UPDATE--Microsoft said that an account had been compromised, "granting limited access," after the Lapsus$ group claimed that it leaked source code for the Bing search engine, Bing Maps and the Cortana virtual assistant.
The reported 37GB of files were leaked Monday on the private Telegram channel of Lapsus$. Chris Morgan, senior cyber threat intelligence analyst with Digital Shadows, said that the reported breach of Microsoft’s source code “appears serious.” The exfiltrated data reportedly includes public and private keys, certificates, and other large volumes of code, he said.
“The significance of this breached data will likely be determined in the coming weeks and months, with Lapsus$ themselves also unlikely to have had the time to process and understand all of the data they have stolen,” said Morgan. “A breach of source code can be severe for a technology company, potentially allowing threat actors to gain an inside look at important intellectual property, system code and other proprietary data.”
The first inkling of the leak came when the group posted a screenshot on its private Telegram channel on Sunday that showed an Azure DevOps repository with multiple Cortana and Bing projects. Microsoft on Tuesday said that its team was already investigating the compromised account when the actor publicly disclosed the intrusion. No customer code or data was involved in the observed activities, said the company.
“Our investigation found an account had been compromised, granting limited access,” a Microsoft spokesperson said. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”
However, the leaked internal source code appears to be legitimate, according to multiple security researchers.
“In theory, the source code could make it easier for vulnerabilities to be found; however, the potential for the misuse of API keys, code signing certificates and other items that may have been obtained probably represents a greater risk,” said Brett Callow, threat analyst with Emsisoft. “For example, the certificates which were leaked after Lapsus$ hacked Nvidia were quickly used by other threat actors to sign malicious code.”
The alleged source code leak comes the same week that Lapsus$ claimed they had targeted identity and access management company Okta. Okta, for its part, said it is investigating the claims, while CEO Todd McKinnon on Twitter acknowledged that an attempt to compromise the account of a third-party customer support engineer had occurred in late January. On Monday, Lapsus$ also claimed it had targeted electronics company LG Electronics for the second time in a year (an LG spokesperson said that the company is currently investigating these claims).
Lapsus$: An 'Unorthodox' Threat Group
Lapsus$ only just emerged last year, with Mandiant researchers first noticing activity by the group on underground forums in July 2021. Since then, the group has widened its targeting with the compromises of the Brazilian Ministry of Health, South American telecommunications organizations and Portuguese media companies.
Joshua Shilko, senior principal analyst at Mandiant, said based on incidents that researchers have observed, Lapsus$ appears to rely on stolen credentials, and has used publicly available tooling and publicly available malware. However, Lapsus$ is “unorthodox” in that the group is “a bit noisy” and doesn’t follow the typical post-intrusion framework, he said.
The group is known for extorting its victims by threatening to leak companies’ sensitive data unless they pay up; however, “it doesn’t always seem to be just about money to them,” said Shilko. For instance, after targeting Nvidia, Lapsus$ asked the company to remove its lite hash rate (LHR) feature, meant to limit Ethereum mining capabilities in certain products; and also asked Nvidia to open-source its GPU drivers for macOS, Windows and Linux devices.
“In spite of those things, ultimately they’ve been successful in getting access to these large, well-resourced companies,” said Shilko.
The group is also unique in that it communicates with the public via a private Telegram channel, as opposed to the more traditional avenue of a data leak website that is preferred by many other cybercrime groups, said Morgan.
“Abusing a legitimate tool like Telegram ensures that Lapsus$’ data leak channel on the service will likely see minimal disruption, and that their victims’ identities can be exposed to anyone with an internet connection,” said Morgan. “Lapsus$ also runs polls on their data leak channel, providing members with the ability to decide whose data should be breached next; among cyber extortion groups, few also involve their followers or the public in such a direct manner.”
This article was updated on March 22 to reflect a new statement by Microsoft acknowledging that an account was compromised.