T-Mobile Becomes Next Victim of Lapsus$ Hacking Group
In addition to large corporations like Microsoft and Okta, the Lapsus$ hacking group also appears to be responsible for stealing 30GB of source code from T-Mobile after accessing the carrier’s network in March. The hackers were able to access the code using credentials purchased on a dark web forum in March.
KrebsOnSecurity reports that Lapsus$ also accessed an internal T-Mobile tool called Atlas, which can be used to manage customer accounts. With access to Atlas, the criminals could have enabled SIM-swapping attacks. However, according to chat logs, Lapsus$ didn’t use the tool in that way.
Instead, despite pleas from other Lapsus$ members, the group’s leader appears to have disconnected from T-Mobile’s VPN because Atlas couldn’t be used to access source code for the company’s technologies.
T-Mobile commented to KrebsOnSecurity:
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
KrebsOnSecurity says “it seems likely that the group routinely tried to steal and then delete any source code it could find on victim systems” so “it could turn around and demand a payment to restore the deleted data.”
The report goes on to show the hacking group's lack of operational savvy, recounting its repeated use of credentials purchased from hackers, its decision not to create backups of the stolen T-Mobile source code, and more.
Blunders like these could have cost Lapsus$ money and helped law enforcement find members of the group. But that doesn’t change the fact that T-Mobile has become just another high-profile organization that the hacking group has compromised in a fairly short time.
Story via PC Magazine