Microsoft and Okta investigate data breach claims from hacker group

22 Mar 2022

Image: © Mariakray/

Infosec expert Brian Honan said it’s important to not overreact to the claims, as Lapsus$ could be looking for notoriety to make future victims more willing to give in to ransom demands.

Hacking group Lapsus$ claims to have stolen data from Microsoft and identity and access management company Okta, though there is uncertainty around the validity and extent of these reports.

The ransomware group said it stole the source code of multiple Microsoft projects. It shared photos of what appeared to be a hacked Microsoft server on its Telegram channel over the weekend, before releasing a torrent file yesterday (21 March).

According to BleepingComputer, the hacking group claims these files contain the source code for 250 projects stolen from Microsoft’s internal Azure DevOps server, including the code for Bing and Cortana. Security experts who looked at the files told BleepingComputer that they appear to be legitimate.

Microsoft told multiple media outlets that it is aware of the claims and is currently investigating the matter.

Lapsus$ is the hacking group that took responsibility for the Nvidia cyberattack last month. The group claimed to have files on Nvidia GPU drivers, which could allow hackers to turn every Nvidia GPU into a bitcoin mining machine.

A week after the Nvidia attack, the group claimed that it leaked almost 190GB of data from Samsung. Last week, it sent a smirking face emoji to a news link related to the recent Ubisoft hack, which could be the group taking responsibility for that cyberattack.


Lapsus$ also claimed yesterday that it targeted Okta and shared screenshots suggesting the group gained access to Okta customer accounts.

The hacking group said it did not steal any information from Okta itself as its focus was only “on Okta customers”.

Okta CEO Todd McKinnon said the screenshots appear to be linked to an earlier attempt to compromise a third-party account in January, which was “investigated and contained”.

“We believe the screenshots shared online are connected to this January event,” McKinnon said on Twitter today. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

A data-breach from Okta would be significant as its clients include more than 15,000 organisations such as DCC, Engie, ITV, Renault, Siemens, Plan International, Slack and Pret a Manger.

Notoriety goal

The data breach claims from Lapsus$ have caused a stir as many previous claims from the hacking group have been proven to be legitimate. The group has also claimed to have stolen data from electronics giant LG, though the company has not confirmed if this is correct.

BH Consulting CEO Brian Honan told that while it may be possible that Lapsus$ successfully breached the systems of these corporations, people should not “overreact to these claims”.

“The initial notoriety that Lapsus$ gain from these claims, regardless as to how real or not the claims are, could be the goal that Lapsus$ wish to achieve so that any potential future victims will be more willing to pay ransom demand,” Honan said.

He said affected companies first need to confirm if the data breaches have occurred and to share the extent of them if they’re legitimate.

“Even if the breaches are not real, or indeed not as serious as initially made out to be, each affected organisation will waste a lot of time and resources in investigating and responding to the incidents to determine their impact,” Honan added.

“These issues are a prime example of why having good crisis communication plans and processes in place so organisations can respond quickly and authoritatively to any claims that are being made.”

How to prevent a data breach

While it is unclear if Lapsus$ is behind all of the breaches it is claiming responsibility for, companies such as Nvidia and Samsung have confirmed that data breaches took place recently.

Jamie Moles, senior technical manager at cybersecurity company ExtraHop, said breaches are concerning as these large companies have the necessary resources to build “strong cybersecurity procedures”.

Moles said better network visibility is essential to detect malicious activity, as threat actors can disable agents and erase logs “but they cannot turn off the network because they too rely on it to control your systems”.

“The correct place to detect their malicious activities is at the network level where you can see what they are doing without them ever knowing you are watching them,” Moles said. “The sophistication of gangs like Lapsus$ means companies need the right security processes in place for when an intrusion happens so they can catch attackers in their midgame, before the intrusion develops into a successful breach.

“Ensuring good protocol, network segmentation, and behavioural monitoring of the environment is crucial for organisations to help protect themselves,” Moles added.

VP of strategic communications at Deep Instinct, Justin Vaughan-Brown, said the ‘assume breach’ mindset is no longer a safe way to deal with cyberattacks, as endpoint detection and response systems need malware to execute before they can be picked up as malicious. This means a threat actor could be in the system for a long time before they are detected.

“With some of the fastest ransomware now encrypting within 15 seconds of being executed, organisations need to look towards prevention-first solutions,” Vaughan-Brown added. “Technologies, such as deep learning are able to stop malware before data can be stolen.”

Growing cybersecurity concerns

The last two years have highlighted more than ever how much the cyber threat landscape has grown and evolved.

Some of the major cyberattacks that have shaken the world recently include the HSE ransomware attack in Ireland last year, the attack on the world’s largest meat producer, the cyberattack on a major US gas pipeline and, most recently, the wave of cyberattacks hitting Ukraine.

SonicWall’s latest cyberthreat report highlights the variety of threats that increased to unprecedented levels in 2021, with ransomware attacks up 105pc and encrypted threats increasing 167pc.

A research team at Lero – the Science Foundation Ireland research centre for software – recently suggested that mandatory cybercrime reporting would improve the amount of data available to researchers, which would help combat the growing $1trn global cybercrime industry.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic