Following reports that the hacking group Lapsus$ exfiltrated 37GB of Microsoft source code, Microsoft has confirmed that yes, they have been hacked.
In a new security blog post, Microsoft detailed that while they had been hacked by the Lapsus$ group, who seem to be going after everybody these days, the breach in security “does not lead to elevation of risk,” as the company “does not rely on the secrecy of code as a security measure.”
In their report, Microsoft detailed how the Lapsus$ hacking group gained “limited access” by compromising a single account. Prior to Lapsus$ making their presence known and bragging about their attack on Telegram, the tech giant states that they were hot on the hackers’ heels, as they were “already investigating the compromised account based on threat intelligence.”
Microsoft also states in their security report that “no customer code or data was involved in the observed activities,” so there shouldn’t be any cause for concern as an end-user.
Microsoft Security has been tracking criminal actor DEV-0537 (LAPSUS$) targeting organizations with data exfiltration and destructive attacks – including Microsoft. Analysis and guidance in our latest blog: https://t.co/gTMXJCoPY5
— Microsoft Security (@msftsecurity) March 22, 2022
Throughout their report, Microsoft also details the tactics the Lapsus$ group uses to gain access to their targets’ systems. It’s claimed that the group primarily uses social engineering-based attacks to exploit the human element within security systems.
“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”
While Microsoft has yet to be publicly met with demands from the Lapsus$ group, the company’s Threat Intelligence Center states that Lapsus$’s goal when attacking companies is to “gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”