Telecom company T-Mobile on Friday confirmed that it was the victim of a security breach in March after the LAPSUS$ mercenary gang managed to gain access to its networks.
The acknowledgment came after investigative journalist Brian Krebs shared internal chats belonging to the core members of the group indicating that LAPSUS$ breached the company several times in March prior to the arrest of its seven members.
T-Mobile, in a statement, said that the incident occurred “several weeks ago,” with the “bad actor” using stolen credentials to access internal systems. It stated that “The system accessed did not contain any customer, government or similar sensitive information and there is no evidence the intruder was capable of obtaining anything of value.”

The VPN credentials used for the initial access were obtained from illegal websites such as Russian Market in order to gain control over T-Mobile employees' accounts and allow the threat actor to carry out SIM-swapping attacks.

Besides gaining access to an internal customer account management tool called Atlas, the chats show that LAPSUS$ had breached T-Mobile’s Slack and Bitbucket accounts, using the latter to download over 30,000 source code repositories.
LAPSUS$ has gained attention for its breaches of Impresa and NVIDIA as well as Samsung, Vodafone, Ubisoft, Microsoft and Okta.
Earlier this month, the City of London Police disclosed that it had charged two of the seven teenagers, a 16-year-old and a 17-year-old, who were arrested last month for their alleged connections to the LAPSUS$ data extortion gang.