T-Mobile has suffered another data breach, this time at the hands of young hackers who were part of the LAPSUS$ group. While T-Mobile has stated that no customer or government information was compromised, it appears that LAPSUS$ gained access to T-Mobile’s source code repositories along with its customer account management system.
According to a post by Krebs on Security (via TechCrunch), leaked messages between members of the LAPSUS$ cybercrime group show that they successfully hacked T-Mobile several times in the past month.
The hackers gained access to T-Mobile’s internal systems by taking over multiple employee accounts, using credentials purchased from sites such as Russian Market, social engineering, and other information theft methods.
The reports show that every time LAPSUS$ got disconnected from a T-Mobile employee’s account — either because the employee was trying to log in or change their password — they simply found or bought another set of T-Mobile VPN credentials. T-Mobile currently has approximately 75,000 employees worldwide.
LAPSUS$ chats and screenshots show that on March 19 they hacked into the T-Mobile Atlas customer management system and searched for “accounts associated with the FBI and the Department of Defense.” But as it turned out, LAPSUS$ did not have additional credentials to access this information.
While some LAPSUS$ members “desperately wanted to trade the SIM cards of some wealthy targets for money,” their 17-year-old leader “White” decided to forgo VPN access to the Atlas system and focused on exploring T-Mobile’s Slack and Bitbucket accounts.
Approximately 12 hours later, “White” shared screenshots showing that the script he created downloaded over 30,000 T-Mobile source code repositories, which included content from various operator projects.
In response to the LAPSUS$ hack, T-Mobile shared the following statement with Krebs on Security:
A few weeks ago, our monitoring tools detected an attacker using stolen credentials to access internal systems hosting operating tools software. The systems that were accessed contained no customer or government information or other similar sensitive information, and we have no evidence that the attacker was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was quickly stopped and closed, and the compromised credentials used were out of date.
As to why LAPSUS$ chose to focus on T-Mobile’s source code rather than malicious SIM spoofing, Krebs on Security believes they may have been looking for more serious security flaws, already had buyers for the source code, or it was potentially just “one big capture the flag contest”.
The most active members of LAPSUS$ were arrested shortly after the T-Mobile hack.
The post T-Mobile hacked by LAPSUS$ cybercriminal group through compromised employee accounts appeared first on Gamingsym.