Microsoft has confirmed that recent outages to Azure, Outlook, and OneDrive web portals resulted from Layer 7 DDoS attacks against the company's services.
The attacks are being attributed to a threat actor tracked by Microsoft as Storm-1359, who calls themselves Anonymous Sudan.
The outages occurred at the beginning of June, with Outlook.com's web portal targeted on June 7th, OneDrive on June 8th, and the Microsoft Azure Portal on June 9th.
Microsoft did not share at the time that they were suffering DDoS attacks but hinted that they were the cause, stating for some incidents that they were "applying load balancing processes in order to mitigate the issue."
In a preliminary root cause report released last week, Microsoft further hinted at DDoS attacks, stating that a spike in network traffic caused the Azure outage.
"We identified a spike in network traffic which impacted the ability to manage traffic to these sites and resulted in the issues for customers to access these sites," explained Microsoft.
In a Microsoft Security Response Center post released on Friday, Microsoft now confirms that these outages were caused by a Layer 7 DDoS attack against their services by a threat actor they track as Storm-1359.
"Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359," confirmed Microsoft.
"These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools."
"We have seen no evidence that customer data has been accessed or compromised."
A Layer 7 DDoS attack is when the threat actors target the application level by overwhelming services with a massive volume of requests, causing the services to hang as they cannot process them all.
Microsoft says Anonymous Sudan uses three types of Layer 7 DDoS attacks: HTTP (S) flood attacks, Cache bypass, and Slowloris.
Each DDoS method overwhelms a web service, using up all available connections so they can no longer accept new requests.
Who is Anonymous Sudan?
While Microsoft tracks the threat actors as Storm-1359, they are more commonly known as Anonymous Sudan.
Anonymous Sudan launched in January 2023, warning that they would conduct attacks against any country that opposes Sudan.
Since then, the group has targeted organizations and government agencies worldwide, taking them down in DDoS attacks or leaking stolen data.
Starting in May, the group has targeted large organizations, demanding payments to stop the attacks. The attacks first targeted Scandinavian Airlines (SAS), with the threat actors demanding $3,500 to stop the DDoS attacks.
The group later targeted the websites for American companies, such as Tinder, Lyft, and various hospitals throughout the USA.
In June, Anonymous Sudan turned their attention to Microsoft, where they began DDoS attacks on web-accessible portals for Outlook, Azure, and OneDrive, demanding $1 million to stop the attacks.
"You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end? 1 million USD is peanuts for a company like you," demanded the group.
During the DDoS attacks on Outlook, the group said they were being conducted in protests of the USA's involvement in Sudanese politics.
"This is a continuous campaign against US/American companies & infrastructure because of the statement of the US Secretary of State saying there is a possibility of American invasion of Sudan," stated Anonymous Sudan.
However, some cybersecurity researchers believe this is a false flag and that the group might be linked to Russia instead.
This link may have become further apparent this week, with the group claiming to form a "DARKNET parliament" consisting of other pro-Russia groups, such as KILLNET and "REvil."
"72 hours ago, three heads of hacker groups from Russia and Sudan held a regular meeting in the DARKNET parliament, and came to a common decision," warned the group about impending attacks on European banking infrastructure.
"Today we are starting to impose sanctions on the European banking transfer systems SEPA, IBAN, WIRE, SWIFT, WISE."
While there has been no indication that attacks on European banking systems have started, the group has demonstrated that they have significant resources at their disposal, and financial institutions should be on alert for potential disruption.
Comments
LIstrong - 1 year ago
It seems like this is a highly coordinated strategic attack. So their comment about football may relate more to American gridiron football, rather than European soccer. But perhaps that’s the solution too. We need cybersecurity linebackers.
LIstrong - 1 year ago
Also the punctuation and the choice of word ‘Dominion’ might be important clues. Typically only native English speakers use complex punctuation. The word Dominion has an Arabic equivalent. Sudanese speak Arabic. But in Farsi, Dominion means territory. So likely not Farsi speaking. Russia has 3 different words that mean Dominion. Also the way the number 1,000,000 is written may differ from Russian numerals which use decimal points, not commas. Arabic and Farsi may also use commas in numerals. But the way it was written out with number instead of the word 1 Million seems intentional. Russia may write it the way Americans do with the word instead of the number. I suspect this was written by a native English speaker, especially with colloquials like ‘peanuts’.
h_b_s - 1 year ago
"Also the punctuation and the choice of word ‘Dominion’ might be important clues. Typically only native English speakers use complex punctuation. The word Dominion has an Arabic equivalent. Sudanese speak Arabic. But in Farsi, Dominion means territory. So likely not Farsi speaking. Russia has 3 different words that mean Dominion. Also the way the number 1,000,000 is written may differ from Russian numerals which use decimal points, not commas. Arabic and Farsi may also use commas in numerals. But the way it was written out with number instead of the word 1 Million seems intentional. Russia may write it the way Americans do with the word instead of the number. I suspect this was written by a native English speaker, especially with colloquials like ‘peanuts’. "
Language analysis in determining point of origin from a statement is weak at best even if it's a credentialed expert doing so instead of some random person from the Internet. Anyone could have written that statement and tailored its grammar with forethought, or no one at all.
LIstrong - 1 year ago
On June 8 WaPo published an article about how Saudi Arabia was threatening economic injury to the U.S. Same day Microsoft is attacked.
Some brand new “security researcher” assigns attribution to Russia and MSM runs with it. Despite no proof. Sudan has a much closer relationship to Saudi than to Russia.
“When someone shows you who they are believe them the first time”. Never doubt Saudi’s ability to hurt us.
Another thing to consider the MOVEIt attacks last week hit Shell Oil. No other global company was attacked. Sudan is oil producing and is a member of OPEC. She’ll doesn’t drill in Sudan.
Pattern recognition is necessary to excel in Cybersecurity. So too is current events. If you don’t know what’s going on with Biden vs Saudi and OPEC, you might want to get caught up.
darylzero - 1 year ago
Could this have been why on 6/9 we had a bunch of emails go to quarantine from multiple different domains that have emailed us daily in the past?
thatirish - 1 year ago
Recent reports indicate the Wagner group is tied to the trouble in Sudan. In that case probably Russia is as well.
NoneRain - 1 year ago
Strange enough, MS has the capability to protect itself from DDOS.
LIstrong - 1 year ago
Their systems saw it as legit traffic. Says they were actively load balancing.
There’s 80,000 Americans living/working in Saudi. All knowledge workers. Many aged out from US big tech companies.
This was an embarrassment and a warning.
Could your company survive without Microsoft? If not, then figure out how to.