The messages show that Lapsus$ gained access to T-Mobile’s network by compromising employee accounts, either by buying leaked credentials or through social engineering. That access extended to T-Mobile’s internal tools, including Atlas, which is used to manage customer accounts. The hackers used Atlas in an attempt to find T-Mobile accounts associated with the FBI and the Department of Defense, but were blocked because that access required additional checks.
With this employee account access, the hackers were in a position to carry out SIM-swap attacks, in which an attacker reassigns a target’s cell phone number to a device under their control. The attacker can then intercept the victim’s phone calls and text messages, including two-factor authentication codes, and use them to break further into the victim’s accounts.
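As an added illustration of how a carrier’s security team can spot the abuse pattern described above (this is example code written for this page, not T-Mobile’s tooling or anything Lapsus$ used): the script below scans a constructed audit log and flags two things. First, a subscriber whose number is moved to a new SIM and then, within a short window, receives a one-time code or completes an account recovery, which is the sequence a SIM swap produces when it is used to take over an account. Second, an employee or tool account that performs an unusual number of SIM changes in a short period, which is what compromised staff credentials tend to look like from the inside. The event format, field names, thresholds and every log line are assumptions made up for the example.

```python
"""Toy SIM-swap abuse detector (added example; log format and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit log: "<timestamp> <subscriber> <event kind> <actor>".
# Actors are the employee/tool accounts (or self-service) that triggered the event.
SAMPLE_LOG = """\
2022-03-20T10:01:00 +15550001111 sim_change emp-4471
2022-03-20T10:04:30 +15550001111 otp_sent self-service
2022-03-20T10:06:10 +15550001111 account_recovery self-service
2022-03-20T10:20:00 +15550004444 sim_change emp-4471
2022-03-20T10:45:00 +15550005555 sim_change emp-4471
2022-03-20T11:30:00 +15550002222 sim_change store-kiosk
2022-03-21T09:00:00 +15550002222 otp_sent self-service
2022-03-20T12:00:00 +15550003333 otp_sent self-service
"""

# Events that indicate the number is now being used to prove identity.
FOLLOW_UP_KINDS = {"otp_sent", "account_recovery"}


@dataclass
class Event:
    ts: datetime
    subscriber: str  # phone number the event concerns
    kind: str        # "sim_change", "otp_sent" or "account_recovery"
    actor: str       # employee/tool account that performed it


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log and return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, subscriber, kind, actor = line.split()
        events.append(Event(datetime.fromisoformat(ts), subscriber, kind, actor))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_swaps(events: List[Event],
                          window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Map each subscriber to the identity-proving events that followed a SIM change within `window`."""
    hits: Dict[str, List[str]] = defaultdict(list)
    last_swap: Dict[str, datetime] = {}
    for e in events:
        if e.kind == "sim_change":
            last_swap[e.subscriber] = e.ts
        elif e.kind in FOLLOW_UP_KINDS and e.subscriber in last_swap:
            if e.ts - last_swap[e.subscriber] <= window:
                hits[e.subscriber].append(e.kind)
    return dict(hits)


def find_bulk_actors(events: List[Event], threshold: int = 3,
                     window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Return actors that performed at least `threshold` SIM changes inside any `window`-long span."""
    by_actor: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "sim_change":
            by_actor[e.actor].append(e.ts)
    flagged: Dict[str, int] = {}
    for actor, times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SIM swap followed by identity proof:", find_suspicious_swaps(evs))
    print("Actors with bulk SIM changes:", find_bulk_actors(evs))
```

On the sample log the first check flags only +15550001111 (an OTP and a recovery a few minutes after the swap); +15550002222 is not flagged because its OTP arrives the next day, and +15550003333 never had a swap. The second check flags emp-4471 for three SIM changes in 44 minutes. In a real deployment the thresholds would be tuned against normal store and support volumes, and a hit on the first check is a reason to hold the recovery and re-verify the customer out of band rather than over the just-moved number.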
T-Mobile did not respond to multiple requests for comment, but told news outlets that “no customer or government information” was accessed during the incident.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” the company’s statement said. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”