Skip to content
T-Mobile confirmed that the extortion group Lapsus$ gained access to their system “several weeks ago.”
The company responded to a report by a journalist Brian Krebs, who accessed the internal chats from the private Telegram channel of the core Lapsus$ gang members.
They added that it has mitigated the breach by terminating the hacker’s group access to its network & disabled the stolen credentials that were used in the breach.
Ransomware Attack
Lapsus$ is a cyber-gang that came into prominence when it waged a ransomware attack against the Brazilian Ministry of Health in Feb 2021, compromising the data of COVID 19 vaccination data of millions. More recently, in March, the City of London Police arrested 7 people suspected of being connected to the gang.
Private messages found by Krebs showed that the Lapsus$ hacking group get hold of the T-Mobile VPN credentials on illegal platforms such as the Russian Market. Using these credentials Lapsus$ members can gain access to the company’s internal tools, e.g. Atlas, an internal T-Mobile tool for managing customer accounts. It would help them to conduct a “Sim-Swapping” attack.
Sensitive Information
In this attack, the hacker hijacks the victim’s number by transferring it to the device owned by the attacker. This lets the hackers obtain sensitive information such as phone number or any message sent for multi-factor authentication.
After gaining access to ATLAS, Lapsus$ hackers also attempted to compromise the T-Mobile accounts associated with the FBI & Department of Defense, but were unsuccessful as an additional verification method was linked to those accounts.
Bad Actor
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” stated a spokesperson from T-Mobile.
T-Mobile explained that despite the access attempts to the internal system ‘Atlas’ no sensitive information was leaked. “The systems accessed contained no customer or govt. information or other similar sensitive information, & we have no evidence that the intruder was able to obtain anything of value,” T-Mobile added.
Compromised Credentials
“Our systems & processes worked as designed, the intrusion was rapidly shut down and closed off, & the compromised credentials used were rendered obsolete.”
Recently, Lapsus$ attacks increased & they mainly target the source code of big technology companies, e.g. Microsoft, Samsung, Okta, & Nvidia.
Unsophisticated
The attacks conducted by Lapsus$ are unsophisticated, usually initiated by the stolen credentials from underground marketplaces, such as the Russian Market, & then an attempt to bypass the multi-factor authentication using social-engineering techniques.
“From a security pro who fought LAPSUS$: It forces us to shift thinking about insider access. Nation states want longer, strategic access; ransomware groups want lateral movement.
LAPSUS$ asks: What can this account get me in the next 6 hours? We have not optimised to defend that.” outlined Brian Krebs in a tweet on Mar 24, 2022.
Unconventional Techniques
Organisations should ramp up to protect from the groups such as Lapsus$. The unconventional techniques used by Lapsus$ to target major organisations can be copied by other groups too. Insider threat is brought into focus again by Lapsus$ & forces the organisation to reassess the challenge it possesses.
“Threats like Lapsus$ will not go away. There is a lot of money to be made & ‘hacker influence’ to be gained,” suggested Karl Sigler, Senior Security Research Manager, Trustwave Spider Labs.
Attacks on T-Mobile Over Years
T-Mobile suffered 6 different data breaches since 2018. A leaky API caused a data breach for 2.3m customers in 2018. 1 year later in 2019 1.26m prepaid were affected by a breach.
In Aug 2021 T-Mobile suffered another data breach, where more than 40m customer’s data were stolen. The account belongs to the former or prospective customer who has applied for credit with the company.
The records of the customer were up for the sale in the same year, & the breached data include Personal Identifiable Information e.g. US Social Security Numbers, Phone Numbers & Security PINs.
