
Microsoft has confirmed that recent outages of Azure web portals, Outlook, and OneDrive were the result of Layer 7 DDoS attacks against company services.

The attacks are attributed to a threat actor tracked by Microsoft as Storm-1359, who goes by the name Anonymous Sudan.

The outages occurred in early June, with the Outlook.com web portal targeted on June 7, OneDrive on June 8, and the Microsoft Azure Portal on June 9.

Microsoft did not say at the time that it was experiencing DDoS attacks, but hinted that they were the cause, stating for some incidents that it had to “apply load balancing processes to mitigate the problem”.

In a preliminary root cause report released last week, Microsoft further hinted at DDoS attacks, stating that a spike in network traffic caused Azure to crash.

“We identified a spike in network traffic that impacted the ability to handle traffic to these sites and caused issues for customers accessing these sites,” Microsoft explained.

In a Microsoft Security Response Center article published on Friday, Microsoft now confirms that these outages were caused by a Layer 7 DDoS attack against their services by a threat actor they are tracking as Storm-1359.

“As of early June 2023, Microsoft has identified increases in traffic against certain services that temporarily affected availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor Microsoft is tracking as Storm-1359,” Microsoft confirmed.

“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with leased cloud infrastructure, open proxies, and DDoS tools.”

“We saw no evidence that customer data was accessed or compromised.”

A Layer 7 DDoS attack targets the application layer: threat actors overwhelm a service with a massive volume of requests, and the service fails because it cannot process them all.

According to Microsoft, Anonymous Sudan uses three types of Layer 7 DDoS attacks: HTTP(S) flooding attacks, cache bypassing, and Slowloris.

Each of these methods overwhelms a web service by consuming all of its available connections so that it can no longer accept new requests.
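As a defender-side illustration of the two log-visible methods named above (HTTP flooding and cache bypassing), here is an added example that is not from the article or from Microsoft: it parses constructed web-server access-log lines and flags sources whose request rate or query-string churn suggests a Layer 7 flood. Thresholds, IPs, paths and timestamps are all assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; IPs, paths and times are made up
# for this example and are not from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2023:10:00:01 +0000] "GET /portal?cb=1a2b HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2023:10:00:01 +0000] "GET /portal?cb=9f8e HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2023:10:00:02 +0000] "GET /portal?cb=77c0 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2023:10:00:02 +0000] "GET /portal?cb=d41d HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2023:10:00:03 +0000] "GET /portal?cb=e5f6 HTTP/1.1" 200 512
198.51.100.7 - - [09/Jun/2023:10:00:01 +0000] "GET /portal HTTP/1.1" 200 512
198.51.100.7 - - [09/Jun/2023:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 8820
198.51.100.7 - - [09/Jun/2023:10:00:09 +0000] "GET /portal HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[\d\d/\w{3}/\d{4}:(\d\d):(\d\d):(\d\d) [^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def parse(log_text):
    """Yield (ip, seconds_of_day, path, query) for each line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            path, _, query = m.group(5).partition("?")
            secs = int(m.group(2)) * 3600 + int(m.group(3)) * 60 + int(m.group(4))
            yield m.group(1), secs, path, query

def find_suspects(log_text, window=10, rate_limit=4, bypass_min=4, bypass_ratio=0.9):
    """Return {ip: set(reasons)} for sources that exceed `rate_limit` requests in any
    `window`-second span (HTTP flood) or whose requests to one path almost all carry
    a distinct query string (cache bypass: every request is a cache miss at the CDN)."""
    per_ip = defaultdict(list)
    for ip, t, path, query in parse(log_text):
        per_ip[ip].append((t, path, query))
    suspects = defaultdict(set)
    for ip, reqs in per_ip.items():
        times = sorted(t for t, _, _ in reqs)
        lo = 0                                  # sliding window over sorted timestamps
        for hi in range(len(times)):
            while times[hi] - times[lo] >= window:
                lo += 1
            if hi - lo + 1 > rate_limit:
                suspects[ip].add("http_flood")
        by_path = defaultdict(list)             # query strings seen per path
        for _, path, query in reqs:
            by_path[path].append(query)
        for queries in by_path.values():
            if len(queries) >= bypass_min and len(set(queries)) / len(queries) >= bypass_ratio:
                suspects[ip].add("cache_bypass")
    return dict(suspects)
```

Slowloris, the third method the article names, keeps connections open without ever completing a request, so it leaves no access-log line to score; catching it needs connection-state or header-timeout monitoring at the web server or load balancer rather than log analysis like this.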

Who is Anonymous Sudan?

While Microsoft tracks the threat actors as Storm-1359, they are more commonly known as Anonymous Sudan.

Anonymous Sudan was launched in January 2023, warning that they would carry out attacks against any country that opposes Sudan.

Since then, the group has targeted organizations and government agencies around the world, taking them out in DDoS attacks or leaking stolen data.

Starting in May, the group targeted large organizations, demanding payments to stop the attacks. Attacks first targeted Scandinavian Airlines (SAS), with threat actors demanding $3,500 to stop DDoS attacks.

The group then targeted the websites of American companies, such as Tinder, Lyft and various hospitals across the United States.

In June, Anonymous Sudan turned to Microsoft, where they launched DDoS attacks on web-accessible portals for Outlook, Azure and OneDrive, demanding $1 million to stop the attacks.

“You failed to fend off the attack which has been going on for hours, so how about you pay us $1,000,000 and we teach your cyber security experts how to fend off the attack and we stop the attack from our side? 1 million USD, it’s peanuts for a company like you”, the group demanded.

Anonymous Sudan claims attack on Microsoft Azure

The group said the DDoS attacks on Outlook were carried out to protest against US involvement in Sudanese politics.

“This is an ongoing campaign against US/American businesses and infrastructure due to the US Secretary of State’s statement that there is a possibility of a US invasion of Sudan,” Anonymous Sudan said.

However, some cybersecurity researchers believe this is a false flag and that the group could instead be linked to Russia.

This connection may have become even more evident this week, with the group claiming to form a “DARKNET parliament” made up of other pro-Russian groups, such as KILLNET and “REvil”.

“72 hours ago, three leaders of hacker groups from Russia and Sudan held a regular meeting in the DARKNET parliament and reached a common decision,” the group warned of the impending attacks on European banking infrastructure.

“Today we start imposing sanctions on the European bank transfer systems SEPA, IBAN, WIRE, SWIFT, WISE.”

Although there is no indication that attacks on European banking systems have begun, the group has shown that it has significant resources, and financial institutions should be vigilant against potential disruption.
