June 19, 2023

Microsoft has confirmed that recent disruptions to its Azure, Outlook, and OneDrive web portals were the result of Layer 7 DDoS attacks carried out by the threat actor Storm-1359, who goes by the name Anonymous Sudan.

Layer 7 DDoS attacks focus on overwhelming the application layer by bombarding services with an overwhelming volume of requests, causing the services to become unresponsive. Anonymous Sudan, also known as Storm-1359, employs three specific types of Layer 7 DDoS attacks: HTTP(S) flood attacks, Cache bypass, and Slowloris. Each method aims to exhaust the web service’s available connections, rendering it unable to accept new requests.

The attacks began in early June 2023, and targeted Microsoft’s web-accessible portals for Outlook, Azure, and OneDrive. Anonymous Sudan demanded a payment of $1 million to cease the attacks.

Microsoft revealed that the attackers likely employed multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools to carry out the attacks. However, there is no evidence to suggest that customer data was compromised during these incidents.

The group claimed that their attacks on Outlook were in response to the United States’ involvement in Sudanese politics. However, some cybersecurity researchers suspect that this claim may be a false flag, suggesting a potential connection between the group and Russia.

The sources for this piece include an article in BleepingComputer.