T-Mobile Breached Over 100 times by Hackers in 2022: Report


An analysis of chat data has revealed more than 100 separate incidents in 2022 in which three cybercriminal groups gained access to T-Mobile's internal networks.

“The conclusions are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at ‘SIM-swapping,’ which involves temporarily seizing control over a target’s mobile phone number,” reported cybersecurity journalist Brian Krebs.

T-Mobile, the third-largest wireless carrier in the US, with over 110 million subscribers, disclosed that a bad actor obtained data through a single Application Programming Interface (“API”) without authorization. 

T-Mobile, telecom data, and attackers 

According to the KrebsOnSecurity report, the attackers’ aim was to phish T-Mobile employees for access to company tools, which they would then use to divert text messages and phone calls to another device. The groups are all active in 2023 and use open channels on Telegram to conduct their business.

All three advertise their access to T-Mobile systems in similar ways and claim SIM-swapping capabilities. The groups’ claimed access to T-Mobile systems lasted for less than an hour, but in some instances, the access remained undetected for several hours or days.

The groups’ advertised prices for a SIM swap against T-Mobile customers ranged between $1,000 and $1,500 (USD), the journalist wrote.

According to him, the cybercriminals post daily or near-daily messages in these channels to advertise their services, and some of them also announce when their access to T-Mobile has been revoked.

T-Mobile declined to comment on these claims, but it affirmed its commitment to enhancing its security measures. 

“KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry,” the journalist wrote. 

T-Mobile and the latest data breach 

T-Mobile has been in the cybersecurity news for over a year. In January 2023, T-Mobile revealed a data breach that impacted 37 million postpaid and prepaid accounts.  

The company stated that it is investigating the incident and expects to face substantial costs related to it. T-Mobile reported that it detected the malicious activity on January 5 and contained it within 24 hours.  

The company stated that no financial information was compromised. External cybersecurity experts were enlisted to investigate the matter, and the source of the malicious activity was traced and stopped.  

T-Mobile acknowledged that customer information such as names, billing addresses, email addresses, and phone numbers was obtained. The investigation is ongoing, but it appears that the malicious activity has been contained.

The breached data included customers’ names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and details about the number of lines and plan features for each account.  

APIs are interfaces that enable applications to access data and interact with web databases. Malicious actors can exploit these APIs to collect large amounts of information stored in those databases.

T-Mobile and earlier breaches 

In April 2022, the Lapsus$ hacking group breached T-Mobile’s systems and stole the company’s source code, according to a KrebsOnSecurity report. The group used T-Mobile’s internal tools, such as the Atlas customer management system, to perform SIM swaps.

A SIM swap is an attack where the attacker hijacks a target’s mobile phone number by transferring it to a device owned by the attacker, allowing the attacker to intercept texts or calls, including any messages sent for multi-factor authentication.  

T-Mobile confirmed the attack in a statement to The Verge, stating that the systems accessed did not contain any customer, government, or sensitive information. The Lapsus$ group had planned to target T-Mobile in the week before seven of its teenage members were arrested.  

In 2021, T-Mobile agreed to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack that compromised information belonging to an estimated 76.6 million people.
