Microsoft investigating Lapsus$ claims of Bing, Cortana data theft

Microsoft has said it is investigating claims from the Lapsus$ extortion group that it breached their systems and gained access to data related to Bing and Cortana products.  

“We are aware of the claims and are investigating,” a Microsoft spokesperson told The Record on Tuesday. 

On Sunday, members of Lapsus$ published a trove of documents and screenshots on their Telegram channel, purporting to have stolen information related to Bing and Bing Maps as well as the source code of Cortana. 

The files included screenshots of an Azure DevOps account but the group eventually deleted the photos before reposting them in the Telegram channel a day later.

The same group then caused further concern when it revealed it gained access to major Single Sign-On provider Okta. Okta confirmed that it is investigating the incident. 

The group has caused confusion among experts because at times it uses ransomware in attacks while in other instances it purports to have access to company credentials or insiders. 

Recorded Future ransomware expert Allan Liska said the group is strange because of how they go from seemingly technical attacks to less sophisticated hacks. 

“This appears to be a legitimate breach of Microsoft though. From what I can tell, looking through the published data, the source code and internal communications appear to be real. This could be a serious problem for Microsoft going forward,” Liska said. The Record is an independent unit of Recorded Future.

“What will be interesting to see is where the leak originated from? Is this poor password management by a single employee or reflective of a larger issue at Microsoft?”

The South American group has previously attacked NVIDIA, Samsung, Vodafone, Ubisoft and others. For NVIDIA, it claims to have stolen 1TB of data and leaked 20GB. They also leaked 190GB from Samsung. 

Earlier this year it took credit for attacks on Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country’s largest TV channel and weekly newspaper.

It also ransomed Brazil’s Ministry of Health, and Claro and Embratel, two South American telecommunication providers.

Emsisoft threat analyst Brett Callow told The Record that Lapsus$ is very contradictory. 

“Their erratic behavior and seeming lack of any game plan implies they could be a bunch of inexperienced kids, while their victim list implies the exact opposite. The group isn’t unique in choosing not to encrypt its victims’ networks, and I suspect the tactic may become more common,” Callow said. 

“Now that law enforcement agencies are having more success at apprehending and prosecuting threat actors, some cybercriminals may feel that avoiding highly disruptive encryption-based attacks will make them less of a target.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.