Microsoft has revealed that threat actor group Anonymous Sudan was behind a recent spate of outages that affected cloud services earlier this month.
In an advisory published at the weekend, the tech giant revealed that a series of outages were caused by highly effective distributed denial of service (DDoS) attacks.
Azure, Outlook, and OneDrive customers were left in the dark for hours due to the incidents, prompting a rapid investigation by Microsoft’s threat analysts.
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability,” Microsoft said in its advisory.
The right workload in the right cloud
A guide to multi-cloud management
“Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.”
Microsoft noted that, to date, it has seen no evidence that customer data has been accessed or compromised.
The investigation by Microsoft revealed that the attacks specifically targeted level 7 web traffic using a number of methods. These included cache bypass, slowloris, and HTTP(S) flood attacks.
The latter of these attacks, Microsoft explained, aims to exhaust system resources by leveraging a high volume of SSL/TLS ‘handshakes’ and HTTP(S) requests processing.
“In this case, the attacker sends a high load (in the millions) and HTTP(S) requests that are well distributed across the globe from different source IPs. This causes the application backend to run out of compute resources (CPU and memory),” Microsoft’s advisory read.
In response, Microsoft said it hardened layer 7 protections, including “tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks”.
Who is behind Anonymous Sudan?
Anonymous Sudan is one of the newcomers to the global threat landscape, having officially launched operations in January 2023, assembling on the Telegram messaging platform according to security firm CyberCX.
CyberCX said the use of the Anonymous Sudan name was an “apparent reference to a 2019 operation by Anonymous”.
The group, which describes itself as a ‘hacktivist’ organization has already gained notoriety through a series of major attacks.
In March, the group threatened to disrupt Melbourne Fashion Week shows, citing opposition to a clothing line that displayed the term ‘God walks with me’.
While this preceded a broader spate of attacks against Australian organizations, at the time the move against Melbourne Fashion Week suggested that the group may have had religious motivations.
The group is also behind an apparent attack on the European Investment Bank (EIB). Anonymous’ DDoS attack against EIB follows recent threats made against the bank.
EIB confirmed the attack in a statement via Twitter on 19 June, adding that the incident was affecting the availability of the EIB and EIF websites.
We are currently facing a cyber attack which affects the availability of https://t.co/P3qatt3Uz5 and https://t.co/bGl0aO1Gwl. We are responding to the incident.June 19, 2023
At present, there is no clear-cut information on the scale or severity of the attack. However, security researcher Kevin Beaumont commented on Twitter that it has “absolutely no financial impact whatsoever”.
For anybody wondering, it has absolutely no financial impact whatsoeverWhat Killnet and Anonymous Sudan tend to do is look at things like share price changes and market moves and link them to their actions incorrectlyEg they linked MSFT share price moves to DDoS. No real linkJune 19, 2023
“What Killnet and Anonymous Sudan tend to do is look at things like share price changes and market moves and link them to their actions incorrectly,” he said. “Eg they linked MSFT share price moves to DDoS. No real link.”
Walking the line: GitOps and Shift Left security
Scalable, developer-centric supply chain security solutions
However, analysis by CyberCX suggests that the group is unlikely to be a legitimate hacktivist group. Similarly, the firm said that the group is unlikely to be geographically linked to Sudan itself.
“Anonymous Sudan has no known overlap with the original membership of the 2019 Sudan operation, which was anti-Russia and pro-Ukraine, and has been denounced by a prominent Anonymous account,” the firm said.
CyberCX said that, based on current assessments of the group’s operations, Anonymous Sudan is likely affiliated with the Russian state.
The group is publicly aligned with pro-Russian threat actors, and is known to be a member of the pro-Russian Killnet hacker collective.
Observations of the group’s tradecraft also align with Russian-style tactics, CyberCX added, including the targeting of Western organizations in the government, healthcare, transport, and media sectors.
“CyberCX assesses that there is a real chance that Anonymous Sudan is affiliated with the Russian state,” the firm said. “Persistent low-level disruption of Western countries is consistent with established Russian information warfare strategies.”
“Anonymous Sudan also primarily posts in English and Russian, with its first Arabic post more than a month after its creation.”
Anonymous Sudan has been highly aggressive since emerging earlier this year, and CyberCX said it expects the group to continue ramping up operations in the months ahead.
“Anonymous Sudan is likely to continue to increase its tempo of operations over the next three months,” the firm said. “Anonymous Sudan now has more than 60,000 followers on its Telegram channel and reactions to its post have dramatically increased through May.”
“The group’s apparent access to significant resources and its dubious ideological associations means that it poses an atypical threat.”
