A cybercrime group that’s been targeting a string of high-profile victims with data theft, extortion and website defacements over the last few months claimed this weekend it has breached Microsoft.
The corporation said in a statement Monday that officials are “aware of the claims and are investigating.” Lapsus$, the group making the claims, posted a screenshot to its Telegram channel March 20 of what appeared to be an internal Microsoft developer account, Vice reported Monday. Later in the weekend the image was removed from the channel and replaced with the message: “Deleted for now will repost later.”
Lapsus$ emerged in December as a seemingly new hacking group bringing a “chaotic energy to the field,” Wired noted March 15. Rather than attacking targets with ransomware — where data is stolen and a target’s data is then encrypted in a ransom demand — Lapsus$ focuses more on data theft and extortion.
The group claimed in early December that its “only goal is money,” and “our reasons are not political,” Wired noted. So far Lapsus$ has not been definitively tracked to a specific country, but the Wired report said researchers suspect the group might be based somewhere in South America, perhaps Brazil.
In late December, Lapsus$ targeted Portuguese media companies with defacements, and in late February the group stole credentials for what it said were tens of thousands of company employees and proprietary data from chipmaker Nvidia. The group subsequently posted at least some of the data online, and demanded Nvidia alter its chips to allow more efficient cryptocurrency mining and open-source its GPU drivers for Windows, macOS and Linux “from now on and forever.”
Other suspected Lapsus$ targets have included Nvidia and Samsung.
Shortly after, the group claimed to have stolen roughly 200GB of data from Korean tech company Samsung associated with its Galaxy smartphones. A statement from Samsung confirmed the breach without identifying the attackers. On March 4 the group posted a screenshot purported to be internal Samsung data to its Telegram channel, and claimed to have source code related to various devices, “algorithms for all biometric unlock operations” and other data.
Two days later the group posted a poll asking “What should we leak next?” and referenced data related to British telecommunications firm Vodafone, Portuguese media company Impresa, or Argentine e-commerce company MercadoLibre. Vodafone was the “winner,” but it’s not clear whether the group followed through on the threat to post the data.
On March 10 the group posted a message to the more than 32,000 followers on its Telegram channel that it was looking to “recruit” employees or insiders at “any” company providing telecommunications services, large software companies — including Microsoft, Apple, EA, IBM, “and other similar” — call centers and server hosts.
“TO NOTE: WE ARE NOT LOOKING FOR DATA,” the message read. “WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk.”
