Exclusive: First Post by Hacker Offering Stolen T-Mobile Data Revealed

Posted on September 2, 2021 by yafit


The US-based telecommunications company T-Mobile has once again been hit by a cyber attack, leading to a leak of data affecting more than 50 million current, former, and potential customers. The leaked database included customer names, ID numbers, SSNs, full addresses, phone numbers, dates of birth, driver’s licenses, IMEIs, and account PINs.

Our exclusive investigation has uncovered the very first post by the hacker behind the attack, a post which the media has so far missed. 

What has been reported so far?

Initial media reports of this data breach surfaced on August 15, followed by T-Mobile's confirmation of the breach two days later. Both the media and T-Mobile cited a post, dated August 14, by a threat actor named SubVirt who offered 30 million SSNs and driver's licenses for sale for 6 bitcoin:

An image taken from our Cyber API of the post widely discussed by the press and T-Mobile

Our Investigation

In our exclusive investigation, we discovered that the first post SubVirt published appeared on August 11, three days before the post T-Mobile acknowledged, on RAIDforums, one of the most popular forums for trading and discussing breached databases.

In the post (see below), SubVirt asks for 6 bitcoin for 124M records containing SSNs, dates of birth and driver's licenses. Because some of the information is duplicated, the estimate is that the leak exposed data relating to more than 50 million people. As many experienced hackers do to prove that the breached data they offer for sale is genuine, SubVirt showed samples of the leaked records and even requested proof of funds from buyers before providing additional information.

The first message posted by SubVirt offering 124M records containing SSNs, dates of birth and driver's licenses, image taken from our Cyber API

We were able to link the post to T-Mobile's breach easily because SubVirt stated, in the comments under the same thread, that the data had been stolen from T-Mobile's servers.

Who is the threat actor behind the next cyber attack?

Tracing SubVirt's activity through our API, we found that in January 2021 this actor offered the "Turkcaller/Nuumara's database" for sale, which includes Turkish call logs, location data and contacts. SubVirt was also interested in buying a breached database of Turkish citizens from another seller. Taken together, these factors could suggest a link between the identity of the hacker behind the T-Mobile hack and Turkey.

A few days after the leaked T-Mobile data was published, the alleged hacker behind the cyber attack revealed his identity in an interview with The Wall Street Journal. His name is John Binns, a 21-year-old American with Turkish ancestry who moved to Turkey a few years ago. In the interview, he claimed that he attacked T-Mobile because he had been tortured and harassed by the US authorities in relation to cyber crimes of which they accused him.

Prior to his interview, Binns sent a message to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, which was shared on Twitter. In it, he wrote: "The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure". This Turkish thread in Binns's own account is consistent with the Turkey-related activity of SubVirt on RAIDforums.

How can early detection of potential cyber-threats help you detect the next attack?

Dark web monitoring can help you identify any post that mentions an organization or a related entity: leaked databases, as in T-Mobile's case; trade in or discussion of tools and exploits that can be used to penetrate an organization through a third party; weaknesses in the organization's security; and other risks organizations face ahead of the next attack.

As more and more companies of all sizes are hit by data breaches, we see increasing use of brand protection and supply chain analysis to identify threats in real time. Monitoring dark web data is critical for organizations that look to minimize the impact of a security breach by identifying these types of leaks earlier.
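As an added illustration of the kind of monitoring the two paragraphs above describe, the following Python code is example code written for this article, not the Cyber API or any product code. It scans a handful of constructed forum posts (invented ids, dates and wording, not the real RAIDforums posts) for mentions of a watched brand, collects the vocabulary typical of a data-sale offer, and dates each alert from the earliest post in the thread rather than from the post that names the company, because, as in the T-Mobile case, the attribution often arrives in a comment days after the original offer.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample posts: ids, thread numbers, dates and wording are invented
# for this example and are not the real forum posts discussed in the article.
SAMPLE_POSTS = [
    {"id": 101, "thread": 7, "date": "2021-08-11",
     "text": "Selling 124M records: SSN, DOB, driver license. Price 6 BTC. Proof of funds before details."},
    {"id": 102, "thread": 7, "date": "2021-08-12",
     "text": "Re: which company? -- data is from T-Mobile servers, samples in the first post"},
    {"id": 103, "thread": 9, "date": "2021-08-14",
     "text": "30M SSN and DL from tmobile for sale, 6 btc"},
    {"id": 104, "thread": 11, "date": "2021-08-13",
     "text": "Looking for someone to repair my mobile phone screen in Berlin"},
]

# Brand names to watch, with the spelling variants that appear in forum text (assumed list).
BRAND_ALIASES: Dict[str, List[str]] = {
    "T-Mobile": ["t-mobile", "tmobile", "t mobile"],
}

# Vocabulary that marks a post as a leak or data-sale offer rather than idle chatter (assumed list).
BREACH_TERMS = ["ssn", "dob", "driver license", "dl", "database", "dump",
                "records", "btc", "bitcoin", "proof of funds", "samples"]


@dataclass
class Alert:
    thread_id: int
    brand: str
    first_seen: date            # earliest post in the thread, even if it does not name the brand
    mention_post_id: int        # the post that actually names the brand
    indicators: List[str]       # breach-related terms seen anywhere in the thread
    record_count: Optional[int]  # advertised volume, e.g. "124M records" -> 124_000_000


def normalize(text: str) -> str:
    """Lowercase and collapse whitespace so alias matching tolerates spelling variants."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def _whole_word(term: str, norm_text: str) -> bool:
    # Require non-alphanumeric context on both sides so 'mobile' alone never matches 't mobile'.
    return re.search(r"(?<![a-z0-9])" + re.escape(term) + r"(?![a-z0-9])", norm_text) is not None


def find_brand(text: str) -> Optional[str]:
    """Return the watched brand named in the text, or None."""
    norm = normalize(text)
    for brand, aliases in BRAND_ALIASES.items():
        if any(_whole_word(alias, norm) for alias in aliases):
            return brand
    return None


def breach_indicators(text: str) -> List[str]:
    """List the breach-offer terms present in the text."""
    norm = normalize(text)
    return [term for term in BREACH_TERMS if _whole_word(term, norm)]


_COUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*([kmb])(?![a-z])")
_MULTIPLIER = {"k": 1_000, "m": 1_000_000, "b": 1_000_000_000}


def parse_record_count(text: str) -> Optional[int]:
    """Extract an advertised volume such as '124M' as an integer; None if absent.
    The negative lookahead stops '6 btc' from being read as '6 billion'."""
    match = _COUNT_RE.search(normalize(text))
    if not match:
        return None
    return int(float(match.group(1)) * _MULTIPLIER[match.group(2)])


def scan(posts: List[dict]) -> List[Alert]:
    """Flag every thread in which some post names a watched brand.
    The alert is dated from the thread's earliest post, because the sale offer
    frequently precedes the comment that attributes the data to a company."""
    by_thread: Dict[int, List[dict]] = {}
    for post in posts:
        by_thread.setdefault(post["thread"], []).append(post)

    alerts: List[Alert] = []
    for thread_id, thread_posts in by_thread.items():
        thread_posts.sort(key=lambda p: p["date"])
        mention = next((p for p in thread_posts if find_brand(p["text"])), None)
        if mention is None:
            continue
        indicators = sorted({t for p in thread_posts for t in breach_indicators(p["text"])})
        record_count = None
        for p in thread_posts:
            record_count = parse_record_count(p["text"])
            if record_count is not None:
                break
        alerts.append(Alert(thread_id=thread_id, brand=find_brand(mention["text"]),
                            first_seen=date.fromisoformat(thread_posts[0]["date"]),
                            mention_post_id=mention["id"], indicators=indicators,
                            record_count=record_count))
    alerts.sort(key=lambda a: a.first_seen)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_POSTS):
        print(alert)
```

Run as-is, the scan reports two threads: thread 7 is dated August 11 although the company is only named in the August 12 comment, and thread 9 is dated August 14. The post about a phone screen is ignored because "mobile" on its own is not a whole-word match for any alias. In a real deployment the alias list and the breach vocabulary would be tuned per organization, and the alert would be routed to the incident and communications teams rather than printed.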

Taking T-Mobile as an example, it has been widely reported that the company had been attacked multiple times in the past. Even though previous attacks did not have the same impact as the latest one, a short search in our API shows how many T-Mobile databases were published in the past, which indicates that there are several weaknesses in T-Mobile's cyber security. Some of them, like the one below, can be downloaded for free:

An old post offering some T-Mobile database for free

How can dark web monitoring help an organization? The answer is – in many ways. It gives an organization the opportunity to prepare its media crisis communication plan from day zero. It can help organizations educate employees and customers about the importance of changing their passwords before leaked data can be abused. In other cases, such as leaked credentials, early detection can help organizations take action to reduce the abuse of the leaked information, for example by disabling credit cards once card details have leaked, and help brands avoid financial damage such as customer refunds.

Want to learn more about how you can detect and mitigate cyber threats with dark web data? Contact our experts today!