Global Courant
Thomas Trutschel | Photo library | Getty Images
Sporadic but severe service interruptions were plagued in early June from Microsoft flagship office suite – including the Outlook email and OneDrive file sharing apps – and cloud computing platform. A shadowy hacktivist group claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks.
Initially reluctant to name the cause, Microsoft has now revealed that DDoS attacks by a shady newcomer were indeed to blame.
But the software giant has provided few details – and would not comment on the scope of the attacks. It wouldn’t say how many customers were affected or describe the attackers, which it has dubbed Storm-1359. A group calling itself Anonymous Sudan claimed responsibility through its social media channel Telegram at the time. Some security researchers think the group is Russian.
Microsoft’s explanation in a blog post Friday evening followed a request from The Associated Press two days earlier. Smart on details, the post said the attacks “temporarily affected the availability” of some services. It said the attackers targeted “disruption and publicity” and likely used leased cloud infrastructure and virtual private networks to bombard Microsoft servers from so-called zombie computer botnets around the world.
Microsoft said there was no evidence of customer data being accessed or compromised.
While DDoS attacks are mostly a nuisance—making websites inaccessible without penetrating them—security experts say they could disrupt the work of millions if they succeed in interrupting the services of a software services giant like Microsoft, on which so much global commerce depends.
It’s not clear if that’s what happened here.
“We really have no way of measuring the impact if Microsoft doesn’t provide that information,” said Jake Williams, a leading cybersecurity researcher and former National Security Agency attacking hacker. Williams said he was unaware Outlook had been attacked on this scale before.
“We know that some resources were inaccessible to some, but not to others. This often happens with DDoS of globally distributed systems,” added Williams. He said Microsoft’s apparent reluctance to provide an objective measurement of customer impact “probably indicates the magnitude.”
As for Storm-1359’s identity, Williams said he doesn’t think Microsoft knows yet. That wouldn’t be unusual. Cybersecurity detective work usually takes time – and even then it can be challenging if the adversary is skilled.
Pro-Russian hacking groups, including Killnet — which cybersecurity firm Mandiant says is affiliated with the Kremlin — are bombarding the government and other websites of Ukraine’s allies with DDoS attacks. In October, some US airport sites were hit.
Edward Amoroso, NYU professor and CEO of TAG Cyber, said the Microsoft incident highlights how DDoS attacks “remain a significant risk that we all agree not to talk about. It’s not controversial to call this an unsolved problem.” to name.”
He said Microsoft’s difficulties in fending off this particular attack point to “a single point of failure.” The best defense against these attacks is to distribute a service en masse, for example through a content distribution network.
Indeed, the techniques used by the attackers are not old, says British security researcher Kevin Beaumont. “One of them dates back to 2009,” he said.
Severe impacts from the Microsoft 365 office suite outages were reported on Monday, June 5, with a peak of 18,000 outage and problem reports on the tracker Downdetector shortly after 11 a.m. Eastern time.
On Twitter that day, Microsoft said that Outlook, Microsoft Teams, SharePoint Online and OneDrive for Business were affected.
The attacks continued throughout the week, with Microsoft confirming on June 9 that its Azure cloud computing platform had been affected.
On June 8, computer security news site BleepingComputer.com reported that cloud-based OneDrive file hosting was unavailable globally for a while.
At the time, Microsoft said desktop OneDrive clients were not affected, BleepingComputer reported.
