Leaked Telegram chats involving members of the LAPSUS$ hacker-extortion gang reveal they stole source code from T‑Mobile US, reports Brian Krebs. Security at the mobile operator was breached several times during March, with the result that the hackers obtained code from multiple corporate projects.
LAPSUS$ gang members repeatedly sought to recruit T‑Mobile employees with the intention of gaining access to company systems so they could perform SIM swaps whenever they liked. Krebs shared screenshots of Atlas, a tool used by T‑Mobile employees to manage customer accounts. LAPSUS$ reportedly obtained access to Atlas and other T‑Mobile systems.
The childish nature of the gang members is apparent from their exchanges on Telegram. In one instance a member of the gang known as ‘White’ asked why another member called ‘Amtrak’ wanted the T‑Mobile logo to be obscured as they explored a user interface together. The answer was that Amtrak’s parents already knew him to be a SIM swapper, and he did not want them to correctly guess what he was doing if they walked in on him!
Whilst Amtrak and other gang members wanted to take control of customer accounts in order to steal from rich people, that was not the main motivation of White, an English teenager who was recently arrested by police. White’s focus was on stealing code, perhaps to extort money or just for the thrill of showing he could do it. A dispute about objectives led White to reveal to his fellow gang members that he had downloaded 30,000 source code repositories from T‑Mobile.
A statement from T‑Mobile in response to Krebs’ revelations emphasized that no customer, government or sensitive information had been compromised. However, it appears to stretch the truth when they insist they have no evidence that LAPSUS$ obtained anything of value. The code for the company’s own systems clearly does have a value. Given the effort being made by the US government to prohibit the use of Chinese technology, it is difficult to argue there are no national security implications if hackers are able to share the code for the internal systems used by one of the biggest US telcos. It makes no sense for the FCC to insist that failing to accurately disclose foreign ownership of a minor US telco is a national security issue if the US industry cannot prevent foreign bad actors from getting intimate knowledge of the vulnerabilities of systems operated by much larger telcos.
T‑Mobile were ultimately saved from a more damaging outcome by the laziness of LAPSUS$ gang members. Following another breach, the FBI took control of the Amazon Web Services server that Amtrak had “filled with illegal shit”. He never made a backup of the server, leading White to become irate with Amtrak as the server had been used to store the stolen T‑Mobile source code. White and Amtrak then immediately attempted to download the source code again, but were unable to do so because T‑Mobile revoked their access. As White explained: “Cloning 30k repos four times in 24 hours isn’t very normal”.
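The clone volume White describes as “not very normal” is exactly the kind of signal a source-control audit log can surface. The following is an added example, not code from the article or from T‑Mobile: it runs a sliding 24‑hour window over constructed audit lines and flags any principal whose clone count or distinct-repository count exceeds a threshold. The log format, actor names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of source-control audit events (not real data).
# Format assumed: "<ISO timestamp> <actor> <action> <repo>"
SAMPLE_LOG = """\
2022-03-20T02:10:00Z svc-ci clone billing-api
2022-03-20T02:11:00Z svc-ci clone billing-web
2022-03-20T02:12:00Z jdoe clone atlas-ui
2022-03-20T03:00:00Z jdoe clone atlas-ui
2022-03-20T03:00:10Z jdoe clone billing-api
2022-03-20T03:00:20Z jdoe clone billing-web
2022-03-20T03:00:30Z jdoe clone notif-svc
2022-03-21T09:00:00Z jdoe clone atlas-ui
"""

WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse audit lines into sorted (timestamp, actor, repo) clone events."""
    events = []
    for line in text.splitlines():
        ts, actor, action, repo = line.split()
        if action == "clone":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, repo))
    events.sort()
    return events


def flag_bulk_cloners(text, max_clones=4, max_distinct_repos=3, window=WINDOW):
    """Return {actor: (peak_clones, peak_distinct_repos)} for every actor whose
    activity inside any sliding window exceeded either threshold (assumed values)."""
    recent = defaultdict(deque)   # per-actor events still inside the window
    flagged = {}
    for ts, actor, repo in parse_events(text):
        q = recent[actor]
        q.append((ts, repo))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({r for _, r in q})
        if len(q) > max_clones or distinct > max_distinct_repos:
            prev = flagged.get(actor, (0, 0))
            flagged[actor] = (max(prev[0], len(q)), max(prev[1], distinct))
    return flagged
```

In a real deployment the thresholds would be set from a baseline of normal developer and CI behaviour, so that a single user cloning an entire organisation’s repositories stands out immediately.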