It seems that Microsoft has become the latest victim of the notorious cyber extortion group known as Lapsus$ following a data breach. Microsoft has yet to confirm any details as the company is currently investigating this matter.
The possibility of a data breach was suggested over the weekend when a screenshot of an internal developer account was leaked on the Telegram channel belonging to Lapsus$. The screenshot in question is of an internal Azure DevOps account, which Microsoft software developers use to collaborate on projects. Some notable projects that can be identified are “Bing_UX,” “Bing-Source,” and “Cortana.” For those unfamiliar, Bing is Microsoft’s search engine, while Cortana is the company’s virtual assistant, similar to Siri.
Other projects were more obscure, such as “mscomdev,” “microsoft,” and “msblox.” The key takeaway is that whoever took the screenshot had access to multiple projects.
However, the screenshot has since been removed from the Telegram channel, presumably by the channel moderator. After that, a message that reads “Deleted for now will repost later” was shared to channel followers. Since the data breach, Lapsus$ has yet to make any public demands against Microsoft.
Motherboard, a technology publication, reached out to Microsoft via email for comment on Sunday. A spokesperson replied, “We are aware of the claims and are investigating.”
Coincidentally, the data breach comes after Lapsus$ posted “job vacancies” on its Telegram channel on the 10th of March. The advertisement read “We recruit employees/insider at the following!!!!” and included a list of telecommunication firms, large software or gaming companies, and data hosts. The extortion gang specifically highlighted Apple, IBM and Microsoft as companies of interest.
The posting ended by clarifying that they weren’t looking for data, but for rogue employees who could help them gain access to company servers via VPN or Citrix.
Stefano De Blasi, a cyber threat research analyst at cybersecurity firm Digital Shadows, told Motherboard that Lapsus$ operates unlike any other cyber extortion gang. Commonly, a cyber extortion gang deploys ransomware that encrypts the company’s data, blocking access to it; if the company meets the gang’s demands, access is restored.
Lapsus$ differs from this by actually stealing confidential data and threatening to release it if their demands are not met.
This observation was made based on the gang’s previous targets. In February 2022, Lapsus$ hacked its way into Nvidia’s internal servers and stole confidential information. The Verge reported that the gang demanded Nvidia make its GPU drivers open-source and remove a restriction on its 30-series graphics cards that affected Ethereum mining.
The following month, the extortion gang targeted Samsung, stealing source code for trusted applets installed in Samsung’s TrustZone environment, algorithms for biometric unlock operations, and bootloader source. It was also believed that the gang obtained sensitive data belonging to Qualcomm. However, it’s still unknown whether any demands were made in exchange for the stolen data.