Lapsus$ hackers breached T-Mobile, stole source code


Telecom company T-Mobile suffered a security breach in March after a cyberattack carried out by the Lapsus$ data extortion group, known for its previous attacks against major technology companies such as Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant. In many cases the group leaked large amounts of source code and other data stolen from victims.

The breach came to light last week after investigative journalist Brian Krebs shared the private chats between members of Lapsus$ in the week leading up to the arrest of its most active members last month.

According to the internal conversations, the group compromised T-Mobile systems several times in March and stole source code for a range of company projects. The hackers gained access to the telecoms giant’s network using initial access bought from sites like Russian Market, which sell access to remotely compromised systems, as well as any credentials stored on those systems.

The logs also show that Lapsus$ had no problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to breach. The hackers used social engineering techniques to trick employees at the targeted company into adding one of the attackers’ devices to the list of devices allowed to authenticate with the company’s VPN.

Lapsus$ continuously targeted T-Mobile employees who had access to internal tools that could allow the hackers to conduct so-called “SIM swapping” — an attack where a hacker steals a victim’s mobile phone number by assigning it to a new SIM card. This allows the attacker to intercept the target’s text messages and phone calls, including any links sent via SMS for password resets, or one-time codes sent for multi-factor authentication.

T-Mobile has confirmed the security breach, but said that no customer or government information was stolen in the incident.

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete,” the company said in a statement.

Earlier this month, the City of London Police charged two of seven teenagers arrested in March for their alleged connections to the Lapsus$ hacker group. Both defendants were released on bail, subject to certain conditions.
