Microsoft has revealed that threat actor group Anonymous Sudan was behind a recent spate of outages that affected cloud services earlier this month.
In an advisory published at the weekend, the tech giant revealed that a series of outages were caused by highly effective distributed denial of service (DDoS) attacks.
Azure, Outlook, and OneDrive customers were left in the dark for hours due to the incidents, prompting a rapid investigation by Microsoft’s threat analysts.
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability,” Microsoft said in its advisory.
RELATED RESOURCE
“Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.”
Microsoft noted that, to date, it has seen no evidence that customer data has been accessed or compromised.
The investigation by Microsoft revealed that the attacks specifically targeted level 7 web traffic using a number of methods. These included cache bypass, slowloris, and HTTP(S) flood attacks.
The latter of these attacks, Microsoft explained, aims to exhaust system resources by leveraging a high volume of SSL/TLS ‘handshakes’ and HTTP(S) requests processing.
“In this case, the attacker sends a high load (in the millions) and HTTP(S) requests that are well distributed across the globe from different source IPs. This causes the application backend to run out of compute resources (CPU and memory),” Microsoft’s advisory read.
In response, Microsoft said it hardened layer 7 protections, including “tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks”.
Who is behind Anonymous Sudan?
Anonymous Sudan is one of the newcomers to the global threat landscape, having officially launched operations in January 2023, assembling on the Telegram messaging platform according to security firm CyberCX.
CyberCX said the use of the Anonymous Sudan name was an “apparent reference to a 2019 operation by Anonymous”.
The group, which describes itself as a ‘hacktivist’ organization has already gained notoriety through a series of major attacks.
In March, the group threatened to disrupt Melbourne Fashion Week shows, citing opposition to a clothing line that displayed the term ‘God walks with me’.
While this preceded a broader spate of attacks against Australian organizations, at the time the move against Melbourne Fashion Week suggested that the group may have had religious motivations.
The group is also behind an apparent attack on the European Investment Bank (EIB). Anonymous’ DDoS attack against EIB follows recent threats made against the bank.
EIB confirmed the attack in a statement via Twitter on 19 June, adding that the incident was affecting the availability of the EIB and EIF websites.
We are currently facing a cyber attack which affects the availability of https://t.co/P3qatt3Uz5 and https://t.co/bGl0aO1Gwl. We are responding to the incident.June 19, 2023
At present, there is no clear-cut information on the scale or severity of the attack. However, security researcher Kevin Beaumont commented on Twitter that it has “absolutely no financial impact whatsoever”.
For anybody wondering, it has absolutely no financial impact whatsoeverWhat Killnet and Anonymous Sudan tend to do is look at things like share price changes and market moves and link them to their actions incorrectlyEg they linked MSFT share price moves to DDoS. No real linkJune 19, 2023
“What Killnet and Anonymous Sudan tend to do is look at things like share price changes and market moves and link them to their actions incorrectly,” he said. “Eg they linked MSFT share price moves to DDoS. No real link.”
RELATED RESOURCE
Walking the line: GitOps and Shift Left security
Scalable, developer-centric supply chain security solutions
However, analysis by CyberCX suggests that the group is unlikely to be a legitimate hacktivist group. Similarly, the firm said that the group is unlikely to be geographically linked to Sudan itself.
“Anonymous Sudan has no known overlap with the original membership of the 2019 Sudan operation, which was anti-Russia and pro-Ukraine, and has been denounced by a prominent Anonymous account,” the firm said.
CyberCX said that, based on current assessments of the group’s operations, Anonymous Sudan is likely affiliated with the Russian state.
The group is publicly aligned with pro-Russian threat actors, and is known to be a member of the pro-Russian Killnet hacker collective.
Observations of the group’s tradecraft also align with Russian-style tactics, CyberCX added, including the targeting of Western organizations in the government, healthcare, transport, and media sectors.
“CyberCX assesses that there is a real chance that Anonymous Sudan is affiliated with the Russian state,” the firm said. “Persistent low-level disruption of Western countries is consistent with established Russian information warfare strategies.”
“Anonymous Sudan also primarily posts in English and Russian, with its first Arabic post more than a month after its creation.”
Anonymous Sudan has been highly aggressive since emerging earlier this year, and CyberCX said it expects the group to continue ramping up operations in the months ahead.
“Anonymous Sudan is likely to continue to increase its tempo of operations over the next three months,” the firm said. “Anonymous Sudan now has more than 60,000 followers on its Telegram channel and reactions to its post have dramatically increased through May.”
“The group’s apparent access to significant resources and its dubious ideological associations means that it poses an atypical threat.”
-
Microsoft: get used to working with AI-powered "digital colleagues"News Tech giant's report suggests we should get ready to work with AI, revealing future trends for the workplace
-
HPE boosts Aruba, GreenLake securityNews Tech giant hopes to help enterprises battle against rise of "sophisticated" cloud threats
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reportedNews Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
