T-Mobile confirms Lapsus$ breach, says no customer or government info accessed
Jonathan Greig April 22, 2022

T-Mobile confirms Lapsus$ breach, says no customer or government info accessed

T-Mobile confirms Lapsus$ breach, says no customer or government info accessed

T-Mobile on Friday confirmed reports that extortion group Lapsus$ gained access to their systems “several weeks ago.”

The telecom giant was responding to a report from journalist Brian Krebs, who gained access to the internal chats of the core Lapsus$ members. 

The chats obtained by Krebs show the group had wide-ranging access in several T-Mobile systems, including a tool the company uses to manage customer accounts. The hackers tried to get access to phone numbers connected to people within the FBI and Department of Defense but were unsuccessful.

The group initially got a foothold in the company by simply buying T-Mobile VPN credentials on illicit platforms like Russian Market. According to their chats, they targeted the telecom company because it would help them conduct “SIM swapping” attacks – where hackers hijack phone numbers used for two-factor authentication. 

In a statement to The Record, a T-Mobile spokesperson confirmed that their monitoring tools detected someone using stolen credentials to access internal systems that house operational tools software.

T-Mobile said that despite the screenshots showing Lapsus$ actors gaining access to the internal “Atlas” system, Slack and more, no sensitive information was stolen. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” T-Mobile said. 

“Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

The chats released by Krebs depict Lapsus$ as a dysfunctional group operating under the persistent fear that law enforcement was after them. Members of the group have been arrested and released over the last year.

In one section of the chat, the leading members claimed to have stolen source code related to T-Mobile but kept it in an Amazon AWS server that was eventually seized by the FBI. 

“RIP FBI seized my server. So much illegal shit. It’s filled with illegal shit,” one Lapsus$ member wrote, according to the chats shared by Krebs. They opted to keep their stolen material in the cloud because they believed there would be nothing physical tying them to the hacks if raided or arrested.

T-Mobile is still recovering from a data breach last August that involved more than 40 million records belonging to former or prospective customers who had applied for credit with the company, as well as information on approximately 7.8 million current postpaid customer accounts.  

After the incident came to light, the company confirmed that the stolen information included first and last names, dates of birth, Social Security numbers, and driver’s license information.

Digital Shadows’ Ivan Righi said the breach shows how dangerous stolen credentials and social engineering attacks still are.

“Lapsus$ attacks aren’t highly sophisticated. They usually initiate their attacks by using stolen credentials and then attempt to bypass multi-factor authentication using social engineering schemes. It is likely that Lapsus$ may be acquiring these credentials from underground marketplaces and AVC sites, such as the Russian Market, which offer a variety of credentials for sale at a low price,” Righi said.

“The TTPs used by Lapsus$ are not novel, but it does highlight a common weakness in cybersecurity — the people/user. Even the most secure technical controls may be bypassed by threat actors who are highly skilled in social engineering, and users who use the same credentials across multiple accounts may be putting their organizations at risk. The Lapsus$ Group also highlights the dangers of using SMS messages or phone calls for multi-factor authentication, as phone-based social engineering attacks were a common attack vector for the group.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.