Microsoft confirms breach, attributes attack to Lapsus$

Microsoft was breached by emerging threat group Lapsus$, the tech giant confirmed in a blog post Tuesday evening.

Reports of a Microsoft breach began Monday when Lapsus$ posted screenshots of supposed internal software repositories at Microsoft. When SearchSecurity contacted Microsoft for a statement Monday, the vendor said it was aware of Lapsus$'s claims and was investigating.

Microsoft's Tuesday evening blog post acts as a general overview of Lapsus$ -- tracked by the vendor as DEV-0537 -- but includes confirmation of a breach toward the bottom of the page. The post claimed "no customer code or data was involved in observed activities" and that only limited access was granted via a single compromised account.

"Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," the post read.

While Microsoft's blog did not explicitly say source code had been stolen, the post appeared to suggest it.

"This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code," Microsoft said. "Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk."

SearchSecurity contacted Microsoft for clarification on the source code theft. A Microsoft spokesperson said the company had "nothing further to share at this time."

Microsoft similarly referred to not relying on the secrecy of source code when the company was breached by Nobelium, a Russian state-sponsored threat group, during the SolarWinds supply chain attacks in late 2020.

According to the vendor, Microsoft's team was "already investigating" the compromised account when Lapsus$ took credit for the breach. "This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact," the post read.

Lapsus$ is a newer extortion actor believed to be based in South America. Microsoft said the gang "is known for using a pure extortion and destruction model without deploying ransomware payloads" and utilizes several tactics "less frequently used by other threat actors tracked by Microsoft."

"Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets," Microsoft said.

The gang previously took credit for breaches against Samsung, Nvidia and Okta. Like with Microsoft, Lapsus$ publicly took credit for hacking into all three companies shortly before said companies confirmed breaches had occurred.

Microsoft's post provides additional context regarding the "public" nature of Lapsus$.

"Unlike most activity groups that stay under the radar, DEV-0537 doesn't seem to cover its tracks," the post read. "They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations."

Lapsus$ targets organizations globally in sectors including government, healthcare, media, retail, technology and telecom. Microsoft said the group is known to hack individual cryptocurrency exchange accounts in order to drain victims of their holdings.

Alexander Culafi is a writer, journalist and podcaster based in Boston.