
Microsoft has confirmed that recent service outages that affected Outlook, Azure, and OneDrive web portals were caused by Layer 7 DDoS attacks. The American tech giant experienced this DoS (denial-of-service) attack on June 5.

For those unaware, a DoS attack refers to a cyberattack that floods a server or network with traffic to make it unavailable to users. A report by Downdetector.com, which first spotted the interruption, indicated that Microsoft Word and Excel experienced a huge downtime problem.

Furthermore, the report revealed that nearly 15,000 users' services including email were affected. The impact of the cyberattack lasted for over two hours. The event occurred briefly again the next morning, according to a report by GizChina.

Microsoft divulges key details about the outages

Microsoft has admitted that the outage that affected some of the company's popular services earlier this month was caused by cyberattacks. Much to its relief, the Redmond, Washington-based technology corporation did not find any sign of user data being stolen.

In a new blog post, Microsoft confirmed that it is currently investigating and tracking the DDoS campaign, which was launched by threat actor Storm-1359. The attack comes just days after Microsoft 365 introduced pronouns on user profiles in a bid to promote greater gender inclusivity.

It is worth noting that the recent DoS attack on Microsoft 365 targeted Outlook email apps and the company's cloud platform.

Aside from confirming that its services were subject to cyberattacks, Microsoft declared that it is sparing no effort to investigate the issue. According to a Quartz report, a Russian-linked group called Anonymous Sudan was behind the cyber attack.

The impact

The report further suggests that 18,000 people were affected simultaneously during the peak of the June 5 attack. Anonymous Sudan says it managed to steal 30 million customers' data during the attack on Microsoft's services. However, there is no evidence that suggests customer data was accessed or compromised during these attacks.

Nevertheless, Anonymous Sudan demanded a $1 million (about £803,850) ransom from Microsoft. This is a third of what the group asked of SAS (Scandinavian Airlines), which is the flag carrier of Sweden, Norway, and Denmark, earlier this month.

The cyberattack disrupted Microsoft 365 services such as Outlook and its cloud platform. The DoS attack made the services unavailable to users by flooding the network with traffic. Apparently, the Russian-linked group targeted Microsoft 365 because it has millions of users.

To recap, network provider Dyn, code management site GitHub, and messaging platform Telegram have previously been subject to similar attacks. The attackers used VPNs (virtual private networks) and cloud infrastructure to bombard company servers with junk internet traffic, which blocked user access. These VPNs and cloud infrastructure were rented from botnets of zombie computers from around the world.

Anonymous Sudan's TTPs

Microsoft shed some light on the attackers' TTPs (tactics, techniques, and procedures) as well. According to the company, the attackers have "access to a collection of botnets and tools." The threat actor uses these botnets and tools to launch DDoS attacks from open proxy infrastructures and multiple cloud services.

Furthermore, Microsoft stated in its blog post that Storm-1359 "appears to be focused on disruption and publicity." The group has a reputation for using a slew of attack techniques including cache bypass, Slowloris, and HTTP(S) flood. These tactics are designed to overwhelm the targeted systems.
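Cache bypass and HTTP(S) flood leave different fingerprints in edge access logs: a cache-bypass client varies the query string so nearly every request misses the CDN cache and reaches the origin, while a plain flood shows up as raw request rate. The sketch below is an added example, not code from Microsoft or the original article; the record layout, thresholds and IP addresses (documentation ranges) are assumptions constructed for illustration, and Slowloris is not covered.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def make_sample():
    """Constructed records, not real traffic: (epoch_seconds, client, url, cache_status)."""
    rows = []
    # Normal client: repeats a couple of cacheable URLs, mostly served from cache.
    for i in range(20):
        rows.append((1000 + i * 3, "198.51.100.7", f"/mail/inbox?page={i % 2}",
                     "HIT" if i > 1 else "MISS"))
    # Cache-bypass pattern: same path, a fresh query string on every request.
    for i in range(60):
        rows.append((1000 + i, "203.0.113.9", f"/mail/inbox?r={i * 7919 % 100003}", "MISS"))
    # Plain flood: one cacheable URL requested at a very high rate.
    for i in range(600):
        rows.append((1000 + i // 10, "203.0.113.50", "/index.html", "HIT"))
    return rows

def classify(rows, window=60, flood_rps=5.0, min_requests=30,
             unique_ratio=0.9, miss_ratio=0.9):
    """Return {client: set(labels)} for the first `window` seconds of `rows`."""
    start = min(r[0] for r in rows)
    per_client = defaultdict(list)
    for ts, client, url, cache in rows:
        if ts - start < window:
            per_client[client].append((url, cache))
    findings = {}
    for client, reqs in per_client.items():
        labels = set()
        # Volume signal: sustained request rate from a single source.
        if len(reqs) / window >= flood_rps:
            labels.add("http_flood")
        # Cache-bypass signal: per path, compare distinct query strings and
        # cache misses to the number of requests.
        by_path = defaultdict(list)
        for url, cache in reqs:
            parts = urlsplit(url)
            by_path[parts.path].append((parts.query, cache))
        for hits in by_path.values():
            if len(hits) < min_requests:
                continue  # too few requests to judge
            uniq = len({q for q, _ in hits}) / len(hits)
            miss = sum(c == "MISS" for _, c in hits) / len(hits)
            if uniq >= unique_ratio and miss >= miss_ratio:
                labels.add("cache_bypass")
        if labels:
            findings[client] = labels
    return findings
```

In practice the attack traffic described above arrives from many proxies and cloud hosts at once, so the same ratios are usually aggregated per path or per network range rather than per single address.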

Why is Anonymous Sudan targeting American companies?

While Beijing accused the US of launching several cyberattacks on China last year, Anonymous Sudan has been targeting American companies for quite some time now. Apparently, the group misunderstood a statement by US Secretary of State Antony J. Blinken, who was in Saudi Arabia on June 1.

The attack came after Blinken indicated the US was considering steps after Sudan violated its commitments to a ceasefire, according to a Reuters report. Blinken said the "US was looking at steps that we can take to make clear our views on any leaders who are moving Sudan in the wrong direction."

The hackers misinterpreted this statement and thought the United States was preparing to invade Sudan. In retaliation, they threatened to "target critical infrastructure" of American countries. Responding to the crisis in Sudan, the US announced visa restrictions, updated its business advisory for the East African country, and levied economic sanctions.