author photo
By Cam Sivesind
Tue | Jun 20, 2023 | 12:30 PM PDT

In a Friday blog post, Microsoft blamed a battery of service outages of its Azure, Outlook, and OneDrive platforms in early June on "access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools."

The tech giant blamed the ongoing DDoS activity on a threat actor it tracks as Storm-1359, believed to be the responsibility of—though not confirmed—a group known as Anonymous Sudan. The group is responsible for DDoS attacks against Swedish, Dutch, Australian, and German organizations since early 2023.

A blog post in March from SpiderLabs Research dug into the group, believed to be tied to pro-Russian threat actor Killnet. The group's targets are all Ukraine-friendly states or organizations.

"The Trustwave SpiderLabs research team has been tracking a new threat group calling itself Anonymous Sudan, which has carried out a series of Distributed Denial of Service (DDoS) attacks against Swedish, Dutch, Australian, and German organizations purportedly in retaliation for anti-Muslim activity that had taken place in those countries.

However, a deeper dive into the group indicates a very strong possibility that Anonymous Sudan is a sub-group of the Pro-Russian threat actor group Killnet, a group with which Anonymous Sudan has publicly aligned itself.

SpiderLabs cannot confirm that the group is based in Sudan, nor if any of its members are from that nation, but based on the evidence available, it seems quite likely that Anonymous Sudan is a Killnet project, possibly including some Eastern European members."

Col. Cedric Leighton, CNN Military Analyst, U.S. Air Force (Ret.), and Chairman, Cedric Leighton Associates, said these attacks are consistent with Russia's modus operandi. Leighton said:

"The massive DDoS attack affecting Azure, Outlook, and OneDrive really fits with previous Russian efforts to target pro-Ukrainian entities in Europe and the U.S. The attack is not surprising given the fact that Microsoft provided a great deal of support to Ukraine as it responded to Russian orchestrated cyberattacks that were conducted in concert with Russia's invasion of Ukraine in February of last year. I think we're seeing the confluence between Russian cybercriminals and state-sponsored actors. The Russian intelligence services are most likely behind KillNet. Their goal is to disrupt Western efforts to support Ukraine and attack Microsoft services that help to provide that support. From this we can also see that these attacks are becoming more and more sophisticated."

More from the SpiderLabs blog post:

"There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan's preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia."

In a June 16 blog from Microsoft addressing the DDoS attacks, the company said it has seen no evidence that customer data was accessed or compromised. From the post:

"This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.

Customers should review the technical details and recommended actions section of this blog to increase the resilience of their environments to help mitigate similar attacks."

See the post for technical details, including the types of DDoS attack traffic, such as HTTP(S) flood attack, cache bypass, and Slowloris. It also provides Layer 7 DDoS protection tips.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, offered his perspective on the incident:

"Attacks like this show that even large organizations like Microsoft, with substantial computing and bandwidth resources, can suffer from distributed denial of service (DDoS) attacks. It can be especially problematic when the attackers are leveraging one of the techniques that relies on application behavior rather than raw volume.

Given the ongoing geopolitical situation, it's not a surprise that a threat actor with ties to Russia seems to be behind the attack.  Hopefully, Microsoft will be able to mitigate the attack and reduce the impact on their large user base the next time it happens."

John Bambenek, Principal Threat Hunter at Netenrich, said:

"With the movement to cloud services, attackers have adapted and increased their scale of attacks to create outsized impact. Layer 7 attacks are the trickiest because it can be hard to distinguish between authentic and inauthentic traffic and there is great resistance to slow down legitimate users."