Microsoft has confirmed that the recent outages of its Azure and Outlook services were caused by DDoS attacks, which the company attributes to the threat actor it tracks as Storm-1359.
The name follows the tech giant’s new threat-actor naming taxonomy, in which the Storm prefix is a temporary designation for a newly identified or emerging group whose attribution is still being developed.
Otherwise known as Anonymous Sudan, the group is said to be a politically motivated Sudanese gang of self-proclaimed “hacktivists” that has already had run-ins with France, Denmark, and Sweden this year.
Sudanese threat actor behind Microsoft DDoS attacks
Microsoft says that Storm-1359 launched several types of layer 7 DDoS attacks. One was an HTTP(S) flood, in which a high volume of SSL/TLS handshakes and HTTP(S) requests, spread across many sources, exhausts the backend’s compute resources (CPU and memory); in this instance the requests are believed to have numbered in the millions and to have been sent simultaneously.
The group also used cache bypass, sending requests for generated URLs that force the frontend (CDN) layer to forward every request to the origin rather than serving cached content, overloading the origin servers; and slowloris, in which the client opens a connection, requests a resource and then fails to acknowledge the download (or accepts it very slowly), forcing the web server to keep the connection open and the resource in memory.
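As an added illustration of how these three layer 7 patterns show up in telemetry (example code written for this page, not Microsoft’s own tooling or detection logic), the following Python script runs simple heuristics over web-server access logs: a one-second window with a very high request count from many distinct sources for the flood, a path whose requests almost all carry unique query strings and miss the cache for cache bypass, and connections held open far longer than a request should take for slowloris. The log format, field names, thresholds and the sample traffic are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit


@dataclass
class Entry:
    ts: datetime      # log granularity assumed to be one second
    ip: str
    path: str
    query: str
    status: int
    cache: str        # "HIT", "MISS" or "-" for non-cacheable responses
    duration: float   # seconds the server held the connection


def parse_line(line: str) -> Entry:
    """Parse one line of the hypothetical format (an assumption for this example):
    '<ISO-8601 ts> <client ip> <method> <url> <status> <cache> <duration_s>'."""
    ts, ip, _method, url, status, cache, duration = line.split()
    url_parts = urlsplit(url)
    return Entry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip,
                 url_parts.path, url_parts.query, int(status), cache, float(duration))


def detect_http_flood(entries, rps_threshold=400, min_sources=100):
    """HTTP(S) flood: a one-second window with both a very high request count
    and many distinct source addresses (volume that is also widely distributed)."""
    per_second = defaultdict(list)
    for e in entries:
        per_second[e.ts].append(e.ip)
    return [(ts, len(ips), len(set(ips))) for ts, ips in sorted(per_second.items())
            if len(ips) >= rps_threshold and len(set(ips)) >= min_sources]


def detect_cache_bypass(entries, min_requests=100, unique_ratio=0.9, miss_ratio=0.9):
    """Cache bypass: one path receiving many requests, almost every one with a
    distinct (generated) query string, and almost all served from origin (MISS)."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e.path].append(e)
    flagged = []
    for path, es in by_path.items():
        if len(es) < min_requests:
            continue
        uniq = len({e.query for e in es}) / len(es)
        miss = sum(e.cache == "MISS" for e in es) / len(es)
        if uniq >= unique_ratio and miss >= miss_ratio:
            flagged.append((path, len(es), round(uniq, 2), round(miss, 2)))
    return flagged


def detect_slowloris(entries, hold_seconds=30.0, min_connections=20):
    """Slowloris: connections held open far longer than a request should take
    (the client never finishes, or barely reads, the download). Returns the total
    count of such connections and the per-source breakdown once over threshold."""
    slow = Counter(e.ip for e in entries if e.duration >= hold_seconds)
    total = sum(slow.values())
    return (total, slow) if total >= min_connections else (0, Counter())


def build_sample_log() -> str:
    """Constructed traffic (not real data): a benign baseline, a one-second burst
    of 500 requests from 200 addresses, 300 requests to one path with unique
    query strings that all miss the cache, and 25 connections held for 120 s."""
    base = datetime(2023, 6, 5, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i)} 203.0.113.{i} GET /index.html 200 HIT 0.02" for i in range(20)]
    lines += [f"{stamp(30)} 198.51.100.{i % 200} GET /login 200 - 0.05" for i in range(500)]
    lines += [f"{stamp(40 + i // 50)} 192.0.2.{i % 50} GET /api/report?cb={i} 200 MISS 0.20"
              for i in range(300)]
    lines += [f"{stamp(60 + i)} 203.0.113.{100 + i % 5} GET /images/big.png 408 - 120.0"
              for i in range(25)]
    return "\n".join(lines)


def analyze(log_text: str) -> dict:
    """Run all three detectors over a log and return the findings."""
    entries = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    total_slow, slow_sources = detect_slowloris(entries)
    return {"http_flood": detect_http_flood(entries),
            "cache_bypass": detect_cache_bypass(entries),
            "slowloris": {"total": total_slow, "sources": dict(slow_sources)}}


if __name__ == "__main__":
    for name, finding in analyze(build_sample_log()).items():
        print(name, finding)
```

The thresholds are placeholders that would be tuned against the service’s own baseline. The slowloris check is also better fed from connection-level data or the frontend’s timeout events than from completed-request logs, since a connection that never finishes may never produce a log line at all.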
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” said Microsoft in the announcement.
Ultimately, while services were disrupted over several days in early June, Microsoft says that it has “seen no evidence that customer data has been accessed or compromised.”
The company has also published a handful of steps that customers can take to reduce their exposure to layer 7 DDoS attacks in the future, outlined on its website; they centre on fronting applications with a web application firewall and using its bot protection, rate limiting and custom rules to block or geo-filter known malicious sources.