April 26, 2022

Lapsus$ Breached T-Mobile

Industry: N/A | Level: Strategic | Source: Krebs On Security

Reviewing activity from the data extortion group Lapsus$, independent researcher Brian Krebs has identified a breach of wireless network operator T-Mobile in March 2022. Krebs obtained private chat messages from Lapsus$ members, and indications are that the group has breached T-Mobile multiple times, obtaining source code for various company projects to extort the communications provider for financial gain. T-Mobile has confirmed the breach but has stated, in statements to Bleeping Computer, that customer and government data was not compromised: “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.”

The chat logs examined by Krebs give a view into the group’s operations, thanks to the members’ candid conversations. The Lapsus$ hackers obtained access by purchasing compromised systems and credentials on the Russian Market. Additionally, the group has enticed insiders to supply access, with T-Mobile employees providing internal access and capabilities to Lapsus$ hackers to conduct “SIM swaps.” Although the hackers were shut out from time to time when T-Mobile employees logged into their own accounts or changed a password, Lapsus$ was able to discover or purchase another set of T-Mobile’s VPN credentials. Atlas, a T-Mobile customer management tool, was compromised by Lapsus$ on March 19th, 2022, with the threat actors attempting to access accounts related to the FBI and Department of Defense; however, the information required “additional verification procedures before any changes could be processed,” thwarting the attackers’ attempts to access government account data.