Microsoft Says Lapsus$ Hackers Had “Limited Access” to Source Code

Microsoft confirmed yesterday that the Lapsus$ hacker group, which previously claimed to have stolen 37 GB of Microsoft source code, did manage to breach the company’s security system and steal some data. Other companies including Ubisoft, Samsung, Nvidia, and Okta have also been targeted by the same hacker group, which has been in Microsoft’s crosshairs for quite some time.

“The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$,” Microsoft explained yesterday. “DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors.”

According to Microsoft, the Lapsus$ hackers only got “limited access” to the company’s data by hacking into a single account, and the Redmond giant says that it took action to interrupt the hack as soon as it became aware of it. Microsoft said that the hackers did not get their hands on customer code or data, though the company is still recommending that its customers follow some steps to improve security.

Although the Lapsus$ hackers claimed to have stolen code from Cortana and Bing, Microsoft didn’t go into detail about what the hackers actually had access to. You can find Microsoft’s full explanation of what happened below:

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

As Microsoft is still investigating the most recent attacks from this hacker group, the company invites its customers to implement multifactor authentication in a secure way, which means not using weak MFA factors such as text messages or secondary email addresses. The company also recommends improving awareness of social engineering attacks and educating employees about help desk verification practices.

Thurrott © 2024 Thurrott LLC