Skip links

Microsoft investigates after Lapsus$ gang brags of Bing, Cortana code heist

The Lapsus$ extortion gang briefly alleged over the weekend it had compromised Microsoft.

The devil-may-care cyber-crime ring has previously boasted of breaking into Nvidia, Samsung, Ubisoft, and others. Its modus operandi is to infiltrate a big target’s network, exfiltrate sensitive internal data, and then make demands to prevent the public release of this material – and perhaps just release some of it anyway.

“We are aware of the claims and are investigating,” a Microsoft spokesperson told The Register on Monday.

On Saturday and Sunday, the crooks shared then deleted on Telegram screenshots suggesting they had broken into Microsoft’s internal DevOps environment, as spotted by infosec bod Dominic Alvieri. The screenshot shows internal projects including Bing and Cortana’s source code, and ​​WebXT compliance engineering projects.

“Normally you wouldn’t give credibility to a snapshot,” tweeted Alvieri, “but Lapsus has breached Samsung, Impresa, Mercado Libre, Ubisoft, and Nvidia.” The researcher said Microsoft and Vodafone have allegedly been hit, adding that the brag about the Windows giant seems “credible so far and reputation is at stake.”

If the screenshots are legit, this would be a major security breach for the American IT titan. There’s the potential for miscreants to find and exploit security holes in the code, should they get their hands on it. Perhaps Microsoft should have fought a little harder for Mandiant before Google scooped it up for $5.4bn.

The suspected Microsoft intrusion follows a series of high-profile sorties by Lapsus$, which, until recently, was best known for meddling with Brazil’s Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

That all changed in February when the gang, believed to be based in Brazil, sneaked into Nvidia‘s networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ raided Samsung and stole 190GB of internal files including some Galaxy device source code. 

The criminal group followed that up by claiming it was responsible for a cybersecurity incident” at gaming giant Ubisoft, and it’s reportedly behind a Vodafone security breach as well. Earlier this month, the telco said it was probing Lapsus$’s claims that it stole 200GB worth of source code.

“We are investigating the claim together with law enforcement, and at this point we cannot comment on the credibility of the claim,” a Voda spokesperson told CNBC. “However, what we can say is that generally the types of repositories referenced in the claim contain proprietary source code and do not contain customer data.”  ®