Microsoft could be the latest victim of prolific hacking gang Lapsus$, with the tech giant investigating claims that the group has stolen data from its Azure cloud platform. Lapsus$ has been targeting the biggest names in tech recently, with Samsung and Nvidia among the companies breached. This came days after a post by Lapsus$ aiming to recruit employees from large companies – including Microsoft – to provide it with data.
Lapsus$ posted a screenshot of alleged internal Azure source code repositories to a chat on Telegram on Sunday, indicating they had hacked Microsoft’s Azure DevOps server. A screenshot appears to show an Azure DevOps repository containing source code for Microsoft’s virtual assistant Cortana and several projects relating to its Bing search engine. The post was taken down minutes later and replaced with the message, “deleted for now, will repost later”.
A Microsoft spokesman said the company is “aware of the claims and [is] investigating” the incident.
Who are Lapsus$?
Specialising in data extortion, Lapsus$ first came to prominence through hacks on the Brazilian health ministry and Portugal’s Impresa media outlets last year. It has since targeted global tech companies like Nvidia and Samsung, and last Thursday French gaming publisher Ubisoft confirmed it was investigating a cybersecurity incident, widely thought to be the work of the gang.
“As a precautionary measure, we initiated a company-wide password reset… There is no evidence any player personal information was accessed or exposed as a by-product of this incident,” a Ubisoft statement read. Lapsus$ appeared to claim credit for the breach the next day by posting a link to an article detailing the hack with a smirking face emoji to its Telegram channel.
Some threat analysts believe that the group’s success could be because it is made up of extremely experienced cybercriminals. Researchers at Searchlight Security say there is speculation that some of its members have been active in the cybercrime community for a while, including selling zero-day exploits and running a site dedicated to leaking individuals' personal information.
The recent explosion of activity by Lapsus$ is likely to have attracted the attention of law-enforcement agencies, which could mean its moment in the spotlight will be short-lived. “As Lapsus$ has conducted its criminal activity in such a public manner – specifically via non-dark web channels such as Telegram – it is likely the rapid pace of its attacks will be stalled at some point, due to either law enforcement or private sector counter-measures,” says a threat analyst who has been tracking the group’s progress closely, and spoke to Tech Monitor on condition of anonymity.
Is the Lapsus$ Microsoft breach genuine?
Security experts are divided as to whether the Microsoft attack is genuine. “Lapsus$ has pulled off these types of confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre. So, the attack on Microsoft is likely to be genuine,” argues Chris Hauk, consumer privacy champion at security firm Pixel Privacy.
However, Toby Lewis, global head of threat analysis at security company Darktrace, is more circumspect. “Beyond the – albeit alarming – screenshot of an internal developer dashboard, there has not been any further evidence of a hack,” he says. “Lapsus$ has breached major organisations in the past, so it is not out of the question that this was indeed a successful hack, but the screenshot provides us with very little information.”
Did Lapsus$ get inside help to breach Microsoft?
The alleged Microsoft hack comes days after Lapsus$ posted a recruitment ad looking for employees at global companies, including Microsoft. The Telegram post reads: “We recruit employees/insider at the following: any company providing telecommunications, large software/gaming corporations (Microsoft, Apple, EA, IBM and other similar). Call centre/BPM, server hosts.” At the bottom, there is a note in bold and in capitals that says, “We are not looking for data, we are looking for the employee to provide us a VPN or Citrix to the network.” The threat analyst who has been tracking Lapsus$ says: “While there is no evidence to suggest this pitch has yet been successful, [employee involvement] is entirely possible, given the direct reference to Microsoft in the group’s recruitment pitch.”