Microsoft reveals the hacker group behind recent cloud outages
Microsoft has revealed that Anonymous Sudan was the culprit behind its recent cloud service outages.
The tech giant disclosed that the outages were caused by highly effective Distributed Denial of Service (DDoS) attacks. Azure, Outlook, and OneDrive customers experienced significant disruptions, prompting an immediate investigation by Microsoft's threat analysts.
In early June 2023, Microsoft detected surges in traffic against specific services. The company promptly investigated and monitored the ongoing DDoS activity, which it attributes to the threat actor it tracks as Storm-1359.
Microsoft confirmed that there is no evidence of customer data being accessed or compromised during the incidents.
The investigation revealed that the attacks targeted layer 7 (application-layer) web traffic and employed several methods: cache bypass (requests crafted to miss the CDN cache so that every one reaches the origin), slowloris (opening many connections and holding them open by sending partial requests very slowly), and HTTP(S) floods. The HTTP(S) floods aimed to exhaust system resources by generating large volumes of SSL/TLS handshakes and HTTP(S) requests, draining the application backend's compute resources.
In response, Microsoft has reinforced layer 7 protections, including enhancing the Azure Web Application Firewall (WAF) to better defend against similar DDoS attacks.
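The attack patterns described above leave different fingerprints in web-server access logs. The following is an added example, not code from the original article or from Microsoft: a small detector, run over constructed log lines in Nginx "combined" format, that flags a source for an HTTP flood (request rate in a sliding window) and for cache bypass (nearly every request carries a fresh query string so no response can be served from cache). The log lines, IP addresses (RFC 5737 documentation ranges), and thresholds are all illustrative assumptions.

```python
"""Heuristic detection of layer-7 DDoS patterns in web access logs.

Added example. The log lines below are constructed (Nginx combined format,
RFC 5737 documentation addresses) and every threshold is an assumption,
not a value taken from Microsoft's or anyone else's guidance.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Nginx "combined" log format: ip - - [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(event["target"])
    event["path"], event["query"] = parts.path, parts.query
    return event


def detect(lines, window=timedelta(seconds=10), rate_threshold=50,
           unique_query_ratio=0.8, min_requests=20):
    """Return (flooders, cache_busters): sets of source IPs.

    flooders      - more than rate_threshold requests inside any `window`.
    cache_busters - at least min_requests requests, of which a fraction
                    >= unique_query_ratio used a distinct path+query, i.e.
                    the client is defeating the cache rather than browsing.
    """
    by_ip = defaultdict(list)
    for event in (parse_line(l) for l in lines):
        if event:
            by_ip[event["ip"]].append(event)

    flooders, cache_busters = set(), set()
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])

        # Sliding window over timestamps: count requests within `window`.
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 > rate_threshold:
                flooders.add(ip)
                break

        # Cache bypass: a modest rate can still be damaging if every request
        # is unique, because each one is forwarded to the origin.
        if len(events) >= min_requests:
            distinct = {(e["path"], e["query"]) for e in events}
            has_query = any(e["query"] for e in events)
            if has_query and len(distinct) / len(events) >= unique_query_ratio:
                cache_busters.add(ip)
    return flooders, cache_busters


def make_line(ip, ts, target, status=200, ua="Mozilla/5.0"):
    """Render one constructed combined-format log line (UTC timestamps)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {target} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """Constructed log: one normal client, one HTTP flooder, one cache-buster."""
    base = datetime(2023, 6, 5, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Legitimate browsing: 10 requests spread over a minute to cacheable pages.
    for i in range(10):
        lines.append(make_line("203.0.113.10", base + timedelta(seconds=6 * i),
                               f"/docs/page{i % 3}.html"))
    # HTTP flood: 120 requests for the front page within five seconds.
    for i in range(120):
        lines.append(make_line("198.51.100.7", base + timedelta(milliseconds=40 * i), "/"))
    # Cache bypass: only one request every two seconds, but each carries a
    # fresh cache-busting parameter so the CDN can never serve it from cache.
    for i in range(30):
        lines.append(make_line("192.0.2.33", base + timedelta(seconds=2 * i),
                               f"/search?q=term&cb={i:08x}"))
    return lines


if __name__ == "__main__":
    flooders, cache_busters = detect(sample_log())
    print("HTTP flood sources:", sorted(flooders))
    print("Cache-bypass sources:", sorted(cache_busters))
```

Slowloris is deliberately absent from this detector: a slow-read or slow-header client produces few or no completed requests, so it does not show up in access logs at all. It has to be caught at the connection layer, for example by counting long-lived connections per source that have not completed a request, or by enforcing header and body timeouts in the reverse proxy.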
Anonymous Sudan, the hacker group responsible for these outages, emerged as a newcomer in the global threat landscape in January 2023. According to the security firm CyberCX, the group organises itself on the Telegram messaging platform. Its name is likely a reference to a 2019 operation by the hacktivist collective Anonymous.
Describing itself as a hacktivist organization, Anonymous Sudan has gained notoriety through a series of major attacks. In a previous incident, the group threatened to disrupt Melbourne Fashion Week shows in opposition to a clothing line featuring the phrase "God walks with me." Although this preceded a broader wave of attacks against Australian organizations, it hinted at potential religious motivations.
Anonymous Sudan is also suspected of launching an attack on the European Investment Bank (EIB) following recent threats made against the bank.
CyberCX has analyzed the group and suggests that Anonymous Sudan is unlikely to be a legitimate hacktivist group. Geographically, the group is not believed to be tied to Sudan or associated with the 2019 Sudan operation, which was anti-Russia and pro-Ukraine. Instead, CyberCX assesses that Anonymous Sudan is likely affiliated with the Russian state.
The group aligns itself with pro-Russian threat actors and is a member of the pro-Russian hacker collective Killnet. Their tactics mirror Russian-style strategies, targeting Western organizations in government, healthcare, transport, and media sectors. CyberCX believes the group's actions align with established Russian information warfare strategies.
With its increasing aggression since its emergence earlier this year, Anonymous Sudan is expected to escalate its operations in the coming months. Having amassed over 60,000 followers on its Telegram channel and witnessing a growing reaction to its posts, the group's access to significant resources and questionable ideological associations poses a distinct threat.