Written by staff writer.
Microsoft has confirmed that the hacktivist group Anonymous Sudan were behind a distributed denial of service (DDoS) attack on its Outlook, OneDrive, and cloud platforms earlier this month.
Cybersecurity analysts initially believed Anonymous Sudan to be a cohort of religiously motivated hackers from Sudan who have been conducting DDoS attacks since January in response to a far-right activist burning a copy of the Quran. They first focused on targeting entities in Nordic countries, home to the erstwhile book burner.
US-based Microsoft, who refer to the group as Storm-1359, began seeing surges in traffic against some services that temporarily impacted availability in early June. Microsoft says they observed the hackers launching HTTP(s) flood attacks that sought to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(s) requests processing; cache bypass attacks that bypass the CDN layer and can result in overloading the origin servers; and slowloris attacks which occur when the client opens a connection to a web server, requests a resource, and then fails to acknowledge the download or accepts it slowly.
“Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity,” reads a blog post by the global software giant. Microsoft has also issued a series of mitigation recommendations.
On the Telegram messaging service, Storm-1359/Anonymous Sudan told Microsoft that it can shut down its services whenever it wants
While Anonymous Sudan is in the DDoS rather than ransomware business, the group made global headlines earlier this year when it took the SAS Scandinavian Airlines website offline. They have also targeted logistics giant UPS and ride-sharing platform Lyft. The pro-Russian hacker group and DDoS specialist Killnet counts Anonymous Sudan as a member of its hacker collective that target countries and companies that oppose Russia. There is some strong circumstantial evidence that Anonymous Sudan is a Russian false flag operation. Cybersecurity firm Mandiant has also stated that they believe the group is Kremlin-affiliated.
Sergey Shykevich, Group Manager at Check Point Research, says Anonymous Sudan DDoS attacks occur weekly. “They aim high and can take down websites of governments, banks, large enterprises, airports, and telcos,” he said. “This specific group is notorious for using very strong DDoS tools, as they are highly connected to Russian hacking groups who are currently leveraging such tools in their own attacks. What these hackers do is analyse the bandwidth, capacity, of the websites they target by sending a certain amount of requests at the same time, and they ramp up until the point they see it collapses.”
Shykevich says DDoS attacks can be prevented if entities are prepared to put the time and resources into the necessary risk management process. But he says many entities prefer to be offline anywhere for what is usually a relatively short time rather than make the investments required to prevent the attack in the first place.
Microsoft says its recommended tools and mitigations are highly effective at minimizing DDoS attacks. It says it is constantly hardening its processes and that each cyber-attack is a learning experience.
