The Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March, as first reported by Krebs on Security. T-Mobile confirmed the attack, and says the “systems accessed contained no customer or government information or other similarly sensitive information.”
In copies of private messages obtained by Krebs, the Lapsus$ hacking group discussed targeting T-Mobile in the week prior to the arrest of seven of its teenage members. After purchasing employees’ credentials online, the members could use the company’s internal tools like Atlas, T-Mobile’s customer management system to perform SIM swaps. This type of attack involves hijacking a target’s mobile phone by transferring its number to a device owned by the attacker. From there, the attacker can obtain texts or calls received by that person’s phone number, including any messages sent for multi-factor authentication.
According to screenshotted messages posted by Krebs, Lapsus$ hackers also attempted to crack into the FBI and Department of Defense’s T-Mobile accounts. They were ultimately unable to do so, as additional verification measures were required.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” T-Mobile said. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
T-Mobile has been the victim of several attacks over the years. Although this particular hack didn’t affect customers’ data, past incidents did. In August 2021, a breach exposed the personal information belonging to over 47 million customers, while another attack occurring just months later compromised “a small number” of customer accounts.
Lapsus$ has made a name for itself as a hacking group that primarily targets the source code of large technology companies, like Microsoft, Samsung, and Nvidia. The group, which is reportedly led by a teenage mastermind, has also targeted Ubisoft, Apple Health partner Globant, and authentication company Okta.