Microsoft Investigating Claim of Breach by Extortion Gang

Microsoft is investigating claims that an extortion-focused hacking group that previously compromised massive companies such as Ubisoft and Nvidia has gained access to internal Microsoft systems, according to a statement from the company.

The hacking group, which goes by the self-designated name LAPSUS$, has successfully breached a wave of corporations recently. LAPSUS$ sometimes makes unusual ransom demands of its victims, including asking Nvidia to unlock aspects of its graphics cards to make them more suitable for mining cryptocurrency. The group has so far not made any public demands against Microsoft.

On Sunday, LAPSUS$ posted a screenshot of what appeared to be an internal Microsoft developer account to their Telegram channel. The screenshot appeared to be from an Azure DevOps account, a product that Microsoft offers that allows developers to collaborate on projects. Specific projects shown in the screenshot include “Bing_UX,” potentially referring to the user experience of Microsoft’s Bing search engine; “Bing-Source,” indicating access to the source code of the search engine; and “Cortana,” Microsoft’s smart assistant. Other sections include “mscomdev,” “microsoft,” and “msblox,” indicating whoever took the screenshot may have access to other code repositories as well.

Shortly after posting the screenshot, an administrator of LAPSUS$’s Telegram channel deleted the image.

“Deleted for now will repost later,” they wrote.

On Sunday, a Microsoft spokesperson told Motherboard in an email that “We are aware of the claims and are investigating.”

Earlier this month the group said on its Telegram channel that it was seeking employees inside companies who would be willing to work with them, including Microsoft.

“We recruit employees/insider at the following!!!!,” the group wrote on March 10, followed by a list of sectors such as telecommunications firms, large software or gaming companies, or data hosts. In the message, the group explicitly pointed to Apple, IBM, and Microsoft as companies they would be interested in. “TO NOTE: WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk,” the message added, describing particular ways that the hackers may be able to access target companies’ networks with the rogue employee’s help.

Since December, the group has breached the Ministry of Health of Brazil, a slew of Brazilian and Portuguese companies, and then Nvidia and Samsung in February and March respectively, according to a timeline of LAPSUS$ attacks published by cybersecurity firm Silent Push. The group also seemingly took credit for breaching Ubisoft this month.

During some of its attacks, the group made a demand of payment in exchange for not leaking internal data it had stolen from the victims. In the NVIDIA case, the hackers demanded that the company open source its GPU drivers and remove a limitation on its 30-series cards around mining Ethereum, The Verge reported at the time. On its Telegram group, LAPSUS$ also claimed that NVIDIA, or someone working on its behalf, hacked back the attacks and tried to in turn encrypt the stolen material. The group ended up leaking some NVIDIA data as well as data stolen from Samsung.

LAPSUS$ may have also been responsible for hacking gaming giant Electronic Arts, although the hackers didn’t use the LUPSUS$ name until after Motherboard revealed that breach last June. In a later post on an underground forum, a user wrote “the real credits are for LAPSUS$, we will leak a lot more stuff.”

In an email to Motherboard, Stefano De Blasi, cyber threat research analyst at cybersecurity firm Digital Shadows, pointed to two things that make LAPSUS$ different from your common extortion gang. First, the group has never actually deployed ransomware, instead exfiltrating data and using that to blackmail the target. This allows the group to move more stealthily, De Blasi said. De Blasi also pointed to LAPSUS$'s interactive presence on Telegram, and specifically that the group messages with its followers. 

Motherboard previously reported that hackers were able to gain access to the contents of MSN, Hotmail, and Outlook users’ email inboxes after abusing access to a customer support portal.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.