Microsoft says early June disruptions to Outlook, cloud platform were cyberattacks


Boston — In early June, sporadic but serious service disruptions affected Microsoft’s flagship Office suite — the Outlook email and OneDrive file-sharing apps — and cloud computing platforms. A shadowy hacktivist group claimed responsibility, saying it flooded sites with junk traffic in distributed denial-of-service attacks.

Initially reticent to name the cause, Microsoft has now revealed that DDoS attacks by the group were in fact to blame.

But the software giant offered few details — and would not comment on the magnitude of the attacks. It would not say how many customers were affected or describe the attackers, whom it named Storm-1359. A group calling itself Anonymous Sudan claimed responsibility on its Telegram social media channel at the time. Some security researchers believe the group is Russian.

Microsoft’s explanation came in a blog post Friday evening following a request from The Associated Press two days earlier. Thin on details, the post said the attacks “temporarily affected availability” of some services. It said the attackers focused on “disruption and propaganda” and used rented cloud infrastructure and virtual private networks to bombard Microsoft servers from so-called botnets of zombie computers around the world.

Microsoft said there is no evidence that any customer data was accessed or compromised.

While DDoS attacks are primarily a nuisance – making websites unreachable without breaking into them – security experts say they could disrupt the work of millions of people if they successfully disrupt the services of a software services giant like Microsoft, on which so much global commerce depends.

It is not clear what happened here.

“If Microsoft doesn’t provide that information then we really have no way to measure the impact,” said Jake Williams, a leading cybersecurity researcher and a former National Security Agency offensive hacker. Williams said he was not aware of Outlook previously being attacked on this scale.

“We know that some resources were inaccessible to some, but not to others. This often happens with DDoS of globally distributed systems,” Williams said. He added that Microsoft’s apparent reluctance to provide an objective measure of customer impact “probably speaks volumes.”

As for the identity of Storm-1359, Williams said he doesn’t think Microsoft knows yet. This would not be unusual. Cybersecurity investigations take time — and can still be a challenge if the adversary is skilled.

Pro-Russian hacking groups including Killnet — which cybersecurity firm Mandiant calls Kremlin-affiliated — have been bombarding government and other websites of Ukraine’s allies with DDoS attacks. In October, some US airport sites were targeted.

Edward Amoroso, NYU professor and CEO of TAG Cyber, said the Microsoft incident highlights how DDoS attacks are “a significant risk we’ve all agreed to avoid talking about.” Calling it an unsolved problem is not controversial.

Microsoft’s difficulties in handling this particular attack suggest “a single point of failure,” he said. The best defense against these attacks is to distribute the service on a large scale, for example over a Content Delivery Network.

In fact, the technology used by the attackers is not that old, said Kevin Beaumont, a UK security researcher. “One is dated 2009,” he said.

On Monday, June 5, serious impacts from Microsoft 365 Office suite interruptions were reported, peaking at 18,000 outage and problem reports on the tracker DownDetector shortly after 11:00 AM.

On Twitter that day, Microsoft said that Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business were affected.

The attacks continued throughout the week, with Microsoft confirming on 9 June that its Azure cloud computing platform had been affected.

On June 8, computer security news site BleepingComputer.com reported that cloud-based OneDrive file-hosting was shut down globally for a time.

Microsoft said at the time that desktop OneDrive clients were not affected, BleepingComputer reported.
