Lapsus$ Ringleader Breached T-Mobile’s Systems Ahead of Betrayal by Fellow Hackers

essidsolutions

Telecom major T-Mobile recently became another high-profile victim of cyber extortionist gang Lapsus$, known for breaching the likes of Samsung, Okta, Ubisoft, and Globant in recent months. The hacker group reportedly breached T-Mobile in March 2022, shortly before seven of its alleged members were arrested in the U.K.

T-Mobile recently confirmed that Lapsus$ targeted it but said the cyber extortion group wasn’t able to exfiltrate any valuable data. The company confirmed the breach after security journalist Brian Krebs (KrebsOnSecurity) revealed that Lapsus$ members had socially engineered their way into T-Mobile systems and even gained access to Atlas, the company’s internal tool for managing customer accounts.

Krebs discovered that the hacker group stole approximately 30,000 T-Mobile source code repositories. “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” T-Mobile told the security researcher.

“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.” However, the cyber extortionists did try to use Atlas to access T-Mobile accounts associated with the FBI and the Department of Defense, but were unsuccessful because those accounts required additional verification.

With access to Atlas, Lapsus$ members could freely carry out SIM swapping attacks, i.e., reassigning a target’s mobile number to a SIM card under the attackers’ control so that they receive the target’s calls and SMS-based verification codes. Screenshots obtained by Krebs from Lapsus$’s private Telegram group showed other Lapsus$ members asking a member using the handle ‘Lapsus Jobs’ not to shut down access to Atlas.

However, ‘Lapsus Jobs’ terminated the access unilaterally. Krebs’ assessment indicated that Lapsus Jobs is “White,” the same 16-year-old hacker who was arrested in the U.K. in March. White, who used the pseudonyms Doxbin, Breachbase, and Oklaqq, was arrested along with six other alleged members of Lapsus$ and is widely believed to have been ousted by his associates.

Reportedly, they had a falling out. The hackers revealed White’s name, address, social media pictures, and his cybercriminal activities on an underground site, but not before White himself doxxed another member ‘Amtrak’ and tried to dox ‘Mox.’

White also leaked on Telegram the dataset of Doxbin, a text-based site where cybercriminals, or anyone else, can ‘dox’ a person, i.e., publicly reveal their private or identifying information. Moreover, White’s behavior towards other members was reportedly abusive.

Revoking access to Atlas, doxing other members, and leaking the Doxbin database were the key reasons Lapsus$ members turned on him.

White’s previous misdeeds include founding the Recursion Team, a group focused on carrying out SIM swapping attacks. With Lapsus$, however, the teenage hacker was primarily focused on stealing sensitive source code from various tech vendors.

Arti Raman, CEO & founder of Titaniam, told Toolbox, “T-Mobile’s confirmation that the Lapsus$ extortion gang breached its network shows how much more damaging and complex cyberattacks have become as extortion attempts rise in popularity.

“This highlights the importance of technologies like encryption-in-use (also known as data-in-use encryption) which specifically protect against data extortion. By retaining encryption even while data is in active use, attackers are unable to utilize stolen data to extort their victims.”


The good news for T-Mobile is that Lapsus$ no longer has the source code stolen from the telecom company, because the cloud server where Lapsus$ stored it was seized by the FBI. The group later tried to re-download the source code but failed because T-Mobile had already revoked the compromised access token they were using.

However, others weren’t as lucky as T-Mobile. Lapsus$ has compromised several technology companies and public bodies and stolen data from them, including Okta, Microsoft (37 GB), NVIDIA (19 GB), Samsung (190 GB), French gaming company Ubisoft, Luxembourg’s tech services major Globant (70 GB), the government of Brazil (50 TB), and Portuguese media company Impresa.

Notably, the data stolen and deleted from Brazil’s Ministry of Health concerned the government’s COVID-19 response in the country. White was also associated with the threat actors that stole 780 GB of data from Electronic Arts last year.

In most cases, Lapsus$ relied on stolen credentials or a great deal of social engineering. Gal Helemski, CTO and co-founder at PlainID, told Toolbox, “When it comes to internal breaches where networks are compromised, identity is still the number one challenge. Organizations must adopt a ‘Zero Trust’ approach, which means trusting no one – not even known users or devices – until they have been verified and validated.

She adds, “Access Policies and Dynamic Authorizations are a crucial part of the zero-trust architecture; they help to verify who is requesting access, the context of the request, and the risk of the access environment.”

“With the pandemic driving more and more people to conduct business online, it’s critical that organizations put Access Policies at the top of their priority list,” Helemski added. “If we assume hackers are already in the network, it makes sense to focus budgets on restricting movement inside the network.”
