A series of DDoS attacks against Microsoft earlier this month led to disruptions across multiple services including Azure, OneDrive and Outlook, the company said in a blog post Friday.
The attacks were committed by a threat group likely using multiple virtual private servers, in tandem with rented cloud infrastructure, open proxies and DDoS tools.
There was no evidence customer data was accessed or compromised, according to Microsoft.
Microsoft customers received error messages on June 9 when trying to access the Azure portal. That disruption also impacted access to Microsoft Entra admin center and Microsoft Intune. Earlier in the week, a series of outages disrupted service to OneDrive, Outlook, SharePoint and Teams.
Microsoft researchers identified the threat actor under its unique nomenclature as Storm-1359, which is otherwise known as Anonymous Sudan. The hacktivist group had previously claimed credit for the attacks, and Microsoft previously confirmed it was aware of those threats.
The recent DDoS attacks targeted layer 7 rather than layer 3 or 4. L7 DDoS attacks target elements of an application's server infrastructure, according to the Cybersecurity and Infrastructure Security Agency. "Layer 7 attacks are especially complex, stealthy and difficult to detect because they resemble legitimate website traffic."
L3 and L4 attacks target the network and transport layers, respectively, and use high volumes of data to slow or overwhelm network performance, CISA says.
Microsoft said it has hardened L7 protections, including tuning its Azure Web Application Firewall, to better protect customers against future DDoS attacks.
Storm-1359 has access to botnets and tools, which allow it to launch attacks from multiple cloud services and open proxy infrastructures, Microsoft said. Storm-1359 has been observed launching several types of L7 attacks:
- HTTP(S) flood attack, where the attacker tries to exhaust system resources with a high load of SSL/TLS handshakes and HTTP(S) requests. The attacks consist of millions of requests from millions of different source IPs around the globe.
- Cache bypass, where the attack bypasses the CDN layer and overloads origin servers.
- Slowloris, where a client opens a connection to a web server, requests resources — for example, an image — and either fails to acknowledge the download or accepts the download slowly.
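The three L7 patterns above each leave a different footprint in an origin server's access log. The script below is an added example, not code from the article or from Microsoft; it runs three heuristics over constructed log lines, and the log field layout (client IP, method, URL, CDN cache status, request duration in ms, bytes sent) and all thresholds are assumptions chosen for illustration.

```python
"""Heuristic indicators for the three L7 DDoS patterns over access-log lines.

Assumed field layout per line: client_ip method url cache_status duration_ms bytes_sent
(this layout and the thresholds below are assumptions for the example).
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic; documentation IP ranges).
LOG_LINES = [
    "203.0.113.5 GET /index.html HIT 12 5120",
    "203.0.113.5 GET /index.html HIT 10 5120",
    "198.51.100.7 GET /api/data?cb=1 MISS 210 800",
    "198.51.100.7 GET /api/data?cb=2 MISS 200 800",
    "198.51.100.7 GET /api/data?cb=3 MISS 220 800",
    "198.51.100.7 GET /api/data?cb=4 MISS 215 800",
    "192.0.2.9 GET /images/big.jpg HIT 30000 512",
]

def parse(line):
    ip, _method, url, cache, ms, nbytes = line.split()
    parts = urlsplit(url)
    return {"ip": ip, "path": parts.path, "query": parts.query,
            "cache": cache, "ms": int(ms), "bytes": int(nbytes)}

def flood_sources(entries, max_requests):
    """HTTP(S) flood: sources that exceed a per-window request budget."""
    counts = Counter(e["ip"] for e in entries)
    return sorted(ip for ip, n in counts.items() if n > max_requests)

def cache_bypass_paths(entries, min_misses):
    """Cache bypass: paths whose CDN misses each carry a different query string."""
    misses = defaultdict(list)
    for e in entries:
        if e["cache"] == "MISS":
            misses[e["path"]].append(e["query"])
    return sorted(p for p, qs in misses.items()
                  if len(qs) >= min_misses and len(set(qs)) == len(qs))

def slow_readers(entries, min_ms, max_bytes_per_sec):
    """Slowloris-style: long-lived requests that move almost no data."""
    hits = set()
    for e in entries:
        rate = e["bytes"] / (max(e["ms"], 1) / 1000)  # guard zero duration
        if e["ms"] >= min_ms and rate <= max_bytes_per_sec:
            hits.add(e["ip"])
    return sorted(hits)

def analyse(lines, max_requests=3, min_misses=3, min_ms=10000, max_bps=100):
    entries = [parse(line) for line in lines]
    return {"flood": flood_sources(entries, max_requests),
            "cache_bypass": cache_bypass_paths(entries, min_misses),
            "slow": slow_readers(entries, min_ms, max_bps)}

if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

In production the per-source budget would be evaluated over a sliding window and the distinct-query check would be paired with a cache-key normalisation rule at the CDN, which is where the mitigation actually lives.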
Researchers have previously connected Anonymous Sudan to the work of a subgroup of the Russia-linked hacktivist group Killnet.
Anonymous Sudan has recently taken credit for other disruptions, including one at UPS. A UPS spokesperson said the company had a brief disruption earlier in the month with no impact to customers. The company is investigating the cause.
Researchers from TrueSec say the group Killnet has been hyping its capabilities of late, and may have added a former junior member of REvil to its operations. Killnet and Anonymous Sudan recently announced a plan to take down the international banking system.