Breach Notification , Cybercrime , Cybercrime as-a-service

T-Mobile Breached Again; Lapsus$ Behind the Attack

Company Says No Sensitive Customer or Government Information Leaked
T-Mobile Breached Again; Lapsus$ Behind the Attack
Chat showed Lapsus$ breached T-Mobile several times. (Source: ISMG File photo)

The U.S. telecom carrier T-Mobile has confirmed that the Lapsus$ ransomware group has breached its internal network by compromising employee accounts, according to multiple media reports. But, it says, hackers did not steal any sensitive customer or government information during the incident.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

Information security blogger Brian Krebs recently reviewed a copy of the private chat messages between members of the Lapsus$ cybercrime group before the arrest of its most active members last month.

He reported that the chat messages show Lapsus$ breached T-Mobile several times and stole source code for a range of company projects.

A spokesperson for T-Mobile told Krebs that its "monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software" but no sensitive customer or government information was stolen.

The Washington-based telecommunications giant fell victim to another data breach early this year that was linked to a SIM swapping attack that it said affected "a very small number" of its 105 million customers (see: T-Mobile: Some Customers Affected by SIM Swap Data Breach).

In direct response to Information Security Media Group's queries about this latest incident, T-Mobile says: "Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete."

Lapsus$ has operated openly on its Telegram chat channel since December 2021. Currently, the channel has close to 60,000 followers. The notorious group used its channel to leak huge volumes of sensitive data stolen from victims.

In March, police in London said that they'd arrested seven people that the BBC reported are tied to the Lapsus$ hacking group, which has claimed responsibility for data breaches involving Okta, Microsoft, Nvidia, Ubisoft and others.

Two teenagers arrested and charged by the City of London Police in connection with its investigation into the Lapsus$ hacking group have been released on bail for an undisclosed sum and are due back in court on Friday. The City of London Police, which handles fraud reporting and cybercrime for the U.K., is investigating the Lapsus$ hacking group (see: Lapsus$ Teens Out on Bail, Due Back in Court April 29).

Account Takeover Attack

Krebs says he reviewed a week's worth of private conversations between Lapsus$ members which shows that the gang members obtained initial access to targeted organizations by purchasing it from Russian criminal markets that sell access to remotely compromised systems, as well as credentials stored in these systems.

Gunnar Peterson, the chief information security officer at fraud detection services provider Forter, says that the recent attacks and extortion attempts on large enterprises are clear examples of the damage that can be done when compromised credentials are used to carry out account takeover, or ATO, attacks.

"The Lapsus$ ransomware group is conducting all of their ATO activity using stolen usernames and passwords that were obtained using unconventional and sophisticated means," Peterson says.

Apart from buying access to compromised systems and using stolen credentials, the gang was involved in social engineering of the targeted organization's employees to trick them into adding one of the gang's infected machines to the allowed devices that authenticated the company's virtual private network, Krebs says.

Lapsus$ also mastered a range of tricks allowing the group to access credentials, gain initial access into a network and move laterally, according to research from Microsoft.

Lapsus$, which Microsoft refers to as DEV-0537, is known for "living off the land," which refers to using native operating system tools to probe systems, the company's security researchers report in a blog post. To gain initial access, Microsoft says the group’s tactics include using the RedLine password stealer, buying stolen or brute-forced credentials in underground markets, paying employees of targeted organizations to share credentials or MFA codes, searching public data breach dumps for exposed credentials, and gathering enough data about an employee in a targeted organization to phone the help desk and ask it "to reset a target's credentials" to those of its choosing.

Repeated Attacks

In August 2021 T-Mobile was the victim of a widely publicized data breach in which more than 50 million customers' data was stolen, and attackers attempted to extort $2 million from CEO Mike Sievert (see: T-Mobile CEO Apologizes for Mega-Breach, Offers Update).

This is at least the sixth time T-Mobile has been a target of an attack in the past three years (see: T-Mobile Probes Attack, Confirms Systems Were Breached).

More than 100 million T-Mobile data records were found for sale online after the August 2021 breach - with sensitive records including Social Security numbers, driver's license numbers, names, addresses, birthdates, and security PINs.

The massive data breach allegedly was carried out by John Binns, a 21-year-old American who discovered an insecure router belonging to T-Mobile. After detecting the router, Binns was able to find a point of entry into a Wisconsin data center, where he began exfiltrating data. Binns told The Wall Street Journal at the time that T-Mobile's security practices were "awful" and bragged about the attack, which he claimed he did more for recognition than monetary gain.

In December 2020, T-Mobile notified customers that its cybersecurity team had detected "malicious, unauthorized access" to around 200,000 customers' accounts (see: T-Mobile Alerts Customers to New Breach).

Data from more than 1 million customers was leaked after a malicious hacker gained unauthorized access to prepaid wireless accounts in November 2019. In this instance, T-Mobile advised customers to reset their PINs (see: T-Mobile Says Prepaid Accounts Breached).

The first in this series of breaches affecting T-Mobile customers took place in August 2018, when a threat actor stole customer names, ZIP codes and other information on prepaid and postpaid accounts. Some 2.3 million customers were victimized (see: T-Mobile Database Breach Exposes 2 Million Customers' Data).

Lapsus$ Revamp

First appearing in 2021, Lapsus$ swiftly generated attention by publicly dumping stolen data, extorting companies and openly offering to pay for information that helped the group breach more businesses.

The group is believed to have a connection to Brazil since some of its public posts are in Portuguese and some of its hacking targets are Brazilian.

The group's activity intensified earlier this month with a series of releases of sensitive data. The group usually posts its data breach dumps to a Telegram channel, where members regularly mock and threaten their victims.

On March 5, Lapsus$ released source code belonging to Samsung. It then dumped data belonging to South Korean electronics maker LG.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.