Microsoft confirms breach by Lapsus$ hacker group

Microsoft has confirmed that the hacker group Lapsus$ breached its security system, after the digital extortion gang claimed credit earlier this week.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” Microsoft disclosed in a blog post late Tuesday night. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Microsoft said in the post that Lapsus$, also known as DEV-0537, had breached one account, resulting in “limited access” but not to the data of any of the tech giant’s customers.

Lapsus$, a South American hacking group that has been linked to data breaches at Samsung and Ubisoft, on Monday posted a file online containing partial source code from Microsoft’s Bing, Bing Maps and Cortana.

“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” the company wrote.

According to Microsoft, Lapsus$ targets cryptocurrency accounts to steal wallets and funds. “As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America,” the company wrote.

Lapsus$ also claimed credit for compromising digital identity management firm Okta, which also confirmed the breach after the hacker gang released screenshots of its internal network.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement that also was released Tuesday evening. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Microsoft revealed in its blog post that it had observed Lapsus$ seeking to recruit employees to help their hacking efforts – giving more insight into how the group operates.

“[Lapsus$] advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation,” Microsoft wrote in its blog post. “For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system.”

Microsoft included a screenshot of a Lapsus$ ad specifically seeking access via employees and insiders at telecom companies, software/gaming corporations and call centers.