Microsoft has confirmed it was at least partially compromised by hacking group Lapsus$, saying it interrupted the attack in progress.
Lapsus$ is an extortion group that operates somewhat differently than most ransomware crews. Rather than compromising a system and installing a ransomware payload, the group tries to steal source code and intellectual property, and then threatens to release it if a ransom is not paid. The group claimed to have compromised Microsoft, saying it made off with source code for Bing, Bing Maps, and Cortana.
In a blog post, Microsoft says it interrupted DEV-0537 (Microsoft’s codename for Lapsus$) mid-operation.
This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
Microsoft has been monitoring Lapsus$ for some time, and has noted the group's ability to prey on the interconnected nature of modern systems: access gained at one organization is used to reach its partners and suppliers.
Early observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of wallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America. More recent campaigns have expanded to include organizations globally spanning a variety of sectors. Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies–to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.