The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung and more this week claimed it even hacked Microsoft† The group placed a file it believes contains partial source code for Bing and Cortana in an archive containing nearly 37 GB of data.
On Tuesday evening, after investigating, Microsoft confirmed the group that compromised DEV-0537 calls “a single account” and has stolen portions of the source code for some of its products. A blog post on the security site says Microsoft researchers have been following the Lapsus$ group for weeks, describing some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “The goal of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and Objectives point out that this is a cyber criminal motivated by theft and destruction.”
Microsoft argues that the leaked code is not serious enough to pose an increased risk, and that the response teams took out the hackers halfway through the operation.
Lapsus$ has been in tears lately, if we are to believe the claims. The group says it has had access to data from Okta, Samsung and Ubisoft, as well as Nvidia and now Microsoft. While companies like Samsung and Nvidia have admitted that their data has been stolen, Okta has challenged the group’s claims that it has access to its authentication service, claiming that “the Okta service has not been breached and remains fully operational.”
This week, the actor made public claims that they had accessed Microsoft and exfiltrated portions of its source code. The observed activities do not involve customer code or data. Our investigation revealed that one account was hacked, allowing restricted access. Our cybersecurity response teams acted quickly to recover the compromised account and prevent further activity.
Microsoft does not rely on code secrecy as a security measure, and viewing source code does not increase the risk. The tactics that DEV-0537 uses in this intrusion mirror the tactics and techniques discussed in this blog. Our team was already investigating the hacked account based on threat intelligence when the actor made their break-in public. This public disclosure escalated our action allowing our team to step in and interrupt the actor midway through surgery, limiting its wider impact.
This isn’t the first time Microsoft has claimed it assumes attackers can access the source code — it said the same thing after the Solarwinds attack. Lapsus$ also claims it only got about 45 percent of the code for Bing and Cortana, and about 90 percent of the code for Bing Maps. The latter feels like a less valuable target than the other two, even if Microsoft was concerned that the source code would expose vulnerabilities.
In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods such as text messages or secondary email, and notifying team members. about the potential for social engineering attacks , and creating processes for possible responses to Lapsus$ attacks. Microsoft also says it will continue to monitor Lapsus$ and monitor any attacks against Microsoft customers.