T-Mobile confirms Lapsus$ had access its systems

Pierluigi Paganini April 23, 2022

Telecommunication giant T-Mobile confirmed the LAPSUS$ extortion group gained access to its networks in March.

Telecom company T-Mobile on Friday revealed that LAPSUS$ extortion gang gained access to its networks.

The popular investigator and journalist Brian Krebs first surmised that the LAPSUS$ gang has breached T-Mobile after he reviewed a copy of the private chat messages between members of the cybercrime group.

T-Mobile Lapsus$
Telegram channels that were restricted to the core seven members of the group – Source KrebsonSecurity

The logs show the LAPSUS$ group has access to the network of T-Mobile multiple times in March, the hackers have stolen source code for multiple company projects.

The VPN credentials for initial access are said to have been obtained from illicit websites like Russian Market with the goal of gaining control of T-Mobile employee accounts, ultimately allowing the threat actor to carry out SIM swapping attacks at will.

“The bigger challenge for LAPSUS$ was the subject mentioned by “Lapsus Jobs” in the screenshot above: Device enrollment. In most cases, this involved social engineering employees at the targeted firm into adding one of their computers or mobiles to the list of devices allowed to authenticate with the company’s virtual private network (VPN).” wrote Krebs. “The messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled.”

T-Mobile Lapsus$ 2
LAPSUS$ leader White/Lapsus Jobs looking up the Department of Defense in T-Mobile’s internal Atlas system. – Source KrebsOnSecurity

The telecom company says no customer or government information was compromised, despite the images shared in the chats show the gang gaining access to the internal “Atlas” system, along to Slack and Bitbucket accounts.

“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” T-Mobile said. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

The gang obtained the VPN credentials for initial access to the target systems from darkweb marketplaces, then used the access to perform SIM swapping attacks.

“Perhaps to mollify his furious teammates, White changed the subject and told them he’d gained access to T-Mobile’s Slack and Bitbucket accounts. He said he’d figured out how to upload files to the virtual machine he had access to at T-Mobile.” wrote Krebs. “Roughly 12 hours later, White posts a screenshot in their private chat showing his automated script had downloaded more than 30,000 source code repositories from T-Mobile.”

Over the last months, the Lapsus$ gang compromised many prominent companies such as NVIDIASamsungUbisoft, Mercado Libre, Vodafone, MicrosoftOkta, and Globant.

Early April, the City of London Police charged two of the seven teenagers who were arrested for their alleged role in the LAPSUS$ data extortion gang. UK police suspect that a 16-year-old from Oxford is one of the leaders of the popular Lapsus$ group.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, T-Mobile)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment