LAPSUS$ Hackers Stole T-Mobile Source Code But The FBI Schooled Them And Stole It Back
LAPSUS$ was a hacking group that recently stole source code from a number of big name targets, including NVIDIA, Samsung, and Microsoft. Shortly after this string of high profile data thefts, British police arrested seven individuals over involvement with the hacking group. The suspects all fell between the ages of 16 and 21 years old. The leader, who is known as “White,” turned out to be only 16 years old and living with his mother.
LAPSUS$ leveraged access to T-Mobile’s systems to perform SIM swap attacks, reassigning customers’ phone numbers to devices controlled by the hackers. Such attacks give bad actors access to victims’ text messages, which are still a common avenue for multi-factor authentication codes. The hackers eventually searched for T-Mobile phone numbers associated with the FBI and Department of Defense, but accessing these numbers required elevated permissions not available to LAPSUS$.
This approach came back to bite LAPSUS$ when the FBI seized the Amazon Web Services (AWS) server that the group was using to store the stolen T-Mobile code. White initially dismissed the seizure until another member informed him that they had never made a backup of the server, prompting a distraught response from the group’s leader. The hackers frantically tried to re-download the source code, but found that their access token was no longer valid. White guessed that Gitlab auto-revoked the token, noting that “Cloning 30k repos four times in 24 hours isn’t very normal.”
As far as we know, LAPSUS$ never leaked any T-Mobile source code, thanks to the FBI. Nonetheless, the fact that the amateur hackers were able to repeatedly gain access to internal T-Mobile systems is still concerning.
T-Mobile issued the following statement in response questions by Krebs: “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”