Microsoft has confirmed that recent outages to Azure, Outlook, and OneDrive web portals resulted from Layer 7 DDoS attacks against the company’s services.
The attacks are being attributed to a threat actor tracked by Microsoft as Storm-1359, who calls themselves Anonymous Sudan.
The outages occurred at the beginning of June, with Outlook.com’s web portal targeted on June 7th, OneDrive on June 8th, and the Microsoft Azure Portal on June 9th.
Microsoft did not share at the time that they were suffering DDoS attacks but hinted that they were the cause, stating for some incidents that they were “applying load balancing processes in order to mitigate the issue.”
In a preliminary root cause report released last week, Microsoft further hinted at DDoS attacks, stating that a spike in network traffic caused the Azure outage.
“We identified a spike in network traffic which impacted the ability to manage traffic to these sites and resulted in the issues for customers to access these sites,” explained Microsoft.
In a Microsoft Security Response Center post released on Friday, Microsoft now confirms that these outages were caused by a Layer 7 DDoS attack against their services by a threat actor they track as Storm-1359.
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359,” confirmed Microsoft.
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.”
“We have seen no evidence that customer data has been accessed or compromised.”
A Layer 7 DDoS attack is when the threat actors target the application level by overwhelming services with a massive volume of requests, causing the services to hang as they cannot process them all.
Microsoft says Anonymous Sudan uses three types of Layer 7 DDoS attacks: HTTP (S) flood attacks, Cache bypass, and Slowloris.
Each DDoS method overwhelms a web service, using up all available connections so they can no longer accept new requests.
While Microsoft tracks the threat actors as Storm-1359, they are more commonly known as Anonymous Sudan.
Anonymous Sudan launched in January 2023, warning that they would conduct attacks against any country that opposes Sudan.
Since then, the group has targeted organizations and government agencies worldwide, taking them down in DDoS attacks or leaking stolen data.
Starting in May, the group has targeted large organizations, demanding payments to stop the attacks. The attacks first targeted Scandinavian Airlines (SAS), with the threat actors demanding $3,500 to stop the DDoS attacks.
The group later targeted the websites for American companies, such as Tinder, Lyft, and various hospitals throughout the USA.
In June, Anonymous Sudan turned their attention to Microsoft, where they began DDoS attacks on web-accessible portals for Outlook, Azure, and OneDrive, demanding $1 million to stop the attacks.
“You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end? 1 million USD is peanuts for a company like you,” demanded the group.
During the DDoS attacks on Outlook, the group said they were being conducted in protests of the USA’s involvement in Sudanese politics.
“This is a continuous campaign against US/American companies & infrastructure because of the statement of the US Secretary of State saying there is a possibility of American invasion of Sudan,” stated Anonymous Sudan.
However, some cybersecurity researchers believe this is a false flag and that the group might be linked to Russia instead.
This link may have become further apparent this week, with the group claiming to form a “DARKNET parliament” consisting of other pro-Russia groups, such as KILLNET and “REvil.”
“72 hours ago, three heads of hacker groups from Russia and Sudan held a regular meeting in the DARKNET parliament, and came to a common decision,” warned the group about impending attacks on European banking infrastructure.
“Today we are starting to impose sanctions on the European banking transfer systems SEPA, IBAN, WIRE, SWIFT, WISE.”
While there has been no indication that attacks on European banking systems have started, the group has demonstrated that they have significant resources at their disposal, and financial institutions should be on alert for potential disruption.
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!