Microsoft Investigates After Lapsus$ Hack Claim

Microsoft could be the latest victim to have suffered a highly damaging hack from Brazilian-based hacking group Lapsus$.

Motherboard reported that the extortion-focused hackers over the weekend had posted a screenshot that appeared to show access to internal Microsoft systems.

However there were no public demands from the group, and Microsoft said it is investigating the reports.

Microsoft hack?

According to Motherboard, Lapsus$ on Sunday morning posted a screenshot of what appeared to be an internal Microsoft developer account to its Telegram channel.

The screenshot appeared to be from an Azure DevOps account, a product that Microsoft offers that allows developers to collaborate on projects.

Specific projects shown in the screenshot include “Bing_UX,” potentially referring to the user experience of Microsoft’s Bing search engine; “Bing-Source,” indicating access to the source code of the search engine; and “Cortana,” Microsoft’s smart assistant.

Motherboard reported that other sections include “mscomdev,” “microsoft,” and “msblox,” indicating whoever took the screenshot may have access to other code repositories as well.

Shortly after posting the screenshot, an administrator of Lapsus$’s Telegram channel deleted the image.

“Deleted for now will repost later,” they reportedly wrote.

On Sunday, a Microsoft spokesperson told Motherboard in an email that “We are aware of the claims and are investigating.”

37GB of Data

But worse was to follow on Monday night however, when BleepingComputer reported that Lapsus$ had posted a torrent for a 9GB 7zip archive containing the source code of over 250 projects that they allege belongs to Microsoft.

When posting the torrent, Lapsus$ said it contained 90 percent of the source code for Bing and approximately 45 percent of the code for Bing Maps and Cortana.

Even though they say only some of the source code was leaked, BleepingComputer was told that the uncompressed archive contains approximately 37GB of source code allegedly belonging to Microsoft.

This could be extremely damaging if true.

Extortion motivation

The Brazilian-based extortionist group has been making a name for itself of late.

It’s use of Telegram to promote its presence is noteworthy, including its apparent tactical decision to not opt for the traditional ransomware approach, where the gang encrypts a victim’s data before demanding a ransom.

Instead of encrypting the data, the group just threatens to leak information it has already stolen unless the victim sends it money.

And the Lapsus$ group has sought to gain the services of disgruntled tech staff.

Motherboard reported that the gang on its Telegram channel earlier this month said it was seeking staff inside companies who would be willing to work with them. This included staff at Microsoft.

“We recruit employees/insider at the following!!!!,” the group wrote on 10 March, followed by a list of sectors such as telecommunications firms, large software or gaming companies, or data hosts.

In the message, Motherboard said the group explicitly pointed to Apple, IBM, and Microsoft as companies they would be interested in.

“TO NOTE: WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk,” the message added.

Notable hacks

To date Lapsus$ has achieved some notable scalps in a short period of time.

In December it breached the Ministry of Health of Brazil, as well as number of Brazilian and Portuguese companies including the Portuguese media company Impresa, and South American telecoms Claro and Embratel.

In February Lapsus$ hacked GPU powerhouse Nvidia and released a 20GB document archive of 1TB of data stolen from the GPU designer. Nvidia confirmed that a cyber attacker had leaked employee credentials and some company proprietary information online after their systems were breached.

In February, Vodafone’s Portuguese unit was hit with a cyberattack that disrupted its services. Vodafone said at the time that customers’ personal data had not been compromised.

But that attack was so serious that Vodafone Portugal’s 4G/5G mobile networks were taken down, as was SMS texts, television services, answering services, and even fixed-line voice.

This month Vodafone revealed it was working with law enforcement to investigate hacking claims made by Lapsus$.

Lapsus$ also claimed responsibility earlier this month for the data breach of South Korean electronics giant Samsung, which resulted in the theft of 190GB of data.

The group also seemingly took credit for breaching Ubisoft this month.

Significant, if true

The Microsoft hack has prompted a quick response from Jake Moore, global cyber security advisor at ESET.

“If legitimate, this latest breach could be the most significant of all the recent Lapsus$ attacks,” said Moore.

“The potential of threat actors compromising one of the biggest names in technology would represent a significant moment,” said Moore. “This group are currently very active and sophisticated and likely to be sending panic waves among other big businesses.”