Microsoft has confirmed that recent outages to Azure, Outlook, and OneDrive web portals resulted from Layer 7 DDoS attacks against the company’s services.
The attacks are being attributed to a threat actor tracked by Microsoft as Storm-1359, who calls themselves Anonymous Sudan.
The outages occurred at the beginning of June, with Outlook.com’s web portal targeted on June 7th, OneDrive on June 8th, and the Microsoft Azure Portal on June 9th.
Microsoft did not share at the time that they were suffering DDoS attacks but hinted that they were the cause, stating for some incidents that they were “applying load balancing processes in order to mitigate the issue.”
In a preliminary root cause report released last week, Microsoft further hinted at DDoS attacks, stating that a spike in network traffic caused the Azure outage.
“We identified a spike in network traffic which impacted the ability to manage traffic to these sites and resulted in the issues for customers to access these sites,” explained Microsoft.
In a Microsoft Security Response Center post released on Friday, Microsoft now confirms that these outages were caused by a Layer 7 DDoS attack against their services by a threat actor they track as Storm-1359.
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359,” confirmed Microsoft.
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.”
“We have seen no evidence that customer data has been accessed or compromised.”
A Layer 7 DDoS attack targets the application layer, overwhelming services with a massive volume of requests so that they hang because they cannot process them all.
Microsoft says Anonymous Sudan uses three types of Layer 7 DDoS attacks: HTTP(S) flood attacks, cache bypass, and Slowloris.
Each DDoS method overwhelms a web service, using up all available connections so it can no longer accept new requests.
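As an added illustration (not code from Microsoft or from this article), the sketch below shows how a defender might flag two of these patterns in front-end access logs: per-client request floods, and cache bypass seen as cache misses on one path with a different query string almost every time. The log format, sample lines and thresholds are assumptions made for this example; Slowloris is left out because it holds connections open with incomplete requests and is better observed in connection-state metrics.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "epoch_seconds client_ip cache_status request_target".
# The format and the thresholds below are assumptions for this example.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 10} 203.0.113.5 MISS /portal/home?r={i:04x}" for i in range(60)]
    + [f"{1000 + i // 20} 198.51.100.7 HIT /portal/home" for i in range(120)]
    + [f"{1000 + i * 2} 192.0.2.10 HIT /portal/home" for i in range(5)]
    + ["1003 192.0.2.10 MISS /portal/mail?folder=inbox"]
)

WINDOW_SECONDS = 10        # size of each fixed counting window
FLOOD_THRESHOLD = 100      # requests per client per window
BYPASS_MIN_REQUESTS = 30   # ignore clients with too few misses to judge
BYPASS_UNIQUE_RATIO = 0.9  # share of distinct query strings on one path


def classify(log_text):
    """Return {client_ip: set of labels} for clients that look abusive."""
    totals = defaultdict(int)                # (client, window) -> requests
    misses = defaultdict(lambda: [0, set()]) # (client, window, path) -> [misses, queries]
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines rather than crash
        ts, client, cache, target = parts
        window = int(ts) // WINDOW_SECONDS
        totals[(client, window)] += 1
        if cache == "MISS":
            url = urlsplit(target)
            entry = misses[(client, window, url.path)]
            entry[0] += 1
            entry[1].add(url.query)

    findings = defaultdict(set)
    for (client, _), count in totals.items():
        if count >= FLOOD_THRESHOLD:
            findings[client].add("http_flood")
    for (client, _, _), (count, queries) in misses.items():
        if count >= BYPASS_MIN_REQUESTS and len(queries) / count >= BYPASS_UNIQUE_RATIO:
            findings[client].add("cache_bypass")
    return dict(findings)


if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE_LOG).items()):
        print(ip, sorted(labels))
```

In production the thresholds would be tuned against normal traffic, and clients behind shared NAT or corporate proxies would need a higher flood limit to avoid false positives.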
While Microsoft tracks the threat actors as Storm-1359, they are more commonly known as Anonymous Sudan.
Anonymous Sudan launched in January 2023, warning that they would conduct attacks against any country that opposes Sudan.
Since then, the group has targeted organizations and government agencies worldwide, taking them down in DDoS attacks or leaking stolen data.
Starting in May, the group has targeted large organizations, demanding payments to stop the attacks. The attacks first targeted Scandinavian Airlines (SAS), with the threat actors demanding $3,500 to stop the DDoS attacks.
The group later targeted the websites for American companies, such as Tinder, Lyft, and various hospitals throughout the USA.
In June, Anonymous Sudan turned their attention to Microsoft, where they began DDoS attacks on web-accessible portals for Outlook, Azure, and OneDrive, demanding $1 million to stop the attacks.
“You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end? 1 million USD is peanuts for a company like you,” demanded the group.
During the DDoS attacks on Outlook, the group said they were being conducted in protest of the USA’s involvement in Sudanese politics.
“This is a continuous campaign against US/American companies & infrastructure because of the statement of the US Secretary of State saying there is a possibility of American invasion of Sudan,” stated Anonymous Sudan.
However, some cybersecurity researchers believe this is a false flag and that the group might be linked to Russia instead.
This link may have become further apparent this week, with the group claiming to form a “DARKNET parliament” consisting of other pro-Russia groups, such as KILLNET and “REvil.”
“72 hours ago, three heads of hacker groups from Russia and Sudan held a regular meeting in the DARKNET parliament, and came to a common decision,” warned the group about impending attacks on European banking infrastructure.
“Today we are starting to impose sanctions on the European banking transfer systems SEPA, IBAN, WIRE, SWIFT, WISE.”
While there has been no indication that attacks on European banking systems have started, the group has demonstrated that they have significant resources at their disposal, and financial institutions should be on alert for potential disruption.
Bleeping Computer