U.S. telecom T-Mobile has confirmed that it is the latest victim of the Lapsus$ ransomware group.


Security journalist Brian Krebs first revealed the latest breach after obtaining private chat messages between Lapsus$ members, who have breached Nvidia, Ubisoft and Okta. The messages reveal that the group had access to T-Mobile’s network by compromising employee accounts that were previously leaked or through social engineering. Compromising employee accounts allowed Lapsus$ access to several of T-Mobile’s tools.

While the tactics, techniques, and procedures (TTPs) used by Lapsus$ are not novel, the incident does highlight a common weakness in cybersecurity — the people/user, explains Ivan Righi, Senior Cyber Threat Intelligence Analyst at Digital Shadows. "Even the most secure technical controls may be bypassed by threat actors who are highly skilled in social engineering, and users who use the same credentials across multiple accounts may be putting their organizations at risk. The Lapsus$ Group also highlights the dangers of using SMS messages or phone calls for multi-factor authentication, as phone-based social engineering attacks were a common attack vector for the group."


In addition, Krebs reported the ransomware group breached T-Mobile several times in March and stole source code related to company projects, just as the group did with Samsung, Microsoft and Globant.


In response to the story, T-Mobile issued the following statement:

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”


While T-Mobile claims sensitive data was not stolen, it is the sixth breach the company has experienced since 2018.


“Data is no longer a commodity; it’s a currency — as this incident represents. Information within an organization’s network is valuable to attackers and can be leaked to encourage future attacks on a company. While the adversaries did not successfully extract any sensitive data in this instance, this breach should remind us that with a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native,” explains Oran Avraham, Chief Technology Officer at Laminar.


Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data reside, Avraham says. “Using the dual approach of visibility and protection, data protection teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.” 


To succeed against dynamic cybercriminals, organizations must invest time and resources into building a learning system that evolves to keep up with attacker tactics, says Gunnar Peterson, Chief Information Security Officer (CISO) at Forter. “Identity graph technologies can help savvy organizations recognize attacker tactics across the whole identity lifecycle, including provisioning and account maintenance. These techniques can ebb and flow with the sophisticated threat landscape we’re witnessing today.”