BOSTON (AP) — Microsoft faced significant service disruptions in its flagship office suite, including Outlook email and OneDrive file-sharing apps, as well as its cloud computing platform in early June. These disruptions were caused by a series of distributed denial-of-service (DDoS) attacks orchestrated by an anonymous hacktivist group.
Initially, Microsoft was reluctant to disclose the cause, but the company has now revealed that the DDoS attacks were indeed responsible. However, Microsoft has provided limited information, refraining from commenting on the extent of the impact on customers or whether it was a global issue. A spokesperson confirmed that the group behind the attacks, known as Anonymous Sudan, claimed responsibility through their Telegram social media channel. While some security researchers suspect the group to be of Russian origin, Microsoft did not explicitly state their affiliation.
Responding to a request made by The Associated Press, Microsoft posted an explanation on its blog on Friday evening. However, the blog post was short on specifics, acknowledging that the attacks had temporarily affected the availability of certain services. The post further mentioned that the attackers were primarily motivated by causing disruption and gaining publicity. It is believed that they utilized rented cloud infrastructure and virtual private networks, leveraging botnets consisting of compromised computers worldwide to bombard Microsoft servers.
Microsoft said there is no evidence that customer data was accessed or compromised during the DDoS attacks. Although DDoS attacks aim to make services unreachable rather than to breach them, security experts stress that such attacks can still cause significant disruption, especially when the target is a software service giant like Microsoft, which plays a crucial role in global commerce.
As for this particular incident, it remains uncertain whether the DDoS attacks were successful in causing substantial disruptions to Microsoft’s services.
Jake Williams, a prominent cybersecurity researcher and former National Security Agency offensive hacker, commented on the lack of information from Microsoft about the impact of the DDoS attacks. Without specific details from Microsoft, it is difficult to gauge the true extent of the disruption. Williams noted that some resources being inaccessible to certain users is a common occurrence in DDoS attacks on globally distributed systems. He suggested that Microsoft’s reluctance to provide an objective measure of customer impact likely indicates the magnitude of the situation.
Microsoft referred to the attackers as Storm-1359, a designation used for groups whose affiliation is yet to be determined. Identifying the culprits in cybersecurity investigations can be time-consuming and challenging, especially when dealing with skilled adversaries.
Pro-Russian hacking groups such as Killnet, which cybersecurity firm Mandiant associates with the Kremlin, have launched DDoS attacks on government websites in Ukraine and in allied countries. Cybersecurity analyst Alexander Leslie of Recorded Future doubts Anonymous Sudan’s claim to be located in Sudan, an African country. He stated that the group collaborates closely with Killnet and other pro-Kremlin groups to spread pro-Russian propaganda and disinformation.
Edward Amoroso, NYU professor and CEO of TAG Cyber, emphasized that the Microsoft incident highlights the ongoing and significant risk posed by DDoS attacks, which is often downplayed or avoided in discussions. Amoroso referred to DDoS attacks as an “unsolved problem” within the cybersecurity landscape.
According to experts, Microsoft’s difficulties in defending against this particular DDoS attack indicate a potential “single point of failure” within their infrastructure. To mitigate such attacks, the best approach is to distribute services widely across a content distribution network (CDN) or similar systems.
The techniques employed by the attackers are not new, with some dating as far back as 2009, as noted by security researcher Kevin Beaumont from the U.K.
The impact of the Microsoft 365 office suite interruptions was significant: user reports of outages and problems on the Downdetector tracker peaked at 18,000 on Monday, June 5, around 11 a.m. Eastern time.
Microsoft acknowledged the impact on Twitter that day, stating that Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business were affected by the disruptions.
The attacks persisted throughout the week, and on June 9, Microsoft confirmed that its Azure cloud computing platform had also been impacted.
On June 8, the computer security news site BleepingComputer.com reported that cloud-based OneDrive file hosting suffered a global outage for a period of time.
Microsoft clarified that desktop OneDrive clients were not affected during this incident, as reported by BleepingComputer.