March 21, 2022 (updated 21 Aug 2023 3:31pm)

Is Microsoft the latest tech giant to be breached by Lapsus$?

The hacking gang appears to have struck another tech giant, days after it posted a "recruitment advert" for Microsoft insiders.

By Claudia Glover

UPDATE 23/03/22: Microsoft has confirmed that it was breached by Lapsus$ and published its analysis of the group’s tactics.

Microsoft could be the latest victim of prolific hacking gang Lapsus$, with the tech giant investigating claims that the group has stolen data from its Azure cloud platform. Lapsus$ has been targeting the biggest names in tech recently, with Samsung and Nvidia among the companies breached. This came days after a post by Lapsus$ aiming to recruit employees from large companies – including Microsoft – to provide it with data.


Lapsus$ posted a screenshot of alleged internal Azure source code repositories to a chat on Telegram on Sunday, indicating they had hacked Microsoft’s Azure DevOps server. A screenshot appears to show an Azure DevOps repository containing source code for Microsoft’s virtual assistant Cortana and several projects relating to its Bing search engine. The post was taken down minutes later and replaced with the message, “deleted for now, will repost later”.

A Microsoft spokesman said the company is “aware of the claims and [is] investigating” the incident.

Who are Lapsus$?

Specialising in data extortion, Lapsus$ first came to prominence through hacks on the Brazilian health ministry and Portugal’s Impresa media outlets last year. It has since targeted global tech companies like Nvidia and Samsung, and last Thursday French gaming publisher Ubisoft confirmed it was investigating a cybersecurity incident, widely thought to be the work of the gang.

“As a precautionary measure, we initiated a company-wide password reset… There is no evidence any player personal information was accessed or exposed as a by-product of this incident,” a Ubisoft statement read. Lapsus$ appeared to claim credit for the breach the next day by posting a link to an article detailing the hack with a smirking face emoji to its Telegram channel.


Some threat analysts believe that the group’s success could be because it is made up of extremely experienced cybercriminals. Researchers at Searchlight Security say there is speculation that some of its members have been active in the cybercrime community for a while, including selling zero-day exploits and running a site dedicated to leaking individuals' personal information.

The recent explosion of activity by Lapsus$ is likely to have attracted the attention of law-enforcement agencies, which could mean its moment in the spotlight will be short-lived. “As Lapsus$ has conducted its criminal activity in such a public manner - specifically via non-dark web channels such as Telegram - it is likely the rapid pace of its attacks will be stalled at some point, due to either law enforcement or private sector counter-measures," says a threat analyst who has been tracking the group's progress closely, and spoke to Tech Monitor on condition of anonymity.

Is the Lapsus$ Microsoft breach genuine?

Security experts are divided as to whether the Microsoft attack is genuine. “Lapsus$ has pulled off these types of confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre. So, the attack on Microsoft is likely to be genuine," argues Chris Hauk, consumer privacy champion at security firm Pixel Privacy.

However, Toby Lewis, global head of threat analysis at security company Darktrace, is more circumspect. “Beyond the – albeit alarming – screenshot of an internal developer dashboard, there has not been any further evidence of a hack," he says. "Lapsus$ has breached major organisations in the past, so it is not out of the question that this was indeed a successful hack, but the screenshot provides us with very little information.”

Did Lapsus$ get inside help to breach Microsoft?

The alleged Microsoft hack comes days after Lapsus$ posted a recruitment ad looking for employees at global companies, including Microsoft. The Telegram post reads: “We recruit employees/insider at the following: any company providing telecommunications, large software/gaming corporations (Microsoft, Apple, EA, IBM and other similar). Call centre/BPM, server hosts.” At the bottom, there is a note in bold and in capitals that says, “We are not looking for data, we are looking for the employee to provide us a VPN or Citrix to the network.” The threat analyst who has been tracking Lapsus$ says: "While there is no evidence to suggest this pitch has yet been successful, [employee involvement] is entirely possible, given the direct reference to Microsoft in the group’s recruitment pitch.”
