T-Mobile faces cyber attack by Lapsus$
2022-04-26

The systems of US mobile network operator T-Mobile were compromised by the Lapsus$ cyber crime gang, which stole source code relating to various products in the days immediately before the arrests of several of its members.
The cyber criminals' private Telegram chat logs, reviewed by Brian Krebs of KrebsOnSecurity, show how Lapsus$ bought compromised T-Mobile employee credentials on underground marketplaces such as Russian Market and used them to perform SIM-swapping attacks.
A SIM swap is an attack in which a mobile operator is persuaded (or its internal tooling is misused) to move a victim's phone number onto a SIM the attacker controls. From that point the attacker receives the victim's calls and text messages, including the one-time codes that banks, card issuers and other services send for logins and password resets, and can use them to reset credentials and take over those accounts. Such attacks are quite often used to steal cryptocurrency.
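The attack chain above has two observable points: the operator sees an employee account moving numbers to new SIMs, and an online service sees a sensitive one-time code go to a number that has just changed SIM. The following is an added example, not code from the article, from Krebs or from T-Mobile; the event layout, field names and sample log lines are constructed for illustration and are not a real Atlas or carrier schema.

```python
"""Heuristic detection for the SIM-swap attack chain described above.

Two detections over constructed sample events:
  1. service side: a sensitive one-time code is sent to a number shortly after
     that number was moved to a new SIM;
  2. operator side: one employee account performs an unusual number of SIM
     changes in a short window, the pattern a stolen credential produces.
Event layout and field names are assumptions for this example, not a real
T-Mobile or Atlas schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, event_type, actor, phone, purpose)
#   sim_change: actor = operator employee id who moved `phone` to a new SIM
#   otp_sent:   actor = online service that texted `phone` a code for `purpose`
SAMPLE_EVENTS = [
    ("2022-03-19T02:11:00", "sim_change", "emp-4417", "+15550100", ""),
    ("2022-03-19T02:14:30", "otp_sent",   "bank-app", "+15550100", "password_reset"),
    ("2022-03-19T02:20:00", "sim_change", "emp-4417", "+15550101", ""),
    ("2022-03-19T02:26:00", "sim_change", "emp-4417", "+15550102", ""),
    ("2022-03-19T02:31:00", "sim_change", "emp-4417", "+15550103", ""),
    ("2022-03-19T02:40:00", "otp_sent",   "exchange", "+15550103", "login"),
    ("2022-03-19T10:05:00", "sim_change", "emp-0021", "+15550200", ""),
    ("2022-03-19T15:00:00", "otp_sent",   "bank-app", "+15550200", "password_reset"),
]

# OTP purposes that let whoever holds the phone number take over the account
SENSITIVE_PURPOSES = {"password_reset", "login", "account_recovery"}


def parse(events):
    """Turn the raw tuples into (datetime, type, actor, phone, purpose), oldest first."""
    rows = [(datetime.fromisoformat(ts), kind, actor, phone, purpose)
            for ts, kind, actor, phone, purpose in events]
    return sorted(rows, key=lambda r: r[0])


def otp_after_sim_change(events, window=timedelta(hours=1)):
    """Service-side check: flag sensitive OTPs delivered within `window` after a
    SIM change on the same number. A verification code sent to a freshly
    swapped SIM is exactly what the attacker is waiting for, so a service that
    can see a carrier SIM-change signal should refuse or step up instead."""
    last_swap = {}          # phone -> time of the most recent SIM change
    alerts = []
    for ts, kind, actor, phone, purpose in parse(events):
        if kind == "sim_change":
            last_swap[phone] = ts
        elif kind == "otp_sent" and purpose in SENSITIVE_PURPOSES:
            swapped = last_swap.get(phone)
            if swapped is not None and ts - swapped <= window:
                alerts.append({"phone": phone, "service": actor,
                               "purpose": purpose,
                               "minutes_after_swap": (ts - swapped).total_seconds() / 60})
    return alerts


def employee_swap_velocity(events, threshold=3, window=timedelta(hours=1)):
    """Operator-side check: return {employee: peak_count} for employee accounts
    that performed at least `threshold` SIM changes inside any `window`-long
    span. Legitimate support staff rarely move several numbers in minutes;
    a bought credential used for SIM swapping does."""
    per_employee = defaultdict(list)
    for ts, kind, actor, phone, purpose in parse(events):
        if kind == "sim_change":
            per_employee[actor].append(ts)
    flagged = {}
    for employee, stamps in per_employee.items():
        # sliding window anchored at each change: count changes in [start, start + window]
        peak = max(sum(1 for t in stamps if start <= t <= start + window)
                   for start in stamps)
        if peak >= threshold:
            flagged[employee] = peak
    return flagged


if __name__ == "__main__":
    for a in otp_after_sim_change(SAMPLE_EVENTS):
        print("account-takeover risk:", a)
    for emp, n in employee_swap_velocity(SAMPLE_EVENTS).items():
        print(f"employee {emp} performed {n} SIM changes within an hour")
```

On the constructed sample the service-side check flags the two numbers that received a reset or login code minutes after a SIM change and ignores the one whose code arrived hours later; the operator-side check flags only the employee account that moved four numbers in twenty minutes. In practice the thresholds and window need tuning against the operator's real baseline, and the operator-side check should be paired with off-hours and source-IP checks on the same tool logins.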
Krebs, an independent investigative journalist, reported that the gang used this access to reach T-Mobile's customer management tool, Atlas, and from there attempted to access accounts associated with US government bodies and agencies, including the FBI. This prompted arguments between members worried they had gone too far, which seems to have resulted in the group's ringleader, who went by the handle White, pivoting to stealing source code instead.
In a statement circulated to the media, a spokesperson for T-Mobile’s US operation said, “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software.
“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Lapsus$ shot to prominence in early 2022 thanks to a series of high-profile attacks on tech companies including Nvidia, Samsung, Ubisoft, Okta and Microsoft. The gang was at first mistakenly thought to be a ransomware gang, but it does not appear to have ever deployed ransomware at any of its targets, preferring to exfiltrate and leak data while demanding a pay-off rather than encrypting it.