In early June, there were sporadic but serious service disruptions to Microsoft’s flagship office suite — including Outlook email and OneDrive file-sharing apps — and to its Azure cloud computing platform. A shady hacktivist group claimed responsibility, saying it had flooded the sites with junk traffic in distributed denial-of-service (DDoS) attacks.
Microsoft initially held back from naming the cause, but has now disclosed that DDoS attacks by the obscure upstart were actually responsible.
However, the software giant has provided few details, not immediately commenting on how many customers were affected or whether the impact was global. A spokeswoman confirmed that the group calling itself Anonymous Sudan was behind the attacks; the group had claimed responsibility at the time on its Telegram channel. Some security researchers suspect the group is Russian.
Microsoft’s statement in a blog post Friday night followed a request from The Associated Press two days earlier. The post succinctly states that the attacks “temporarily impacted the availability” of some services. It said the attackers focused on “disruption and public relations,” likely using rented cloud infrastructure and virtual private networks to flood Microsoft servers with traffic from so-called botnets of zombie computers around the world.
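The operational point in that description is the source spread: traffic from rented cloud hosts, VPN exits and botnet members means each individual address can stay below a per-client threshold while the total still overwhelms the service. The following is an added example, not Microsoft's code or anything from the blog post or the article, showing why a detector has to count in aggregate as well as per source IP. It assumes a simplified access-log line format, `<ISO-8601 UTC timestamp> <client ip> <method> <path> <status>`, and the traffic it analyses is constructed inline (documentation-reserved address ranges), not captured data.

```python
"""Sliding-window request-flood detector over constructed HTTP access logs.

Added example; not Microsoft's code or data. Assumes a simplified log
format: '<ISO-8601 UTC timestamp> <client ip> <method> <path> <status>'.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def parse_line(line):
    """Parse one access-log line (assumed format above) into (unix_ts, ip, path)."""
    ts_s, ip, _method, path, _status = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), ip, path


class FloodDetector:
    """Counts requests in a trailing window, per source IP and in aggregate.

    A per-IP threshold alone is exactly what a distributed flood (many rented
    hosts or VPN exits, each sending modestly) is built to slip under; the
    aggregate threshold is what catches it.
    """

    def __init__(self, window_s=10, per_ip_limit=50, aggregate_limit=500):
        self.window_s = window_s
        self.per_ip_limit = per_ip_limit
        self.aggregate_limit = aggregate_limit
        self.per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
        self.aggregate = deque()           # all timestamps still inside the window
        self.alerts = []                   # (kind, key, count) tuples

    def _trim(self, dq, now):
        # Drop timestamps that have aged out of the trailing window.
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def observe(self, ts, ip):
        """Record one request (timestamps are assumed non-decreasing)."""
        dq = self.per_ip[ip]
        dq.append(ts)
        self._trim(dq, ts)
        self.aggregate.append(ts)
        self._trim(self.aggregate, ts)
        # Fire once at the moment a threshold is crossed, not on every request after it.
        if len(dq) == self.per_ip_limit + 1:
            self.alerts.append(("per_ip", ip, len(dq)))
        if len(self.aggregate) == self.aggregate_limit + 1:
            self.alerts.append(("aggregate", "*", len(self.aggregate)))


def analyse(lines, **kwargs):
    """Run the detector over log lines in time order and return a summary dict."""
    det = FloodDetector(**kwargs)
    ips = set()
    for line in lines:
        ts, ip, _path = parse_line(line)
        ips.add(ip)
        det.observe(ts, ip)
    kinds = [kind for kind, _, _ in det.alerts]
    return {
        "requests": len(lines),
        "distinct_ips": len(ips),
        "per_ip_alerts": kinds.count("per_ip"),
        "aggregate_alerts": kinds.count("aggregate"),
    }


def constructed_traffic(distributed):
    """Constructed sample traffic (not captured data), 10 seconds long.

    distributed=True : 400 sources (TEST-NET-2/3 ranges) sending 2 req/s each.
    distributed=False: one source (TEST-NET-1) sending 800 req/s.
    Both carry the same total rate; only the spread of sources differs.
    """
    lines = []
    for sec in range(10):
        stamp = f"2023-06-05T15:00:{sec:02d}Z"
        if distributed:
            for n in range(400):
                ip = f"198.51.100.{n}" if n < 200 else f"203.0.113.{n - 200}"
                for _ in range(2):
                    lines.append(f"{stamp} {ip} GET /owa/ 200")
        else:
            for _ in range(800):
                lines.append(f"{stamp} 192.0.2.10 GET /owa/ 200")
    # One legitimate request from an office address, for contrast.
    lines.append("2023-06-05T15:00:09Z 192.0.2.20 GET /owa/ 200")
    return lines


if __name__ == "__main__":
    print("distributed :", analyse(constructed_traffic(True)))
    print("single host :", analyse(constructed_traffic(False)))
```

With the default thresholds the single-host flood trips both the per-IP and the aggregate alarm, while the distributed flood of identical volume trips only the aggregate one: every one of its 400 sources stays at 20 requests per window, well under the per-IP limit of 50. A defender who only rate-limits per client would see nothing until the service was already saturated, which is the behaviour the distributed sourcing described above is meant to produce.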
Microsoft said there was no evidence that customer data had been accessed or compromised.
While DDoS attacks are mostly a nuisance — rendering websites inaccessible without penetrating them — security experts say that if they successfully disrupt the services of a software giant like Microsoft, they can disrupt the work of millions of people, on which much of global commerce depends.
It’s not clear if that’s what happened here.
“We really have no way of measuring the impact if Microsoft doesn’t provide this information,” said Jake Williams, a prominent cybersecurity researcher and former National Security Agency offensive hacker. Williams said he wasn’t aware Outlook had been attacked on this scale before.
“We know that some resources were inaccessible to some but not to others. This often happens with DDoS from globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measurement of customer impact “probably shows the magnitude.”
Microsoft has dubbed the attackers Storm-1359, using the naming convention it applies to groups whose affiliation it has not yet determined. Cybersecurity attribution work typically takes time—and even then, it can be challenging when the adversary is experienced.
Pro-Russian hacker groups, including Killnet — which cybersecurity firm Mandiant says is linked to the Kremlin — have been bombarding government and other websites of Ukraine’s allies with DDoS attacks. In October, the websites of some US airports were hit. Analyst Alexander Leslie of cybersecurity firm Recorded Future said it was unlikely that Anonymous Sudan is actually based in Sudan, as it claims. The group works closely with Killnet and other pro-Kremlin groups to spread pro-Russian propaganda and disinformation, he said.
Edward Amoroso, NYU professor and CEO of TAG Cyber, said the Microsoft incident makes it clear that DDoS attacks “remain a significant risk that we all agree not to talk about. Calling this an unresolved issue is not controversial.”
He said Microsoft’s difficulty mitigating this particular attack points to “a single point of failure.” The best protection against these attacks is to massively distribute a service, for example via a content distribution network.
In fact, the techniques used by the attackers are not new, said British security researcher Kevin Beaumont. “One is from 2009,” he said.
Severe disruptions to the Microsoft 365 office suite were reported on Monday, June 5, peaking at 18,000 outage and problem reports on the tracker Downdetector just after 11 a.m. Eastern Time.
Microsoft announced on Twitter that day that Outlook, Microsoft Teams, SharePoint Online and OneDrive for Business were affected.
The attacks continued throughout the week, with Microsoft confirming on June 9 that its Azure cloud computing platform was affected.
On June 8, computer security news website BleepingComputer.com reported that cloud-based OneDrive file hosting had been down worldwide for a period of time.
Microsoft said at the time that desktop OneDrive clients were unaffected, BleepingComputer reported.