The LAPSUS$ hacking group reportedly stole 30GB of source code from T-Mobile after repeatedly accessing the carrier's network using credentials purchased on a dark web forum in March.
KrebsOnSecurity reports that LAPSUS$ also had access to an internal T-Mobile tool called Atlas that can be used to manage customer accounts. This access could have been used to enable SIM-swapping attacks, but according to leaked chat logs, LAPSUS$ didn't use Atlas in that way.
Instead, the group's leader, a UK teenager arrested in March, appears to have disconnected from T-Mobile's virtual private network (VPN) once it became clear Atlas couldn't be used to reach source code for the company's technologies, despite pleas from other LAPSUS$ members.
T-Mobile hasn't responded to a request for comment, but it told KrebsOnSecurity:
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
KrebsOnSecurity says "it seems likely that the group routinely tried to steal and then delete any source code it could find on victim systems" so "it could turn around and demand a payment to restore the deleted data." Or, as happened with Samsung and Microsoft, leak it to the public.
The report goes on to demonstrate the hacking group's lack of operational savvy (to put it politely) by recounting the repeated use of credentials purchased
Read more on pcmag.com