
The threat actor known as Lapsus$ operates with a “pure extortion and destruction model” and unlike other hacker groups, “doesn’t seem to cover its tracks,” according to Microsoft security researchers.

Lapsus$ claims to have breached and leaked data on a number of major tech vendors over the past month. In recent days, the group claims to have used its Telegram account to leak Microsoft source code and to post screenshots taken after breaching a third-party support provider used by identity and access management vendor Okta.

In a blog post today, Microsoft researchers acknowledged that the threat group gained “limited access” to its systems. An Okta executive also acknowledged today that an attacker did access the account of a customer support engineer, who worked for a third-party provider, for five days in January.

In recent weeks, vendors including Nvidia and Samsung Electronics confirmed the theft of data by the threat actor.


The Microsoft blog post says that the company’s researchers had already been tracking Lapsus$, which it refers to as DEV-0537, prior to the purported leak of source code this week.

Key points from the blog:

  • Lapsus$ is responsible for a “large-scale social engineering and extortion campaign” in recent weeks, and engages in a “unique blend of tradecraft.”
  • The group “is known for using a pure extortion and destruction model without deploying ransomware payloads.”
  • Lapsus$ began by targeting organizations in the U.K. and South America (the group is believed to operate out of South America). But it has “expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors.”
  • Lapsus$ “is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.”

Doesn’t cover its tracks

Notably, “unlike most activity groups that stay under the radar,” Lapsus$ “doesn’t seem to cover its tracks,” the Microsoft researchers said.

“They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations,” the researchers said in the post.

The social engineering and “identity-centric tactics” used by the group “require detection and response processes that are similar to insider risk programs,” Microsoft said in the post, “but also involve short response timeframes needed to deal with malicious external threats.”

From the post:

The actors behind DEV-0537 focused their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about end-users, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multifactor authentication (MFA) prompts and calling the organization’s helpdesk to reset a target’s credentials.

Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of [Lapsus$] is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.
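One way a defender can surface the MFA prompt-spamming tactic Microsoft describes in the quoted passage, as an added example that is not code from Microsoft or this article: it scans push-authentication log lines for a burst of refused or ignored prompts and flags the dangerous case where the user eventually approves one. The log format, user names, threshold and window are constructed assumptions to adapt to a real identity provider's export.

```python
"""Flag MFA push "prompt bombing", the MFA-spamming tactic described above.
Added example for this article, not Microsoft's or VentureBeat's code; the
three-field log format is constructed (real IdP exports use vendor names)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (timestamp, user, push result): alice gets a burst of
# pushes she denies or lets time out, then approves one; bob is normal use.
SAMPLE_LOG = """\
2022-03-21T02:10:05Z alice denied
2022-03-21T02:10:41Z alice timeout
2022-03-21T02:11:20Z alice denied
2022-03-21T02:12:03Z alice denied
2022-03-21T02:12:55Z alice approved
2022-03-21T09:00:00Z bob approved
2022-03-21T17:30:12Z bob approved
"""

def parse(log_text):
    """Yield (timestamp, user, result) from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: verdict} for users with >= threshold non-approved pushes
    inside window. 'approved-after-burst' means the user finally accepted a
    push after that burst (the likely takeover); 'burst' means all prompts
    were refused, but someone already holds the user's valid password."""
    by_user = defaultdict(list)
    for ts, user, result in parse(log_text):
        by_user[user].append((ts, result))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # window anchored at each event
            rejected = 0
            for ts, result in events[i:]:
                if ts - start > window:
                    break
                if result != "approved":
                    rejected += 1
                elif rejected >= threshold:        # approval came after the burst
                    findings[user] = "approved-after-burst"
                    break
            if rejected >= threshold:
                findings.setdefault(user, "burst")  # never downgrade a verdict
    return findings
```

Running `detect_mfa_fatigue(SAMPLE_LOG)` flags only alice, as `approved-after-burst`; the same rejected prompts spread an hour apart would not trigger.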

The group has been known to use a number of different techniques for gaining initial access, which have included “paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval,” according to Microsoft researchers.

In terms of goals, in several cases, Lapsus$ “has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole,” the Microsoft researchers said.

Microsoft source code

Microsoft researchers noted in the post that Lapsus$ had “made public claims that they had gained access to Microsoft and exfiltrated portions of source code.” On Telegram, Lapsus$ had claimed to have posted source code for Bing, Bing Maps and Cortana.

“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access,” the researchers said.

Microsoft’s cyber response teams quickly remediated the compromised account, halting further activity, according to the blog.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,” the researchers said. “This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Microsoft added that it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.