This article has been amended to reflect an updated statement on the incident from Okta.
After screenshots purporting to stem from security breaches at IT giant Microsoft and identity and authentication provider Okta were posted online, both companies are investigating possible attacks by the Lapsus$ hacking group.
In statements to various media outlets, the companies say they are investigating after screenshots purporting to be from the companies’ internal environments were posted to the Lapsus$ group’s Telegram channel this week.
Here is what we know so far.
Lapsus$ claims to have accessed, leaked Microsoft source code
According to Bleeping Computer, the Lapsus$ hacking group claims to have penetrated Microsoft’s environment and stolen source code for Bing, Cortana and other projects from Microsoft’s internal Azure DevOps server. After a screenshot was posted to the group’s Telegram channel, Lapsus$ posted a torrent for a 9 GB 7zip archive with source code from over 250 projects allegedly belonging to Microsoft, including Bing, Bing Maps and Cortana.
The files appear to be legitimate, and some contain emails and documentation that were being used by Microsoft engineers to publish mobile apps, according to Bleeping Computer. Microsoft is investigating the claims.
Microsoft has yet to release any public statements, but has told several news outlets that it is aware of the reports and is investigating.
Okta: Lapsus$ activity may be from January security incident that was contained
In addition to Microsoft, Lapsus$ has posted screenshots of what appear to be the internal websites of Okta, an identity solutions leader, which caused many in the cybersecurity community to express alarm on social media overnight.
If Okta is compromised, the company’s software could be used in a supply chain attack against the company’s “hundreds of millions” of users and “thousands” of customers, including some very large companies, such as Major League Baseball, T-Mobile, Moody’s, Hewlett Packard Enterprise, Sonos, FedEx, Ally Financial and other high-profile organizations.
Posting to Twitter, Okta CEO Todd McKinnon said the screenshots shared on Lapsus$’s Telegram channel are believed to be connected to an attempted compromise of a third-party customer support engineer from January. An Okta spokesperson sent the same statement to us when we asked for more information.
“The matter was investigated and contained by the subprocessor,” McKinnon wrote. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
Update (3/22, 2:07 p.m.)
Okta released an updated statement later Tuesday, claiming the Okta service was not breached and that customers don’t need to take any action. The full statement is below:
The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.
In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.
Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.
The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.
We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
We take our responsibility to protect and secure our customers’ information very seriously. We are deeply committed to transparency and will communicate additional updates when available.
Lapsus$ has claimed big targets, so organizations should be very vigilant
According to Bleeping Computer and Reuters, Lapsus$ allegations of penetrating internal systems at Okta and Microsoft appear to be credible, particularly in the case of Okta, where screenshots purportedly show Okta’s internal tickets and Slack chats.
The Lapsus$ group has been very active in recent months, with several confirmed cases of compromise against very large companies.
According to Bleeping Computer and these companies’ own public statements, NVIDIA, Samsung, Vodafone, Ubisoft and Mercado Libre have all been recent victims of the hacking group, with source code and sensitive data the target.
Okta customers should remain very vigilant until the company releases more information about the incident.