The Lapsus$ data theft and extortion gang is claiming two important IT companies are its latest victims.
The gang has begun posting files or screen shots it says have been taken from Microsoft and Okta, an identity and access management provider, on its Telegram data leak site.
News reports say Lapsus$ is alleging it stole 37GB of data, including much or parts the source code for Bing, Cortana, and other projects, from Microsoft’s internal Azure DevOps server.
Security researchers who have seen the posted files told the BleepingComputer news site that they appear to be legitimate internal source code from Microsoft. None of the code relates to Windows, Windows Server, or Microsoft Office.
Microsoft has told BleepingComputer that it is investigating the claims.
Meanwhile, Okta has told the ZDNet news service that screenshots posted by Lapsus$ on its data leak site appear to relate to a January incident. At that time, Okta detected what it said was an unsuccessful attempt to compromise the account of a third-party customer support engineer. The provider was notified and the engineer’s Otka account was suspended.
“The matter was investigated and contained,” ZDNet was told by Otka. “We believe the screenshots shared online are connected to this January event.”
Otherwise, Okta said, there is no evidence of recent malicious activity.
UPDATE: At noon Pacific time today Okta issued a statement saying its service has not been breached and remains fully operational. “There are no corrective actions that need to be taken by our customers,” the statement said.
A forensics report said there was a five-day window of time starting January 16th where an attacker had access to a support engineer’s laptop, it added. “The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi factor authentication for users, but are unable to obtain those passwords.”
Six and a half hours later — after a Forbes article quoted Okta customers as being furious they weren’t told of the data breach — Okta issued the following statement:
“We have concluded that a small percentage of customers – approximately 2.5 per cent – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”
Lapsus$ says it also recently hacked Samsung, Nvidia and Ubisoft.
In an interview this morning Brett Callow, a Canadian-based threat researcher for Emsisoft, said “who they (Lapsus$) are we really don’t know. Some of their posts are in Portuguese and one of our team who is Brazilian believes it is Brazilian Portuguese. Which would indicate at least the person who writes on behalf of the group is based in that part of the world.”
“They are an extremely contradictory group. Their tactics appear to be made up as they go along. They are all over the place, which would imply they are inexperienced. In fact some of the ways they deal with victims are teenager-like. Yet the victims they are quickly racking up imply the opposite of inexperienced.”
It is possible the gang gets access to victims’ IT networks by paying off employees, he said, noting Lapsus$ has posted a note saying it is looking to “recruit” employees willing to provide VPN or Citrix access to their firms.
The best advice for IT defenders, Callow said, is to follow basic cybersecurity hygiene, including installing application patches quickly and implementing multifactor authentication as an extra login step.
Some security researchers describe Lapsus$ as a ransomware gang, and indeed it demands a ransom or copied data will be publicly released. That can be painful if the data is source code that other hacking groups can leverage for their attacks. However, unlike traditional ransomware gangs, Lapsus$ doesn’t encrypt the data it leaves behind, which is why some call it an extortion gang.
Lapsus$’ threat tactics can be imaginative. For example, it reportedly demanded Nvidia remove the lite hash rate (LHR) feature from the company’s graphic cards or source code would be published. The LHR limits the ability of the cards to be used for Ethereum mining.
According to The Record, one of the earliest victims of Lapsus$ was Impresa, the largest media conglomerate in Portugal, which was hit in late December.
Wired Magazine quoted a Mandiant executive saying Lapsus$ “operates on street cred and clout … They’re bragging to their friends, and if they get money, they’ll take it, but money doesn’t seem to be the sole or even primary driver. So a victim company that wants to negotiate with them and may think about paying them likely won’t get the outcome they’re hoping for.”
(This story has been updated from the original to include comments from Brett Callow. It was later updated to include the latest statements from Okta)