A group of largely teenage hackers breached T-Mobile and downloaded over 30,000 source code repositories — even gaining access to Atlas, an internal T-Mobile tool for managing customer accounts — according to a new eye-popping report by independent investigative journalist Brian Krebs, who was leaked internal Telegram group messages from the LAPSUS$ group by a disgruntled former associate. T-Mobile has now admitted the breach.
“The messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account — either because the employee tried to log in or change their password — they would just find or buy another set of T-Mobile VPN credentials” Krebs wrote on April 22. The veteran security reporter suggested this week that the ease with which LAPSUS$ could buy access from dark web sites meant businesses should scrape them regularly.
“Anyone can access dark web bot shops like Russian Market and Genesis, which means larger companies probably should be paying someone to regularly scrape these criminal bot services, even buying back their own employee credentials to take those vulnerable systems off the market” he noted in his own write-up.
“Because that’s probably the simplest and cheapest incident response money can buy.”
T-Mobile, which reported $58.4 billion in full-year 2021 earnings, was also devastatingly hacked in August 2021, with the data of 40 million customers stolen in an incident that its CEO described as “humbling”.
T-Mobile CEO Mike Sievert said in August 2021 in the wake of that breach that the telco was entering “long-term partnerships with the industry-leading cybersecurity experts at Mandiant, and with consulting firm KPMG” as part of “a substantial multi-year investment to adopt best-in-class practices and transform our approach.”
See also: GitHub breached, npm data stolen
The LAPSUS$ hackers later lost all the stolen T-Mobile source code after storing it in an AWS server that was seized by the FBI — and failing to back-up the data (“RIP FBI seized my server” one member writes on Telegram in messages shared with Krebs in his report this weekend: “So much illegal shit. It’s filled with illegal shit.”)
Attempts to re-download it from T-Mobile failed, the leaked chats showed after the access token they used was revoked. The ringleader shrugs it off: “Cloning 30k repos four times in 24 hours isn’t very normal.”
Krebs wrote: “Access to internal [T-Mobile] company tools could give them [LAPSUS$] everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled. These unauthorized sim swaps allow an attacker to intercept a target’s text messages and phone calls, including any links sent via SMS for password resets, or one-time codes sent for multi-factor authentication.”
T-Mobile played down the consequences of the breach, telling Krebs: “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.
The company which has over 75,000 employees, said: “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
The attackers appear t