Microsoft was indeed hacked by the South American hacker crew Lapsus$, the software giant admitted in a blog post (opens in new tab) and lengthy analysis yesterday (March 22).
"Our investigation has found a single account had been compromised, granting limited access," Microsoft said. "No customer code or data was involved in the observed activities."
As for whether this intrusion, which resulted in the theft of an alleged 37 GB of source code pertaining to Bing, Bing Maps and Cortana, would compromise the security of Microsoft software or customers, the company firmly denied it. (On March 24, a new report said that Lapsus$ was led by a 16-year-old from England and a Brazilian teenager.)
Any risk to you? Nope, says Microsoft
"Microsoft does not rely on the secrecy of code as a security measure," the blog post said, "and viewing source code does not lead to elevation of risk."
Of course, that's what you would expect a hacked company to say. And there's certainly some skepticism online about Microsoft's insistence that this was no big deal.
“We were not hacked.”“There was a hacking attempt.”“We were hacked, but it doesn't matter.”“2.5% of you were hacked.”“Getting hacked is actually good.”“I’m glad we were hacked.”March 23, 2022
We're inclined to give Microsoft the benefit of the doubt here, but you can bet that security experts will be going over the stolen code that Lapsus$ posted online to see if there's any way that it can be exploited. (The source code for Windows, Office and other desktop software does not appear to have been part of the stolen data.)
Until we learn more, we would urge you to keep all your Microsoft software updated and maintain other security "best practices" such as using one of the best password managers and one of the best antivirus programs.
How did the hackers get in?
Microsoft didn't say exactly how Lapsus$, which Microsoft calls "DEV-0537," got into its systems. But it did provide a long and interesting analysis of Lapsus$'s methods and goals, which are unusual.
Unlike other criminal groups, Microsoft noted, Lapsus$ likes to make a lot of noise and acts as if media attention matters more than money.
"DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads," the company said. The goal "is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization."
The crew has its own public Telegram channel where it announces hacks and refutes claims by hacked organizations, e.g. a point-by-point rebuttal yesterday of identity-management firm Okta's analysis of its own Lapsus$ hack.
Last month, Lapsus$ attacked graphics-card maker Nvidia and demanded that the company provide driver software to permit easier mining of cryptocurrency.
Confidence tricks and payoffs
We have to confess a grudging admiration for Lapsus$, which seems to able to pull off very high-profile data breaches — Samsung has also been hacked — without using sophisticated malware or spy-movie techniques. Instead, Lapsus$ relies on old-fashioned bribery and trickery and an understanding of human nature.
"Their tactics include phone-based social engineering," such as convincing help-desk personnel to reset passwords, Microsoft wrote.
Other Lapsus$ methods include "SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets."
Once Lapsus$ gets into a targeted organization, Microsoft added, it "creates global admin accounts in the organization's cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access."
That's already pretty epic. But Lapsus$ then takes it to the next level, infiltrating the hacked organization's own internal discussions about how to respond to Lapsus$'s intrusion.
It will join "the organization's crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response," Microsoft said.
"This group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies — to leverage their access from one organization to access the partner or supplier organizations."