Microsoft has confirmed that the outages affecting Azure and Microsoft 365 over recent weeks were caused by a series of Layer 7 Distributed Denial-of-Service (DDoS) attacks carried out by a group it tracks as Storm-1359, a pro-Russian hacktivist operation.
The attacks began in early June and relied on botnets, multiple cloud services, open proxies, and off-the-shelf DDoS tools. Microsoft said Storm-1359 appears focused on disruption and publicity rather than data theft. The outages were initially described as technical issues; Microsoft only later determined that DDoS traffic was the cause.
The group itself, which operates as Anonymous Sudan, claimed responsibility on its Telegram channel. It emerged in January 2023 and has previously targeted organizations in Sweden, the Netherlands, Australia, and Germany in what it framed as retaliation for anti-Muslim activity.
Security firms Truesec and Trustwave have both pointed to a Russian connection, with Trustwave assessing that Anonymous Sudan may be a subgroup of the pro-Russian threat actor Killnet. Microsoft applies the "Storm" designation to newly discovered or still-developing clusters of threat activity that it has not yet attributed to a named actor.
Microsoft stated that the attacks used three kinds of Layer 7 (application-layer) traffic: HTTP(S) floods that exhaust server resources with large volumes of TLS handshakes and requests; cache-bypass floods that vary request URLs so they miss the CDN cache and land on origin servers directly; and Slowloris-style connections in which the client requests a resource but never finishes receiving it, forcing the server to keep the connection open and its buffers in memory.
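The three traffic patterns above each leave a distinct footprint in ordinary web-server logs, and the following Python script shows how a defender might flag them in a batch of access-log lines. This is an added example, not code from Microsoft or from the original article; the simplified log format, the thresholds, the IP addresses and the paths are all constructed for illustration.

```python
"""Flag the three Layer 7 DDoS patterns in a batch of web-server log lines.

Constructed example: the log format and every IP/path below are invented for
illustration and are not taken from Microsoft's incident write-up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed (constructed) log format:
#   <client_ip> <unix_time> "<METHOD> <path[?query]>" <status> <duration_ms>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) (?P<dur>\d+)$'
)

# Illustrative thresholds; tune against your own baseline traffic.
FLOOD_RPS = 50            # requests/second from one client within the window
FLOOD_WINDOW_S = 10
CACHE_BYPASS_MIN = 20     # requests to one cacheable path needed to judge
CACHE_BYPASS_UNIQ = 0.9   # share of those requests carrying a unique query string
SLOW_MS = 30_000          # a request held open this long counts as "slow"
SLOW_MIN = 10             # ... and this many from one client is suspicious
CACHEABLE_EXT = (".js", ".css", ".png", ".jpg", ".woff2")


@dataclass(frozen=True)
class Entry:
    ip: str
    ts: int
    path: str
    query: str
    status: int
    duration_ms: int


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    path, _, query = m.group("target").partition("?")
    return Entry(m.group("ip"), int(m.group("ts")), path, query,
                 int(m.group("status")), int(m.group("dur")))


def detect(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Return {client_ip: {labels}} for clients matching any pattern."""
    by_ip: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_ip[e.ip].append(e)
    verdicts: Dict[str, Set[str]] = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        # 1. HTTP(S) flood: sliding window over timestamps, check the peak rate.
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts >= FLOOD_WINDOW_S:
                lo += 1
            if (hi - lo + 1) / FLOOD_WINDOW_S >= FLOOD_RPS:
                verdicts[ip].add("http_flood")
                break
        # 2. Cache bypass: a static asset fetched with an ever-changing query
        #    string so every request misses the CDN cache and hits the origin.
        per_path: Dict[str, List[str]] = defaultdict(list)
        for e in evs:
            if e.path.endswith(CACHEABLE_EXT):
                per_path[e.path].append(e.query)
        for queries in per_path.values():
            if (len(queries) >= CACHE_BYPASS_MIN
                    and len(set(queries)) / len(queries) >= CACHE_BYPASS_UNIQ):
                verdicts[ip].add("cache_bypass")
                break
        # 3. Slowloris-style: many connections each held open until the server
        #    times the client out (here logged with a long duration and 408).
        slow = sum(1 for e in evs if e.duration_ms >= SLOW_MS)
        if slow >= SLOW_MIN:
            verdicts[ip].add("slowloris")
    return dict(verdicts)


def constructed_log() -> List[str]:
    """Constructed sample: one benign client and one client per attack type."""
    lines = []
    for i, tgt in enumerate(["/index.html", "/app.js?v=3", "/site.css?v=3", "/logo.png"]):
        lines.append(f'198.51.100.7 {1686000000 + i} "GET {tgt}" 200 {40 + i}')
    for i in range(600):  # 600 requests in 10 s
        lines.append(f'203.0.113.5 {1686000000 + i // 60} "GET /" 200 12')
    for i in range(40):   # same asset, fresh cache-busting query each time
        lines.append(f'203.0.113.9 {1686000100 + i} "GET /app.js?cb={i:08x}" 200 180')
    for i in range(12):   # connections held to the 30 s timeout, logged as 408
        lines.append(f'203.0.113.13 {1686000200 + i} "GET /index.html" 408 30000')
    return lines


def run(lines: Optional[List[str]] = None) -> Dict[str, Set[str]]:
    return detect([parse_line(l) for l in (lines or constructed_log())])


if __name__ == "__main__":
    for ip, labels in sorted(run().items()):
        print(ip, ", ".join(sorted(labels)))
```

The benign client generates no verdict; each attacking client is flagged for exactly one pattern. In production the same logic would run over a streaming window rather than a batch, and the slow-connection check is better sourced from connection-level telemetry (open sockets per client) than from access logs, which only record a Slowloris connection once the server has already given up on it.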
In response, Microsoft hardened its Layer 7 protections, including tuning Azure Web Application Firewall (WAF), and advised Azure WAF customers to block or redirect traffic from outside the geographic regions they serve and to use custom WAF rules to block or rate-limit requests with known attack signatures. Geo-blocking alone is a blunt instrument against an actor that, by Microsoft's own account, routed traffic through open proxies and rented cloud capacity in multiple regions, so it should complement rate limiting and bot protection rather than replace them. Microsoft said it found no evidence that customer data was accessed or compromised, but it did not disclose how many customers were affected, the extent of the impact, or whether the disruptions were global.