Microsoft responds to Lapsus$ hack, says customer code or data was not involved

Kevin Okemwa


At the beginning of the week, there were some indications suggesting that some hackers had managed to compromise some of Microsoft’s DevOps accounts. The hacker group Lapsus$ took responsibility for this attack and even released a screenshot on Telegram to support their claim and affirm that they were indeed the ones behind the hit.

The same hackers are also allegedly behind Ubisoft’s and Samsung’s attacks. A couple of days ago, the hackers leaked a torrent containing the source code of over 250 projects, which they claimed to be Microsoft’s.

And now, Microsoft through a blog post addressed the issue and confirmed that the hacker group known as DEV-0537 was able to compromise their systems. Only a single account was breached by the hackers, which granted them limited access, however, the attack was quickly mitigated by the cybersecurity team to prevent further damage.

Microsoft maintains that no customer code or data was accessed by the hackers based on the investigations that they had carried out. Lapsus$ leveraged their social engineering skills to get the information they required from business operations they had targeted. Such practices include spamming a target user with multifactor authentication (MFA) prompts and even calling the organization’s help desk to reset a target’s credentials.

Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.

Through investigation, Microsoft notes that the hacker group was initially after gaining control of personal accounts. Once they got access they would use these accounts to gather as much information as they could which would in return allow them to tap into corporate systems. Lapsus$ also lured some employees from some organizations by putting out advertisements where they were looking to recruit individuals who were willing to give out these credentials, and in return, they would get paid.

Based on our observation, DEV-0537 has dedicated infrastructure they operate in known virtual private server (VPS) providers and leverage NordVPN for its egress points. DEV-0537 is aware of detections such as impossible travel and thus picked VPN egress points that were geographically like their targets. DEV-0537 then downloaded sensitive data from the targeted organization for future extortion or public release to the system joined to the organization’s VPN and/or Azure AD-joined system.

As such, Microsoft is putting in place elaborate measures that will help cushion users from such attacks and provides a summary of safe practices that will help enhance their security. Some of the key practices include strengthened MFA implementation, leveraging modern authentication options for VPNs, and improving awareness of social engineering attacks among others.