This week, the hacking group Lapsus$ claimed to have hacked Microsoft. The group posted a file that it claimed contained partial source code for Bing and Cortana.
Microsoft confirmed that the group, which it calls DEV-0537, compromised a single account and stole parts of the source code for some of its products. Microsoft investigators have been tracking the Lapsus$ group for weeks and have described some of the methods it has used to compromise victims. According to the Microsoft Threat Intelligence Center, the goal of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. The group is a cybercriminal actor motivated by theft and destruction.
“Microsoft does not rely on the secrecy of code as a security measure”
According to Microsoft, the leaked code is not severe enough to cause an elevation of risk.
If its claims are to be believed, Lapsus$ has been on a tear recently. The group says it has access to data from Okta and other companies. Okta pushed back against the group's claim that it has access to the Okta service, saying that the service has not been breached and remains fully operational.
Microsoft:
This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.
This isn't the first time Microsoft has claimed that attackers will be able to access its source code. Lapsus$ claims that it only got 45 percent of the code for Bing, and 90 percent of the code for Bing Maps. Even if Microsoft were worried about its source code revealing vulnerabilities, the latter feels like a less valuable target.
Microsoft outlines a number of steps other organizations can take to improve their security, including requiring multifactor authentication, not using weak passwords, and educating team members about the potential for social engineering. Microsoft will keep an eye on any attacks the group carries out on Microsoft customers.