Microsoft faced significant service disruptions in early June, affecting their flagship office suite, including Outlook email and OneDrive file-sharing apps, as well as their cloud computing platform. A hacktivist group called Anonymous Sudan claimed responsibility for these disruptions, conducting distributed denial-of-service (DDoS) attacks by flooding the sites with junk traffic.
Initially, Microsoft was hesitant to reveal the cause but has now confirmed that the DDoS attacks from the aforementioned group were indeed responsible. However, the company has provided limited details and did not immediately comment on the number of affected customers or the global impact. Microsoft confirmed that Anonymous Sudan was behind the attacks, as claimed by the group on its Telegram social media channel. Some security researchers suspect the group to have ties to Russia.
Following a request by The Associated Press, Microsoft published an explanation in a blog post on Friday evening. However, the post lacked specific information, stating that the attacks temporarily affected the availability of some services. It also mentioned that the attackers aimed for disruption and publicity, likely utilizing rented cloud infrastructure and virtual private networks to bombard Microsoft servers using botnets comprised of infected computers worldwide.
Microsoft clarified that there was no evidence of customer data being accessed or compromised during the attacks. While DDoS attacks primarily cause inconvenience by rendering websites unreachable, experts emphasize that they can still disrupt the work of millions, especially if they successfully interrupt the services of major software service providers like Microsoft, which play a crucial role in global commerce.
The extent of the impact caused by the attacks on Microsoft's services remains unclear.
“We really have no way to measure the impact if Microsoft doesn’t provide that info,” said Jake Williams, a prominent cybersecurity researcher and a former National Security Agency offensive hacker. Williams said he was not aware of Outlook previously being attacked at this scale.
“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.”
Microsoft referred to the attackers as Storm-1359, a designation used for groups whose affiliation with the company is yet to be established. Determining the identity of adversaries in cybersecurity investigations can be a time-consuming challenge, particularly when they possess advanced skills.
Pro-Russian hacking groups, including Killnet, which cybersecurity firm Mandiant links to the Kremlin, have been conducting DDoS attacks on government and other websites affiliated with Ukraine's allies. In October, some U.S. airport sites were targeted. Analyst Alexander Leslie from Recorded Future, a cybersecurity firm, stated that it is unlikely for Anonymous Sudan to be located in Sudan, as they claim, and suggested that the group collaborates closely with Killnet and other pro-Kremlin groups to disseminate pro-Russian propaganda and disinformation.
Edward Amoroso, CEO of TAG Cyber and a professor at NYU, emphasized that the Microsoft incident highlights the ongoing and “a significant risk that we all just agree to avoid talking about. It’s not controversial to call this an unsolved problem". He suggested that the best defense against such attacks is to distribute services widely, such as by utilizing a content distribution network.
Security researcher Kevin Beaumont noted that the techniques employed by the attackers are not new, with one dating back to 2009.
On Monday, June 5, serious impacts from the Microsoft 365 office suite interruptions were reported, reaching a peak of 18,000 outage and problem reports on the Downdetector tracker shortly after 11 a.m. Eastern time.
Microsoft acknowledged the disruption of services, including Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business. The attacks persisted throughout the week, and Azure, Microsoft's cloud computing platform, was confirmed to have been affected on June 9. During this time, OneDrive's cloud-based file-hosting experienced a global outage, although the desktop clients remained unaffected.
