The Lapsus$ extortion group broke into T-Mobile's internal network and stole source code from the carrier. T-Mobile has confirmed the intrusion but says that no customer or government information, or other similarly sensitive data, was accessed or taken.
The theft took place in the weeks before police arrested seven of the group's members in late March 2022. Security journalist Brian Krebs published screenshots of what are believed to be private Telegram messages showing that the group targeted the carrier repeatedly over that period. In confirming the attack, T-Mobile said:
Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete. Systems accessed contained no customer or government information or other similarly sensitive information.
It is important to note that Lapsus$ did not defeat T-Mobile's defenses with an exploit. Instead, the group got into the internal network and employee-only tools by logging in with legitimate employee credentials, which it appears to have bought from underground marketplaces, including Russian-language sites, that trade in stolen logins. A purchased credential looks like an ordinary login at the perimeter, which is why the intrusion was caught by monitoring of what the account did once inside rather than blocked at sign-in.
With those credentials in hand, the group used T-Mobile's internal tools, including Atlas, its customer management system, to carry out SIM swap attacks, reassigning a target's phone number to a SIM the attackers control.
Because a SIM swap delivers everything sent to the victim's number to the attacker, it quite possibly let Lapsus$ defeat SMS-based two-factor authentication (2FA). With the number under their control, the group may have received SMS password-reset links and one-time password (OTP) codes of the kind commonly used as a second factor, without needing the victim's handset.
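The SIM swap chain above (an employee account reassigning a number, then SMS codes flowing to that number) leaves two signals a defender can look for: OTPs sent to a phone number shortly after its SIM was reassigned, and a single support account performing an unusual burst of SIM changes. The following detection logic is an added example written for this article; it is not code from the original page or from T-Mobile. The log format, field names, account names and thresholds are all assumptions, and the log lines are constructed.

```python
"""
Detection logic for the SIM-swap-to-OTP-interception chain described above.
Added example; not code from the original article or from T-Mobile. The log
format, field names and thresholds are assumptions, and the logs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical format). One agent account reassigns
# three SIMs within minutes; two of those numbers then receive SMS OTPs soon after.
SIM_CHANGE_LOG = """\
2022-03-15T10:02:11Z action=sim_change agent=agent-a17 phone=+15550100001
2022-03-15T10:04:40Z action=sim_change agent=agent-a17 phone=+15550100002
2022-03-15T10:05:03Z action=sim_change agent=agent-a17 phone=+15550100003
2022-03-15T14:30:00Z action=sim_change agent=agent-b02 phone=+15550100009
"""

AUTH_LOG = """\
2022-03-15T09:00:00Z event=sms_otp phone=+15550100009 purpose=login
2022-03-15T10:17:52Z event=sms_otp phone=+15550100001 purpose=password_reset
2022-03-15T10:21:09Z event=sms_otp phone=+15550100002 purpose=login
2022-03-15T16:45:00Z event=sms_otp phone=+15550100009 purpose=login
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def otp_after_sim_change(sim_text, auth_text, window=timedelta(hours=1)):
    """Return (phone, sim_change_ts, otp_ts, purpose) for every SMS OTP sent to
    a number within `window` after that number's SIM was reassigned. Whoever
    holds the new SIM, not the subscriber, receives those codes."""
    sim_changes = defaultdict(list)
    for ev in parse_log(sim_text):
        if ev.get("action") == "sim_change":
            sim_changes[ev["phone"]].append(ev["ts"])
    hits = []
    for ev in parse_log(auth_text):
        if ev.get("event") != "sms_otp":
            continue
        for change_ts in sim_changes.get(ev["phone"], []):
            if change_ts <= ev["ts"] <= change_ts + window:
                hits.append((ev["phone"], change_ts, ev["ts"], ev.get("purpose")))
    return hits


def bulk_sim_changes_by_agent(sim_text, window=timedelta(minutes=10), threshold=3):
    """Return {agent: count} for agent accounts that performed at least
    `threshold` SIM changes inside any `window`-long span. A support account
    driven by stolen credentials tends to work through targets in a burst."""
    by_agent = defaultdict(list)
    for ev in parse_log(sim_text):
        if ev.get("action") == "sim_change":
            by_agent[ev["agent"]].append(ev["ts"])
    flagged = {}
    for agent, times in by_agent.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[agent] = count
                break
    return flagged


if __name__ == "__main__":
    for hit in otp_after_sim_change(SIM_CHANGE_LOG, AUTH_LOG):
        print("OTP sent to a recently swapped number:", hit)
    print("agents with bulk SIM changes:", bulk_sim_changes_by_agent(SIM_CHANGE_LOG))
```

The first check needs the carrier's SIM-change records joined with the authentication logs of whichever service sends the OTP; a carrier can run it against its own account-recovery flows, and a downstream service can only run it if the carrier exposes a SIM-change signal. The second check runs on the carrier's side alone and is the one that would have pointed at a compromised employee account rather than at the victims.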
Lapsus$ appears to have been after sensitive data from other companies as well as from T-Mobile. Given the group's track record, the intrusion may have been another extortion attempt: steal confidential data, from T-Mobile and from others, and threaten to publish it unless the group is paid.