This Nvidia hacking group went after T-Mobile, but the FBI stole their data before they could use it

The hacking group known as Lapsus$ has been linked to cyberattacks on Microsoft, Nvidia and Samsung, among others, before core members of the group were arrested. Since then, new text messages purporting to be from members of the hacking group suggest that telecommunications company T-Mobile was also targeted and that the group successfully stole source code. The same messages, however, indicate that the FBI got involved and cut the group off from its own leased servers before it could do anything with the data.

The security blog KrebsOnSecurity, written by journalist Brian Krebs, claims to have received logs of Telegram discussions among Lapsus$ core members in which the T-Mobile hack and the subsequent bust are mentioned.

“FFS, THAT AWS HAD TMO SRC [T-Mobile source code] code!” a member of the group, known as White, is said to have mentioned after the apprehension.

White was arrested shortly thereafter by the City of London Police, and is reported to be a 16-year-old from Oxford, UK. Other UK citizens, aged between 15 and 21, were also arrested and are alleged to be linked to the group.

Lapsus$ is said to have preferred to upload stolen data to cloud and leased servers so that police raids on members’ homes would be less likely to turn up any stolen information. That plan didn’t work very well, however, as the remotely stored content was taken down by the FBI.

The hacking group allegedly attempted once again to breach T-Mobile’s systems and re-download the stolen data, but found it could no longer regain access with its access tokens. These tokens had been purchased online from the internet equivalent of a man in an alley opening a large coat, but the source-control system can automatically revoke a token when large repositories are cloned too many times in a short period of time.

“Cloning 30,000 repos four times in 24 hours is not very normal,” White said.
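The automatic revocation described above is a volume-based anomaly check on clone activity per token. The following is an added illustration of that kind of check, not T-Mobile’s or any vendor’s code: it reads a constructed audit log (the log format, token names, repositories, timestamps and the thresholds are all hypothetical), keeps a sliding 24-hour window per token, and flags a token either when its total clones in the window exceed a limit or when the same repository is cloned repeatedly inside the window.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format): "<ISO-8601 time> <token id> <action> <repo>".
# None of these tokens, repositories or times come from the incident discussed in the article.
SAMPLE_LOG = """\
2022-03-20T01:00:00Z tok_a1 clone org/billing-core
2022-03-20T01:00:05Z tok_a1 clone org/billing-core
2022-03-20T01:00:10Z tok_a1 clone org/billing-core
2022-03-20T01:10:00Z tok_c3 clone org/repo-01
2022-03-20T02:00:00Z tok_b2 clone org/docs
2022-03-20T02:10:00Z tok_c3 clone org/repo-02
2022-03-20T03:00:00Z tok_b2 clone org/web
2022-03-20T03:10:00Z tok_c3 clone org/repo-03
2022-03-20T03:30:00Z tok_d4 clone org/tools
2022-03-20T04:10:00Z tok_c3 clone org/repo-04
2022-03-20T05:10:00Z tok_c3 clone org/repo-05
2022-03-20T06:10:00Z tok_c3 clone org/repo-06
2022-03-22T03:30:00Z tok_d4 clone org/tools
2022-03-24T03:30:00Z tok_d4 clone org/tools
"""

WINDOW = timedelta(hours=24)
MAX_CLONES_PER_WINDOW = 5   # hypothetical threshold: more than 5 clones per token per window
MAX_CLONES_PER_REPO = 2     # hypothetical threshold: same repo cloned more than twice per window


def parse_log(text):
    """Parse the constructed log format into (timestamp, token, action, repo) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, action, repo = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, action, repo))
    events.sort(key=lambda e: e[0])
    return events


def find_tokens_to_revoke(events, window=WINDOW,
                          max_clones=MAX_CLONES_PER_WINDOW, max_per_repo=MAX_CLONES_PER_REPO):
    """Sliding-window check per token. Returns {token: (time the check first tripped, reason)}."""
    recent = defaultdict(deque)   # token -> (ts, repo) of clones inside the trailing window
    flagged = {}
    for ts, token, action, repo in events:
        if action != "clone":
            continue
        q = recent[token]
        q.append((ts, repo))
        while ts - q[0][0] > window:   # drop clones that have fallen out of the window
            q.popleft()
        per_repo = Counter(r for _, r in q)
        if len(q) > max_clones:
            flagged.setdefault(token, (ts, "clone_volume"))
        elif per_repo[repo] > max_per_repo:
            flagged.setdefault(token, (ts, "repeat_clone"))
    return flagged


def evaluate(text=SAMPLE_LOG):
    """Run the check over a log text; the returned tokens are the ones a revocation job would act on."""
    return find_tokens_to_revoke(parse_log(text))


if __name__ == "__main__":
    for token, (ts, reason) in sorted(evaluate().items()):
        print(f"revoke {token}: {reason} at {ts.isoformat()}")
```

On the sample, tok_a1 trips the repeat-clone rule on its third clone of the same repository, tok_c3 trips the volume rule on its sixth distinct clone, and tok_d4 is never flagged because its clones are spaced two days apart and fall out of the window. Real thresholds have to be tuned against legitimate build and mirroring traffic, which is why the check is expressed per token rather than per user.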

T-Mobile confirmed that the incident took place, but says that nothing of value was stolen by the hackers in this case.

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operating tools software,” says T-Mobile. “The systems accessed did not contain customer or government information or other similar sensitive information, and we have no evidence that the attacker was able to obtain anything of value. Our systems and processes functioned as designed, the intrusion was quickly terminated and closed, and the compromised credentials used have become obsolete.”

Ultimately, it appears that the downfall of the imprisoned Lapsus$ members may have been accelerated by infighting and retaliation by other nefarious actors. The original arrest reports, paired with KrebsOnSecurity’s account, suggest that at various times White had a falling out with another member of the group and attempted to expose that member’s identity. Similarly, White was himself doxxed by users of Doxbin, a doxxing site he had managed, after he doxxed the site’s own users.

The original owner of this website, a cybercriminal named ‘KT’, is allegedly the person who leaked the private chat logs to KrebsOnSecurity. What goes around comes around, I suppose. And in this case, it looks like the FBI and the police were the ones knocking on the door eventually.
