Microsoft faced significant service disruptions in early June, impacting its flagship office suite, including Outlook and OneDrive, as well as its cloud computing platform. These disruptions were caused by distributed denial-of-service (DDoS) attacks orchestrated by a hacktivist group known as Anonymous Sudan. The group claimed responsibility for flooding the sites with excessive traffic. Microsoft initially withheld details about the cause but later confirmed the DDoS attacks and attributed them to Anonymous Sudan. The company did not provide specific information regarding the number of affected customers or the global extent of the impact. However, Microsoft said that no customer data was compromised or accessed during the attacks.
The attacks were primarily focused on causing disruption and gaining publicity. The attackers likely employed rented cloud infrastructure and virtual private networks to launch the DDoS attacks from botnets made up of compromised computers worldwide. Although DDoS attacks typically render websites unreachable without penetrating them, they can still disrupt the operations of large software service providers like Microsoft, which play a crucial role in global commerce.
Microsoft’s blog post, released in response to a request from The Associated Press, revealed limited information about the attacks. The post acknowledged that some services experienced temporary availability issues. However, without specific data on customer impact provided by Microsoft, it is difficult to assess the true magnitude of the disruptions. Security researchers, including former National Security Agency hacker Jake Williams, noted that while some resources were inaccessible to some users, this is a common occurrence with DDoS attacks targeting globally distributed systems. The lack of objective measurements of customer impact from Microsoft indicates the severity of the situation.
Microsoft referred to the attackers as Storm-1359, using a designation for groups whose affiliation is not yet determined. Identifying the perpetrators can be challenging and time-consuming in the realm of cybersecurity. Some analysts speculate that Anonymous Sudan is not actually based in Sudan, as they claim, but instead works closely with pro-Kremlin groups like Killnet. Killnet, which is affiliated with the Kremlin according to cybersecurity firm Mandiant, has been conducting DDoS attacks against government and allied websites in Ukraine. The incident involving Microsoft further highlights the ongoing risks posed by DDoS attacks, which remain a significant, unsolved problem.
The attack on Microsoft demonstrates the risk of relying on centralized systems, which can act as a single point of failure. To defend against such attacks, distributing services across multiple platforms, such as content distribution networks, is considered the best approach. Notably, the techniques used by the attackers were not new; some date back to 2009, according to security researcher Kevin Beaumont.
The disruptions caused by the attacks were significant, with thousands of outage and problem reports on the Downdetector tracker. Microsoft confirmed that Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business were affected. The attacks persisted throughout the week, with Microsoft confirming on June 9 that its Azure cloud computing platform was also impacted. Additionally, the cloud-based OneDrive file-hosting service experienced a global outage, although desktop clients remained unaffected.