On Friday, T-Mobile acknowledged that it had been the victim of a security breach in March, when the LAPSUS$ mercenary group gained access to its networks. The revelation came after investigative reporter Brian Krebs published internal conversations from LAPSUS$'s key members, revealing that the group had infiltrated the firm multiple times in March before the arrest of its seven members.
T-Mobile clarified in a statement that the breach happened “several weeks ago” and that the “bad actor” accessed internal networks with the help of stolen credentials. “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” it added.
The initial VPN credentials were allegedly obtained from illicit marketplaces such as Russian Market in order to take control of T-Mobile employee accounts, which would have allowed the threat actor to carry out SIM swapping attacks at will. The chats suggest LAPSUS$ compromised T-Mobile's Slack and Bitbucket accounts, exploiting the latter to obtain over 30,000 source code repositories, in addition to gaining access to an internal customer account management application called Atlas.
In the short time since it first appeared on the threat scene, LAPSUS$ has become well-known for its hacks of Impresa, NVIDIA, Microsoft, Samsung, Ubisoft, Vodafone, Okta, and Globant. The City of London Police said earlier this month that two of the seven adolescents detained last month for their suspected ties to the LAPSUS$ data extortion group, a 16-year-old and a 17-year-old, had been prosecuted.