A hacking group has hit Microsoft, getting into Azure DevOps source code repositories and leaking source code for Cortana and several other Microsoft projects. It is the latest round of attacks by the group going by the name of “LAPSUS$,” which also successfully targeted Nvidia, Ubisoft, and other large technology giants.
Microsoft hasn’t yet confirmed if a specific Azure DevOps account has been breached by LAPSUS$, but according to BleepingComputer it is aware of the claims and is investigating. This comes after the hacking group first posted a screenshot on Telegram on March 20 showing an Azure DevOps webpage with listings for code for Cortana and Bing projects like “Bing_UX,” “Bing_Test_Agile,” and others.
The newest update from the group, coming on March 22, includes the sharing of a 9GB archive, which has source code for 250 Microsoft projects. Of those, the group claims to have 90% of the source code for Bing, and 45% of the source code for Bing Maps and Cortana. This is only some of the data, with the full archive having 37GB of Microsoft source code.
The Source code for Windows and Office are not included in the leak, according to Bleeping Computer, which believes the leaked files are genuine. The files instead are tied to mobile apps or websites and contain emails and other documents used internally by Microsoft engineers who worked on the projects.
As dangerous as this sounds, the hacking group LAPSUS$, isn’t typical. The group is more interested in holding the source code ransom for tech giants in order to make a profit. That’s because source code repositories could also have API keys and code signing certificates. LAPSUS$, did this with Nvidia when it stole DLSS code and demanded that the GPU maker “completely open-source (and distribute under a foss license) [its] GPU drivers.”
Yet in the case of Microsoft, with the Solarigate investigation, Microsoft has indicated that viewing source code isn’t an elevation of risk issue. At that time, a compromised account had been used to view source code, though it didn’t have permission to modify engineering systems.
The company mentioned that it takes an “inner source approach,” so the secrecy of source code isn’t relied upon for the security of products. “Our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” said Microsoft in 2021.