US mobile network emerges as latest Lapsus$ victim

The Lapsus$ cyber crime gang compromised the systems of US mobile network T-Mobile and supposedly tried to steal source code relating to various products in the days immediately prior to the arrests of various members, it has emerged.

The gang’s private Telegram chat logs, which were leaked to Brian Krebs of KrebsOnSecurity, show how Lapsus$ bought compromised T-Mobile employee credentials on underground sites such as Russian Market, which they used to perform SIM-swapping attacks.

A SIM-swap is a type of cyber attack in which a mobile operator is convinced to switch the phone number of a targeted device to a new device, giving the new owners access to information stored on the original owner’s device, such as banking or credit card details, and enabling them to take over other accounts by resetting credentials. Such attacks are quite often deployed to steal cryptocurrency.

Krebs, an independent investigative journalist, reported that the gang used its leverage to access T-Mobile’s customer management tool, Atlas, and from there attempted to access accounts associated with US government bodies and agencies, including the FBI. This prompted arguments between members worried they had gone too far, which seems to have resulted in the group’s ringleader, who went by the handle White, pivoting to steal source code instead.

The leaked chat logs also reveal insight into the mindset of the teenagers who made up the gang, with one, going by the handle mox, expressing displeasure that his school was abuzz with talk about Lapsus$ but that he could not tell anybody he was involved.

Another gang member using the handle Amtrak was seen asking White to obscure T-Mobile’s information because his parents knew that he had engaged in SIM-swapping in the past, and didn’t want to get in trouble.

Further evidence contained in the gang’s chat logs indicates that Amtrak was bullied and later doxed by White. The gang seems to have been riven with infighting, which may ultimately have contributed to its downfall.

White is thought to be one of two teenagers charged over the Lapsus$ hacking spree by City of London Police, although this has not been and cannot be formally confirmed due to their age.

In a statement circulated to the media, a spokesperson for T-Mobile’s US operation said: “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software.

“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

The attack on T-Mobile is not thought to have had any impact on the organisation’s former UK operation, which was folded into the EE mobile network over a decade ago, and now has no meaningful relationship with its former parent, Deutsche Telekom, which does however hold a stake in EE’s current owners, BT.

Lapsus$ shot to prominence in early 2022, thanks to a series of high-profile attacks on tech companies including Nvidia, Samsung, Ubisoft, Okta and Microsoft. The gang was mistakenly thought to be a ransomware gang at first, but it does not appear to have ever deployed ransomware at any of its targets, preferring instead to simply exfiltrate and leak data while demanding a pay-off, as opposed to encrypting it.