Before police arrested seven of the group's more prolific members in late March, ransomware gang Lapsus$ stole T-Mobile's source code that same month. In a report published Friday and spotted by The Verge, security journalist Brian Krebs shared screenshots of private Telegram messages that show the group targeted the carrier multiple times.
"Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software," T-Mobile told Krebs. "Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete." The company added the "systems accessed contained no customer or government information or other similarly sensitive information."
Lapsus$ initially accessed T-Mobile's internal tools by buying stolen employee credentials on websites like Russian Market. The group then carried out a series of SIM swap attacks. Those type of intrusions typically involve a hacker hijacking their target's mobile phone by transferring the number to a device in their possession. The attacker can then use that access to intercept SMS messages, including links to password resets and one-time codes for multi-factor authentication. Some Lapsus$ members attempted to use their access to hack into T-Mobile accounts associated with the FBI and Department of Defense but failed to do so due to the additional verification measures tied to those accounts.
Hackers have frequently targeted T-Mobile in recent years. Last August, the company confirmed it had fallen victim to a hack that saw the personal data of more than 54 million of its customers compromised. That breach also involved SIM swap attacks and may have even seen the carrier secretly pay a third-party firm to limit the damage.