September 30, 2023

The LAPSUS$ group made headlines this year after a string of high-profile attacks on Nvidia, Microsoft and Samsung. Seven members of the group have since been arrested, but it seems that a few other attacks took place prior to this.

The latest victim to come forward is T-Mobile, which has now confirmed that a breach took place back in March. 


As reported by Krebs on Security, the group began talking about targeting T-Mobile roughly a week before arrests were made. The group purchased T-Mobile employee credentials and then used them to obtain source code for the network’s tools. One such tool is known as Atlas, and allows T-Mobile employees to perform SIM swaps. An attacker could use this to forward someone’s texts and calls to a different phone, paving the way for spying, identity theft and other issues.

T-Mobile confirmed the attack took place back in March, but maintains that the systems accessed “contained no customer or government information”. The group did attempt to crack into law enforcement accounts at T-Mobile, but was unable to do so due to additional verification requirements.


Since members of the group were arrested, it is unclear if the stolen code made its way into anyone else’s hands.

T-Mobile has faced a bunch of cyber attacks over the years, including a number of data breaches. A previous leak was likely responsible for LAPSUS$’s ability to obtain employee credentials.
