Anatomy of a Breach: Lapsus$ — Teenagers Hack Nvidia, Samsung, Microsoft, and Okta Through Social Engineering and MFA Fatigue

> series: anatomy_of_a_breach —— part: 159 —— group: lapsus$ —— targets: nvidia_samsung_microsoft_okta —— method: social_engineering_mfa_fatigue —— ages: teenagers

Hedgehog Security 31 March 2022 14 min read

Nvidia. Samsung. Microsoft. Okta. Hacked by teenagers. Through social engineering.

In early 2022, a cybercrime group calling itself Lapsus$ conducted a stunning series of breaches against some of the world's largest technology companies. Nvidia lost employee credentials and proprietary GPU design data. Samsung lost 190GB of source code including Galaxy device bootloaders. Microsoft lost 37GB of source code for Bing, Cortana, and other projects. And Okta — an identity and access management provider used by thousands of organisations — was accessed through a compromised third-party support contractor, potentially affecting up to 366 Okta customers.

The group's techniques were primarily social rather than technical: bribing or coercing employees and contractors for credentials, SIM-swapping to intercept SMS-based MFA codes, and 'MFA fatigue' attacks, in which a target holding a valid password is sent push-notification MFA prompts over and over in the middle of the night until, exhausted, they approve one. UK police arrested a 16-year-old from Oxford and a 17-year-old in connection with the group. The Lapsus$ cases showed that several of the highest-profile breaches of early 2022 were achieved not through zero-days or sophisticated exploits, but through human manipulation.

Send the push notification 100 times. Eventually they will press 'approve.'

MFA fatigue, also called 'MFA bombing' or 'push spam', exploits a weakness of simple approve/deny push MFA: the prompt carries no proof that the person tapping 'approve' is the person who just typed the password. The attacker, having already obtained a valid username and password, repeatedly triggers MFA prompts on the target's phone, at 2am, 3am, 4am, until the target, confused or exhausted, approves one to stop the notifications. The technique bypasses MFA without defeating it technically; it exploits human tolerance instead.

Push-Based MFA Can Be Fatigued
Lapsus$ demonstrated that approve/deny push-notification MFA, while better than no MFA, is vulnerable to fatigue attacks. <a href="/cyber-essentials">Cyber Essentials Danzell</a> recommends number-matching push (the login screen shows a number that the user must type into the authenticator app, so a prompt cannot be approved without being in front of the screen) or FIDO2/hardware tokens, which send no prompt at all and so cannot be fatigued. Number matching stops blind approval but not real-time phishing, where a proxy relays the number to the victim; FIDO2 resists both. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> evaluates MFA implementation resilience.
Teenagers — Again
A 16-year-old from Oxford and a 17-year-old were arrested, continuing the pattern of teenage attackers from <a href="/blog/anatomy-of-a-breach-talktalk">TalkTalk</a> (15-year-old, 2015) and the <a href="/blog/anatomy-of-a-breach-twitter-hack">Twitter hack</a> (17-year-old, 2020). The barrier to entry for social engineering attacks is low: no exploit development is required, only patience and a convincing story.
Insider Recruitment and Bribery
Lapsus$ openly advertised on Telegram for employees of target companies willing to provide credentials or access — offering payment for insider assistance. This insider recruitment model bypasses technical controls entirely. <a href="/penetration-testing/social-engineering">Social engineering assessments</a> test insider recruitment resilience.
Okta: Identity Provider Compromised
The Okta breach — through a third-party contractor — was particularly concerning because Okta manages identity and access for thousands of organisations. Compromising an identity provider creates cascading supply chain risk. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for anomalous identity provider activity.

MFA is essential but not infallible. Implementation matters.

Lapsus$ proved that MFA, while essential, must be implemented correctly to be effective. Approve/deny push-notification MFA is vulnerable to fatigue attacks; SMS-based MFA is vulnerable to SIM-swapping; and both, like one-time codes, can be relayed by a real-time phishing proxy. Number-matching push removes blind approval and so defeats fatigue. Phishing-resistant MFA, meaning FIDO2/WebAuthn credentials such as hardware security keys and passkeys, binds the credential to the site origin and resists fatigue, SIM-swapping and phishing alike. Cyber Essentials Danzell addresses MFA implementation quality. Our social engineering testing includes MFA bypass assessment. SOC in a Box monitors for MFA fatigue patterns. And UK Cyber Defence provides incident response when social engineering succeeds.
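The fatigue pattern described above (a burst of denied or expired push prompts for one user, followed by an approval) is straightforward to detect from an identity provider's MFA event stream. The following detector is an added example written for this page, not Hedgehog Security's or SOC in a Box's code; the log line format, the field names, the sample records and the thresholds (five prompts in ten minutes, quiet hours of 00:00 to 05:59 UTC) are all assumptions to be replaced with the real IdP's schema and a baseline from the environment.

```python
"""Detect MFA-fatigue ("push bombing") patterns in push-MFA outcome events.

Added example. The log format below is constructed and assumed, loosely shaped
like an IdP MFA event stream:  <ISO-8601 UTC> user=<id> event=push_<outcome> ip=<addr>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tunables (assumed values; calibrate against your own prompt-denial baseline)
BURST_THRESHOLD = 5              # denied/expired prompts that constitute a burst
WINDOW = timedelta(minutes=10)   # sliding window those prompts must fall within
QUIET_HOURS = range(0, 6)        # 00:00-05:59 UTC: approvals here get an extra flag

# Constructed sample events (not real data): alice is bombed at 2am and gives in,
# bob approves a single normal prompt, carol mis-taps once then approves.
SAMPLE_LOG = """\
2022-03-20T02:11:05Z user=alice event=push_expired ip=203.0.113.7
2022-03-20T02:12:10Z user=alice event=push_expired ip=203.0.113.7
2022-03-20T02:13:14Z user=alice event=push_denied ip=203.0.113.7
2022-03-20T02:14:20Z user=alice event=push_expired ip=203.0.113.7
2022-03-20T02:15:25Z user=alice event=push_expired ip=203.0.113.7
2022-03-20T02:16:31Z user=alice event=push_denied ip=203.0.113.7
2022-03-20T02:17:40Z user=alice event=push_approved ip=203.0.113.7
2022-03-20T09:00:02Z user=bob event=push_approved ip=198.51.100.20
2022-03-20T14:30:00Z user=carol event=push_denied ip=198.51.100.44
2022-03-20T14:30:45Z user=carol event=push_approved ip=198.51.100.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push_(?P<outcome>approved|denied|expired) ip=(?P<ip>\S+)$"
)


@dataclass
class Alert:
    user: str
    kind: str          # "burst" (spam in progress) or "fatigue_approval" (victim gave in)
    at: datetime
    prompts: int       # denied/expired prompts inside the window when the alert fired
    quiet_hours: bool  # approval/burst happened at an hour where logins are rare


def parse(line):
    """Parse one event line; return (timestamp, user, outcome, ip) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["outcome"], m["ip"]


def detect(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return Alerts for users whose push prompts look like MFA bombing.

    A 'burst' fires once when a user accumulates `threshold` denied/expired prompts
    inside `window`; a 'fatigue_approval' fires when an approval lands while such a
    burst is still inside the window, which is the moment the attacker gets in.
    """
    failures = defaultdict(deque)   # user -> timestamps of denied/expired prompts in window
    bursting = set()                # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, outcome, _ip = rec
        q = failures[user]
        while q and ts - q[0] > window:     # drop prompts that aged out of the window
            q.popleft()
        if not q:
            bursting.discard(user)          # window emptied: a new burst may alert again
        if outcome in ("denied", "expired"):
            q.append(ts)
            if len(q) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append(Alert(user, "burst", ts, len(q), ts.hour in QUIET_HOURS))
        else:                               # approved
            if len(q) >= threshold:
                alerts.append(Alert(user, "fatigue_approval", ts, len(q), ts.hour in QUIET_HOURS))
            q.clear()                       # approval ends the episode either way
            bursting.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.user:8} {a.kind:17} prompts={a.prompts} quiet_hours={a.quiet_hours}")
```

Run against the sample, the detector raises a 'burst' for alice at the fifth unanswered prompt and a 'fatigue_approval' when she approves at 02:17, both flagged as quiet-hours activity; bob and carol produce nothing. In production the parser is the part to swap for the IdP's own event names (Okta System Log or Entra sign-in logs, for instance); the sliding-window logic transfers unchanged, and the 'fatigue_approval' alert is the one to page on, because by then the session exists and the response is to revoke it.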


Lapsus$ bypassed MFA through fatigue attacks. Is your MFA implementation phishing-resistant?

<a href="/cyber-essentials">Cyber Essentials</a> addresses MFA quality. <a href="/penetration-testing/social-engineering">Social engineering testing</a> assesses MFA bypass. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects MFA fatigue.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call