The report comes from Krebs on Security (via Phone Arena), who acquired private chats between key Lapsus$ members. These chats detail the group’s action plan. Most Lapsus$ members are either under investigation or are in prison for prior offenses, but it’s clear a few are still out there lurking in the shadows. The leader of Lapsus$ goes by several nicknames, including “Lapsus Jobs,” “White,” “WhiteDoxbin,” and “Oklaqq.” In the past, Lapsus$ bought credentials from sources like Russian Market. However, such sites cannot offer complete access to a particular company’s internal tools. The group tried to remedy this by directly targeting T-Mobile employees, eventually breaching the company’s systems on multiple occasions.
Lapsus$ couldn’t get into the U.S. DOD or the FBI thanks to additional verification measures
On March 19, the group accessed Atlas, the carrier’s internal customer account management software. The report claims that Lapsus$ even searched through T-Mobile accounts linked with the Department of Defense and the Federal Bureau of Investigation (FBI). Fortunately, the hacker group couldn’t go any further, as those accounts had verification safeguards against unauthorized changes.

Lapsus$ then ended the VPN connection, later accessing T-Mobile’s Bitbucket and Slack accounts. Furthermore, the group leader reportedly downloaded more than 30,000 code repositories from the carrier. This triggered T-Mobile’s security systems, and the hacker group’s access was immediately revoked. “Cloning 30k repos four times in 24 hours isn’t very normal,” the leader of Lapsus$ later said.

T-Mobile acknowledged these attacks but maintained that the hackers could not steal government or customer information. “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete,” the carrier told Krebs on Security.

This is not T-Mobile’s first cyberattack, as most customers already know. With hacker groups finding new ways to breach corporations’ defenses, it behooves one of America’s top mobile carriers to ensure there are no loopholes.
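The detection that ended the Bitbucket access, bulk repository cloning far above any normal rate, can be expressed as a simple sliding-window check over source-control audit logs. The following is an added example, not code from the article or from T-Mobile; the log format, user names and the threshold of 10 distinct repositories per 24 hours are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed format (not real data):
# "<ISO timestamp> user=<name> action=<verb> repo=<slug>"
SAMPLE_LOG = (
    ["2022-03-17T10:00:00 user=mass_cloner action=clone repo=repo-old"]  # older than 24h
    + [f"2022-03-19T03:{i:02d}:00 user=mass_cloner action=clone repo=repo-{i:02d}"
       for i in range(12)]                                                # burst of clones
    + ["2022-03-19T09:15:00 user=dev_alice action=clone repo=billing-api",
       "2022-03-19T16:40:00 user=dev_alice action=clone repo=web-portal",
       "2022-03-19T17:00:00 user=dev_alice action=push repo=web-portal"]  # not a clone
)

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) repo=(\S+)$")

def parse_line(line):
    # Returns (timestamp, user, action, repo), or None for malformed lines
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, repo = m.groups()
    return datetime.fromisoformat(ts), user, action, repo

def peak_distinct_repos(events, window=timedelta(hours=24)):
    """Largest number of distinct repos one user cloned inside any sliding window."""
    events = sorted(events)           # list of (timestamp, repo)
    in_window = Counter()             # repo -> clones inside the current window
    peak = start = 0
    for ts, repo in events:
        in_window[repo] += 1
        while events[start][0] < ts - window:   # evict clones older than the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        peak = max(peak, len(in_window))
    return peak

def find_bulk_cloners(lines, threshold=10, window=timedelta(hours=24)):
    """Map each user whose peak distinct-repo clone count meets the threshold to that count."""
    per_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "clone":
            ts, user, _, repo = parsed
            per_user[user].append((ts, repo))
    return {u: n for u, ev in per_user.items()
            if (n := peak_distinct_repos(ev, window)) >= threshold}
```

Counting distinct repositories rather than raw clone events keeps a developer who re-clones one repository many times from tripping the alert, while a single account sweeping through the whole codebase stands out immediately.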