Microsoft Confirms DDoS Attacks on Azure and Outlook

Microsoft has officially confirmed that the recent outages experienced by Azure, Outlook, and OneDrive were the result of targeted Distributed Denial-of-Service (DDoS) attacks. These attacks were aimed at disrupting the company’s web portals. They have been attributed to a threat actor known as Storm-1359, operating under the name of Anonymous Sudan.

Timeline of the Attacks

The series of outages occurred in early June, with the Outlook.com web portal being targeted on June 7th, followed by OneDrive on June 8th, and finally the Microsoft Azure Portal on June 9th. Although Microsoft did not initially disclose the DDoS attacks, the company hinted at them by mentioning load balancing processes applied to mitigate the issues faced by users.

Microsoft Acknowledges Layer 7 DDoS Attacks

In a preliminary report addressing the root cause of the outages, Microsoft stated that a significant surge in network traffic was responsible for the Azure outage. The company elaborated, “We identified a spike in network traffic which impacted the ability to manage traffic to these sites and resulted in the issues for customers to access these sites.”

In a recent post from the Microsoft Security Response Center, the company confirmed that the outages were indeed caused by Layer 7 DDoS attacks executed by the threat actor Storm-1359, whom they have been closely monitoring. Microsoft promptly initiated an investigation upon detecting the traffic surges, subsequently tracking the ongoing DDoS activity by Storm-1359.

Anonymous Sudan’s DDoS Techniques

Anonymous Sudan relies on a combination of multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools to execute their attacks. These Layer 7 DDoS attacks overwhelm the target web services by flooding them with a massive volume of requests, rendering them incapable of processing the influx effectively.

Microsoft has identified three specific types of Layer 7 DDoS attacks employed by Anonymous Sudan: HTTP(S) flood attacks, cache bypass, and Slowloris. Each method aims to exhaust a web service by utilizing all available connections, thereby preventing the acceptance of new requests.
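As an added illustration (not taken from Microsoft's report or from this article), the sketch below shows how a defender might flag each of the three patterns in one window of web access logs. The log format, thresholds, and sample lines are constructed assumptions, and the heuristics (per-client request count, many distinct cache-missing query strings on one path, repeated 408 timeouts on long-held connections) are common detection approaches rather than Microsoft's own method.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative thresholds for one log window (assumptions; tune per service).
FLOOD_REQS = 8       # requests from one client
BYPASS_QUERIES = 5   # distinct cache-missing query strings on one path
SLOW_CONNS = 3       # connections that timed out after being held open
SLOW_SECS = 30.0     # how long a connection was held before the 408

def parse(line):
    """Parse 'ip method url status cache request_time' (constructed format)."""
    ip, _method, url, status, cache, rt = line.split()
    parts = urlsplit(url)
    return ip, parts.path, parts.query, int(status), cache, float(rt)

def classify(lines):
    """Return {client_ip: set of suspected Layer 7 DDoS patterns}."""
    count = defaultdict(int)     # ip -> total requests
    queries = defaultdict(set)   # (ip, path) -> query strings that missed cache
    slow = defaultdict(int)      # ip -> slow timed-out connections
    for line in lines:
        ip, path, query, status, cache, rt = parse(line)
        count[ip] += 1
        if query and cache == "MISS":
            queries[(ip, path)].add(query)
        if status == 408 and rt >= SLOW_SECS:
            slow[ip] += 1
    findings = defaultdict(set)
    for ip, n in count.items():
        if n >= FLOOD_REQS:
            findings[ip].add("http-flood")
    for (ip, _path), seen in queries.items():
        if len(seen) >= BYPASS_QUERIES:
            findings[ip].add("cache-bypass")
    for ip, n in slow.items():
        if n >= SLOW_CONNS:
            findings[ip].add("slowloris")
    return dict(findings)

# Constructed sample window; client addresses use documentation ranges.
SAMPLE = (
    ["198.51.100.7 GET /index.html 200 HIT 0.01"] * 9
    + [f"203.0.113.5 GET /search?r={i:04x} 200 MISS 0.40" for i in range(6)]
    + ["192.0.2.44 GET /login 408 - 60.0"] * 3
    + ["192.0.2.10 GET /index.html 200 HIT 0.02",
       "192.0.2.10 GET /search?q=mail 200 MISS 0.30"]
)

if __name__ == "__main__":
    for ip, patterns in sorted(classify(SAMPLE).items()):
        print(ip, sorted(patterns))
```

Because the traffic described above is spread across many VPS hosts and open proxies, per-client counters like these are best combined with aggregate signals such as overall cache-miss ratio and open-connection counts.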

Anonymous Sudan: Who Are They?

While Microsoft tracks this threat actor as Storm-1359, they are more commonly known as Anonymous Sudan. The group emerged in January 2023, issuing warnings of attacks against any country opposing Sudan’s interests. Since then, they have targeted various organizations and government agencies globally, launching DDoS attacks and leaking stolen data.

In May, Anonymous Sudan expanded their targets to larger entities, demanding monetary compensation to cease their attacks. Scandinavian Airlines (SAS) was among their initial targets, with the threat actors demanding $3,500 to halt the DDoS campaign. Subsequently, they shifted their focus to American companies such as Tinder, Lyft, and several hospitals across the USA.

In June, Anonymous Sudan directed their attacks towards Microsoft, specifically targeting the web-accessible portals for Outlook, Azure, and OneDrive. The group demanded a substantial sum of $1 million to cease the attacks, while criticizing Microsoft’s inability to defend against them. They boldly proposed teaching Microsoft’s cybersecurity experts how to repel the attacks in exchange for the monetary compensation.

The Claims

During the DDoS attacks on Outlook, Anonymous Sudan claimed responsibility for their actions, saying they were a protest against the USA’s involvement in Sudanese politics. The group declared a continuing campaign against the US and American companies and infrastructure due to statements.