Criminal group Lapsus$ successfully attacked T-Mobile in March of this year.
According to research by security blog KrebsOnSecurity, Lapsus$ gained access to T-Mobile’s internal systems on several occasions. T-Mobile’s US subsidiaries were likely affected. In a response to KrebsOnSecurity, T-Mobile confirmed the incident.
Lapsus$ managed to penetrate systems and access data, similar to the incidents at Samsung, Okta, Globant, Microsoft and Nvidia. Among other things, they gained access to Atlas, an internal T-Mobile tool for managing customer accounts. According to KrebsOnSecurity, Lapsus$ managed to access sensitive customer account data, including accounts belonging to the US Department of Defense. T-Mobile denies the theft of customer data.
Insight into Lapsus$
Some Lapsus$ members were arrested in March of this year. The logs of Lapsus$’s Telegram chat channel provide insight into their methods. The cybercriminals often gained initial access to companies’ systems by purchasing compromised credentials.
Furthermore, Lapsus$ tended to use social engineering to get employees to bypass MFA systems and VPN networks. Several T-Mobile employees were targeted with ‘SIM swaps’, which allowed the hackers to intercept calls and messages sent to employees’ mobile numbers.
Source code
The logs indicate that Lapsus$’s leader — a 17-year-old Brit — called on members to focus on stealing source code. In the attack on T-Mobile, Lapsus$ disabled the VPN connection to the internal Atlas system in an attempt to retrieve source code. Lapsus$ has attempted to extort victims by threatening to publish source code in the past.