enabling remote access, persistence and data theft. 

The campaign focuses on industries critical to the supply chain — such as manufacturing, hardware, semiconductors, biotech, and pharmaceuticals — while also impacting companies in Singapore, Japan and Switzerland. To avoid detection, attackers abuse legitimate services like Heroku for hosting and repurpose abandoned U.S. business domains with clean reputations to bypass security filters. 
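A defender-side illustration of the two ZipLine techniques described above, added here and not part of the original digest: it flags Windows shortcut (.lnk) members inside a ZIP archive, by file name or by the shell-link header, and applies a length/entropy heuristic to DNS query names of the kind a tunneling channel produces. The archive, the query log and the thresholds are constructed assumptions, not figures from the digest.

```python
import io
import math
import zipfile
from collections import Counter

# Signature of a Windows shell link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def suspicious_zip_entries(zip_bytes):
    """Return archive members that are shell links, whether or not named .lnk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            head = zf.open(info).read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def tunneling_candidates(query_names, zone_labels=2, min_len=40, min_entropy=3.5):
    """Flag names whose client-controlled prefix is long and high-entropy.
    zone_labels is how many trailing labels belong to the registered zone
    (assumed 2, e.g. example.net); thresholds are illustrative assumptions."""
    flagged = []
    for name in query_names:
        labels = name.rstrip(".").split(".")
        prefix = "".join(labels[:-zone_labels])
        if len(prefix) >= min_len and shannon_entropy(prefix) >= min_entropy:
            flagged.append(name)
    return flagged


def sample_zip():
    """Constructed archive: a visible shortcut, a renamed shortcut, a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quote_Request.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Invoice.pdf", LNK_MAGIC + b"\x00" * 60)   # header-only detection
        zf.writestr("NDA_signed.txt", b"constructed benign content")
    return buf.getvalue()


# Constructed DNS query log: two ordinary lookups and one tunneling-style name
# whose 48-character prefix uses every hex digit equally (entropy 4.0 bits).
SAMPLE_QUERIES = [
    "www.example.com.",
    "mail.example.org.",
    "3f9a2c7e1b8d5046c4e8b1d3a6f092757d2f5a9c0e3b6148.example-cdn.net.",
]
```

Real triage would add the LNK target and argument parsing and baseline per-domain query volume; the heuristic here only separates the constructed tunnelling name from ordinary lookups.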

What is ShadowSilk data exfiltration? How it claimed victims across APAC and Central Asia 

ShadowSilk, a newly tracked threat cluster, has carried out attacks against 35 organizations, including government entities, across Central Asia and the Asia-Pacific region.

Researchers report that the intrusions are mainly aimed at data theft and show overlaps with activity previously linked to YoroTrooper, SturgeonPhisher, and Silent Lynx. Victims include government agencies in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan and Turkmenistan, along with targets in the energy, retail, manufacturing, and transportation sectors. The group is believed to operate as a bilingual crew, with Russian-speaking developers tied to legacy YoroTrooper malware and Chinese-speaking operators leading intrusions. 

ShadowSilk relies on spear-phishing emails that deliver password-protected archives, eventually deploying custom loaders that conceal command-and-control traffic through Telegram bots. Their toolkit includes exploits for Drupal and WordPress, penetration-testing tools like Metasploit and Cobalt Strike, RATs, web shells, and even darknet-purchased panels such as JRAT and Morf Project. Once inside a network, the attackers move laterally, escalate privileges, capture files, screenshots and webcam images, and exfiltrate them disguised as Telegram traffic.