Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359.
"These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools," the tech giant said in a post on Friday.
Storm-#### (previously DEV-####) is a temporary designation the Windows maker assigns to unknown, emerging, or developing groups whose identity or affiliation hasn't been definitively established yet.
While there is no evidence that any customer data was accessed or compromised, the company noted the attacks "temporarily impacted availability" of some services. Redmond said it further observed the threat actor launching layer 7 DDoS attacks from multiple cloud services and open proxy infrastructures.
This includes HTTP(S) flood attacks, which bombard the target services with a high volume of HTTP(S) requests; cache bypass, in which the attacker attempts to bypass the CDN layer and overload the origin servers; and a technique known as Slowloris.
"This attack is where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly)," the Microsoft Security Response Center (MSRC) said. "This forces the web server to keep the connection open and the requested resource in memory."
Microsoft 365 services such as Outlook, Teams, SharePoint Online, and OneDrive for Business went down at the start of the month, with the company subsequently stating it had detected an "anomaly with increased request rates."
"Traffic analysis showed an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive measures, and triggering the service unavailable response," it said.
Microsoft further characterized the "murky upstart" as focused on disruption and publicity. A hacktivist group known as Anonymous Sudan has claimed responsibility for the attacks. However, it's worth noting that the company has not explicitly linked Storm-1359 to Anonymous Sudan.
Who is Anonymous Sudan?
Anonymous Sudan has been making waves in the threat landscape with a series of DDoS attacks against Swedish, Dutch, Australian, and German organizations since the start of the year.
An analysis from Trustwave SpiderLabs in late March 2023 indicated that the adversary is likely an offshoot of the Pro-Russian threat actor group KillNet that first gained notoriety during the Russian-Ukraine conflict last year.
"It has publicly aligned itself with the Russian group KillNet, but for reasons only its operators know, prefers to use the story of defending Islam as the reason behind its attacks," Trustwave said.
KillNet has also attracted attention for its DDoS attacks on healthcare entities hosted in Microsoft Azure, which have surged from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
The Kremlin-affiliated collective, which first emerged in October 2021, has further established a "private military hacking company" named Black Skills in an attempt to lend its cyber mercenary activities a corporate sheen.
Anonymous Sudan's Russian connections have also become evident in the wake of its collaboration with KillNet and REvil to form a "DARKNET parliament" and orchestrate cyber attacks on European and U.S. financial institutions. "Task number one is to paralyze the work of SWIFT," a message posted on June 14, 2023, read.
"KillNet, despite its nationalistic agenda, has primarily been driven by financial motives, utilizing the eager support of the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services," Flashpoint said in a profile of the adversary last week.
"KillNet has also partnered with several botnet providers as well as the Deanon Club — a partner threat group with which KillNet created Infinity Forum — to target narcotics-focused darknet markets."
Storm-1359 Linked to Anonymous Sudan
Flashpoint, in a new update shared on June 20, 2023, tied Storm-1359 to Anonymous Sudan, although it said "numerous questions remain" about the purported hacktivist group.
"Since its inception, there has been speculation as to the origins, ideologies, and motivations of Anonymous Sudan; they have posted in English, Russian, and more recently Arabic, across their online channels," the company said.
"However, in spite of its name, it appears that the group has no actual connections to the country of Sudan (nor any connection to the previous Anonymous group operating in Sudan)."
