Microsoft says it was a victim of a cyberattack earlier this month which affected its Office 365 productivity suite, including apps such as Teams and Outlook. The tech giant says it believes no customer data was compromised in what was a distributed denial of service (DDoS) attack carried out by a cybercriminal gang known as Storm-1359, or Anonymous Sudan.
Office 365 services went down for several hours on 4 June, and suffered a second outage the following day. MSFT had previously declined to release details of what caused the problem, with a company spokesperson simply saying on 5 June: “We have resolved an issue preventing users from accessing some of our services.”
However, in a blog posted late on Friday, Microsoft confirmed a DDoS cyberattack had taken place.
Microsoft confirms DDoS cyberattack on Office 365
The Microsoft blog says the company “identified surges in traffic against some services that temporarily impacted availability”. It then “opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359”.
It says the attacks targeted Layer 7, the application layer, of its cloud services such as Office 365. “Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall to better protect customers from the impact of similar DDoS attacks,” the blog says.
“While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.”
Security researchers on Twitter pointed out that Microsoft has been quite reluctant to publicise details of the attack, not even naming the services affected.
“Whatever process happens for M365 and Azure incidents at MS needs.. uh.. review. I suspect that’s a Capita style mistake where now customers and media will be digging all over it, as the transparency was not (and is not) good enough.” — Kevin Beaumont (@GossiTheDog), June 17, 2023
The blog contains actions customers should take to ensure their networks are fully protected from the impact of DDoS attacks, even though this attack impacted Microsoft’s own infrastructure.
Anonymous Sudan and DDoS attacks
DDoS attacks are a low-skill and relatively benign form of cyberattack in which servers are flooded with requests, usually via a botnet, in an attempt to make them crash. Malware cannot be injected into a network via a DDoS attack alone, though such attacks have been known to be a precursor to more advanced cyberattacks.
These types of attacks have seen a surge in popularity over the last 18 months, particularly since the war in Ukraine began and hacktivist activity has ramped up.
Anonymous Sudan, or Storm-1359, is thought to be an offshoot of the original Anonymous hacktivist collective which shot to prominence a decade ago.
Last week, Tech Monitor reported on a threat by the group to take down the European financial system. Joining forces with two other hacking gangs, Russia-based Killnet and REvil, Anonymous Sudan said it planned to hit back at Europe for its role in helping Ukraine in the war with Russia. It said it would target the financial sector and the SWIFT messaging system which international banks use to communicate, as well as going after the US Federal Reserve.
The threat was made in a video posted on Thursday, with attacks supposed to commence within 48 hours. As yet, no breaches have been reported.