Recent Teams, Office outages were caused by cyberattacks: Microsoft

Microsoft has confirmed that recent outages to its popular services, including Outlook, Teams, OneDrive, and cloud computing platform Azure, were caused by a DDoS attack by a threat actor that the company tracks as Storm-1359.


Also known as Anonymous Sudan, Storm-1359 was first detected in January, targeting organizations and government agencies with DDoS attacks and efforts to exfiltrate data. The threat actor was initially assumed to be a “hacktivist” group protesting a controversial outfit at the Melbourne Fashion Week but has since been linked to the Russian state, according to several media reports.


“Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures,” the company said in a blog post. “Storm-1359 appears to be focused on disruption and publicity.”

The recent DDoS activities by Storm-1359, Microsoft said, targeted the application layer (layer 7) of the network stack, rather than the most frequently targeted layers 3 or 4.


Different types of layer 7 DDoS attacks


Storm-1359 was observed launching several types of layer 7 DDoS attack traffic, including HTTP(S) flood attacks, cache bypass, and Slowloris.


An HTTP(S) flood attack floods the target system with a large number of distributed HTTP(S) requests and SSL/TLS handshakes. The goal is to exhaust the application backend’s CPU and memory resources, causing it to become overwhelmed and unresponsive.
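On the defensive side, an HTTP(S) flood of this kind can be spotted in request logs with a sliding-window counter. The sketch below is an added example, not code from Microsoft or from this article; the function names, thresholds and sample traffic are assumptions constructed for illustration. Because the requests are distributed, it checks the aggregate rate and source count as well as each client's own rate.

```python
from collections import Counter, deque

def detect_floods(events, window=10.0, per_client_max=30,
                  total_max=200, min_sources=50):
    """Scan (timestamp, client_ip) pairs sorted by time.

    Returns (timestamp, kind, subject) alerts. "single-source" means one
    client exceeded per_client_max requests inside the window.
    "distributed" means total requests exceeded total_max while at least
    min_sources distinct clients were active. Thresholds are assumptions.
    """
    recent = deque()      # (timestamp, ip) pairs still inside the window
    counts = Counter()    # ip -> requests inside the window
    noisy = set()         # clients currently over their own limit
    distributed = False   # True while the aggregate condition holds
    alerts = []
    for ts, ip in events:
        recent.append((ts, ip))
        counts[ip] += 1
        # Evict requests that have aged out of the window.
        while recent[0][0] <= ts - window:
            _, old_ip = recent.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
            if counts.get(old_ip, 0) <= per_client_max:
                noisy.discard(old_ip)
        # Alert once when a client crosses its limit, not on every request.
        if counts[ip] > per_client_max and ip not in noisy:
            noisy.add(ip)
            alerts.append((ts, "single-source", ip))
        # Many sources, each individually quiet, can still add up to a flood.
        over = len(recent) > total_max and len(counts) >= min_sources
        if over and not distributed:
            alerts.append((ts, "distributed", f"{len(counts)} sources"))
        distributed = over
    return alerts

def constructed_traffic():
    """Constructed sample: baseline, one noisy client, a distributed burst."""
    events = [(t, f"198.51.100.{t % 5}") for t in range(60)]       # ~1 req/s
    events += [(60 + i * 0.1, "203.0.113.7") for i in range(40)]   # 40 in 4 s
    events += [(100 + i * 0.02, f"192.0.2.{i % 80}") for i in range(300)]
    return events

if __name__ == "__main__":
    for alert in detect_floods(constructed_traffic()):
        print(alert)
```

In the distributed burst no single client sends more than four requests, so a per-client limit alone would raise nothing; only the aggregate check fires.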


Cache bypass attacks, on the other hand, are aimed to bypass the