Telecommunications company T-Mobile confirmed that the Lapsus$ extortion group had accessed the company’s internal systems and breached its source code a few weeks ago. In a statement on April 22, the company also emphasized that it had deactivated the credentials used in the attack.
According to T-Mobile, in the March breach the threat actors accessed internal systems using stolen credentials, but no client or confidential information was exposed.
Regularly monitor whether your employees' credentials are compromised. SOCRadar helps your cybersecurity team take quick action in case of potential identity theft, thanks to its advanced data collection processes and algorithms.
T-Mobile Employees Are Consistently Targeted
According to a detailed analysis by investigative journalist Brian Krebs, Lapsus$ appears to have breached T-Mobile several times. Leaked Telegram chats show that group members repeatedly targeted T-Mobile employees who have access to the company's internal tools. They gained access using a "SIM swapping" method, which reassigns the victim's mobile number to a device the attacker controls.
The threat actors gained access to Atlas, an internal tool for managing client accounts. They also breached T-Mobile's Slack and Bitbucket accounts. More than 30,000 source code repositories are known to have been downloaded through these accounts.
Breach Alleged Just Before the Arrests
At the beginning of April, seven people were arrested in a UK police operation for involvement with the Lapsus$ extortion group. The view that the attacks took place just before these arrests has become widespread.
Lapsus$ has drawn attention as the actor behind a series of significant attacks that made a splash in a short time. After giant companies such as NVIDIA, Samsung, Ubisoft, Microsoft, and Okta, T-Mobile has now been added to its victim list.
On the other hand, the fact that T-Mobile has experienced six major data breaches since 2018 raises concerns among cybersecurity experts.