The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung, and more, this week claimed it has even hacked Microsoft. The group posted a file that it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.
On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”
“Microsoft does not rely on the secrecy of code as a security measure”
Microsoft maintains that the leaked code is not severe enough to cause an elevation of risk, and that its response teams shut down the hackers mid-operation.
Lapsus$ has been on a tear recently if its claims are to be believed. The group says it’s had access to data from Okta, Samsung, and Ubisoft, as well as Nvidia and now Microsoft. While companies like Samsung and Nvidia have admitted their data was stolen, Okta pushed back against the group’s claims that it has access to its authentication service, claiming that “The Okta service has not been breached and remains fully operational.”
This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
This isn’t the first time Microsoft’s claimed it assumes attackers will access its source code — it said the same thing after the Solarwinds attack. Lapsus$ also claims that it only got around 45 percent of the code for Bing and Cortana, and around 90 percent of the code for Bing Maps. The latter feels like a less valuable target than the other two, even if Microsoft was worried about its source code revealing vulnerabilities.
In its blog post, Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using “weak” multifactor authentication methods like text messages or secondary email, educating team members about the potential for social engineering attacks, and creating processes for potential responses to Lapsus$ attacks. Microsoft also says that it’ll keep tracking Lapsus$, keeping an eye on any attacks it carries out on Microsoft customers.