More details have emerged about the Lapsus$ attack on T-Mobile. The hack took place in March, and the group stole the company’s source code.
The attack was first reported by Krebs on Security, and T-Mobile has since confirmed it to the media. However, the US-based company said the system Lapsus$ accessed did not contain any customer, government or other similarly sensitive information.
Krebs obtained documents showing that the hacking collective planned the attack one week before seven of its members were arrested in the UK. Lapsus$ members bought employee credentials on the dark web, which gave them access to T-Mobile’s internal working tools. With that access they could perform SIM swaps, transferring control of a victim’s phone line to the attacker. Lapsus$ hackers could then see the victim’s texts, calls and related data, and could also intercept any incoming multi-factor authentication messages.
Lapsus$ didn’t stop at T-Mobile’s individual customers, according to screenshots of messages shared by the group’s members. They also tried to break into the FBI’s and the Department of Defense’s T-Mobile accounts, but failed because those accounts had extra verification measures in place.
In a statement released to The Verge, T-Mobile said, “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Lapsus$ became known in December 2021 when it hacked Brazil’s Ministry of Health and deleted more than 50 terabytes of data, including information connected to the country’s fight against Covid-19. The group then started targeting top tech companies in the US. It successfully compromised Nvidia, a chipmaker. Other victims include Ubisoft, Microsoft and Samsung.
The group openly operated on Telegram, with more than 40,000 followers after it became known it was stealing data from big companies. However, Lapsus$ had a more exclusive Telegram group with only seven core members.
Messages from the exclusive group revealed that Lapsus$ repeatedly bought T-Mobile employee accounts whenever the ones they were using got blocked. The company has about 75,000 employees on its payroll, so there were plenty to choose from.
The group’s big break in the T-Mobile hack came when it gained access to Atlas, the software that powers many of the company’s operations.
Why Lapsus$ was fixated on T-Mobile’s source code is not clear, as it could instead have targeted the accounts of wealthy T-Mobile users to commit fraud. Krebs on Security postulated that the group already had buyers for the source code lined up, or was hunting for security weaknesses that could help it hack the company further. Judging from its past actions, however, Lapsus$ seems to want to find and delete source code and then demand a ransom to return the deleted files.
The leader of Lapsus$, known as White, was ultimately betrayed by other group members after he had doxxed them.