Microsoft and Okta compromised by LAPSUS$ hacks

Brock Bingham candid headshot
Brock Bingham|March 22, 2022
microsoft and okta hack
microsoft and okta hack

LAPSUS$, the notorious hacking group which has been targeting some of the world's largest organizations, such as LG, Nvidia, Samsung, and Ubisoft, has struck again. This time their targets are two of the biggest names in the tech industry, Microsoft and Okta, leaving security teams worldwide scrambling to make sure their organizations are safe.

37GB of Microsoft source code leaked

On Sunday, March 20, LAPSUS$ posted a screenshot on Telegram of what appeared to be proof they had gained access to a Microsoft Azure DevOps server containing source code for several high-profile Microsoft projects, including both Bing and Cortana.

Wasting no time, LAPSUS$ posted a 9GB archive file containing the source code of hundreds of Microsoft projects late Monday evening. The fully uncompressed file apparently contains 37GB of source code, which LAPSUS$ claims includes 90% of Bing Maps source code and around 45% of Bing and Cortana source code.

In an attempt to verify the claims, security researchers have been busy scouring the released data and believe the leak appears to contain legitimate source code from Microsoft.

So far, the only communication available from Microsoft is that they are aware of the claims and are actively investigating the situation.

LAPSUS$ gains access to Okta.com as a "SuperUser/Admin"

LAPSUS$, not content with just stealing and posting gigabytes of data from Microsoft, posted images on Tuesday, March 22, indicating they had gained privileged access to an Okta administrative console.

Okta is the world's most well-known identity and access management (IAM) service provider. Okta's platform provides authentication services for more than 10,000 customers and over 100 million users. Needless to say, this data breach could have devastating consequences for thousands of organizations around the world.

LAPSUS$ claims it did not steal or access any Okta databases and that its main focus was only on Okta's customers. 

Here is Okta's most recent response to the incident:

"The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. 

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

We take our responsibility to protect and secure our customers' information very seriously. We are deeply committed to transparency and will communicate additional updates when available."

It's unclear exactly what LAPSUS$ had access to, or which customers may be impacted, but if your organization utilizes Okta, continue monitoring this breach as more information becomes available.

LAPSUS$ is keeping security teams on their toes

While we do not know who LAPSUS$'s next target will be, or the full implications of this leak, it is important to ensure your organization is protected by incorporating strong cybersecurity practices. Make sure your users are adequately trained, utilize robust cybersecurity platforms, and keep your devices up to date and vulnerability-free.

As with all cybersecurity incidents, PDQ takes these matters very seriously. As more information becomes available, we will update this post to ensure users are kept apprised.


Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related Articles