DDoS Attacks Culprit of Recent Azure, Microsoft 365 OutagesLikely Pro-Russian Group 'Anonymous Sudan' Behind Attack
Weeks of outages plaguing Azure and Microsoft 365 stem from DDoS attacks carried out by a pro-Russian hacktivist group, Microsoft admitted late Friday.
The computing giant said a threat actor since early June has launched DDoS attacks from multiple cloud services and open proxy infrastructures thanks to its collection of botnets. The attacks likely rely on access to multiple virtual private servers as well as rented cloud infrastructure, open proxies and DDoS tools, Microsoft said in a little-publicized blog post.
Microsoft tracks the responsible threat actor as Storm-1359. It said the group appears to be focused on disruption and publicity. Until Friday, Microsoft has treated the outages as a technical issues, writing about a June 9 Azure outage that "internal telemetry reported an anomaly with increased request rates."
The company uses a "Storm" tag for threat actors when there is a newly discovered, unknown, emerging or developing cluster of threat activity. A self-identified DDoS hacktivist group calling itself "Anonymous Sudan" claimed responsibility for the attacks in multiple posts throughout this month on its Telegram channel. A Microsoft spokesperson confirmed to The Associated Press that the group is behind the hacks (see: Breach Roundup: Amazon Settles US FTC Investigations).
Anonymous Sudan coalesced in January and previously carried out a series of DDoS attacks against Swedish, Dutch, Australian and German organizations, purportedly in retaliation for anti-Muslim activity that had taken place in those countries.
Swedish cybersecurity firm Truesec concluded in February that Anonymous Sudan is most likely a Russian information operation. Trustwave in March found "a very strong possibility that Anonymous Sudan is a subgroup of the pro-Russian threat actor group Killnet."
"Anonymous Sudan's preferred attack vector is DDoS attacks, the attack type that Killnet has conducted," Trustwave wrote March 30. "Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia."
Microsoft said the threat actor has been using three types of application-layer DDoS attacks. One type sends out millions of HTTPs requests that are distributed across the globe from different source IPs, causing the system back end to run out of processing and memory resources.
Storm-1359 also sends a series of queries against generated URLs that overload the origin servers by forcing the front-end layer to forward all requests to the origin rather than serving from cached contents. The threat actor also opens a connection to a web server and requests a resource, but it fails to acknowledge the download, forcing the server to keep the resource in memory.
Microsoft tuned Azure Web Application Firewall to better protect customers from the impact of similar DDoS attacks and said its protections are highly effective at mitigating the majority of disruptions. Customers using Azure WAF should block, rate limit or redirect traffic from outside a defined geographic region to help protect web applications, according to Microsoft.
The company said it hasn't seen any evidence of customer data being accessed or compromised. But Microsoft's blog post doesn't say how many customers were affected by the service disruptions, the severity of the impact, and whether it was global. Customers first reported service interruptions to the Microsoft 365 Office suite on June 5.