A few weeks ago, Microsoft’s OneDrive and 365 services, such as Microsoft Teams and Sharepoint, experienced outages due to a series of distributed denial-of-service (DDoS) attacks. According to Cybersecurity Dive, a hacktivist group called Anonymous Sudan claimed they were behind the attack and made even more threats against the tech giant.
A Microsoft spokesperson has said they know these claims and are investigating further. Meanwhile, security experts are doing some investigations of their own.
What is Anonymous Sudan?
Also known as Storm-1359, Anonymous Sudan claims to be an African-based hacktivist group launching cyberattacks on behalf of oppressed Muslims around the world. They say their attack against Microsoft was retaliation for US policy around Sudan’s military conflict.
Although Anonymous Sudan has claimed to be a politically motivated hacktivist group, experts believe that their track record shows otherwise. These days, their main focus seems to be extortion. Before Microsoft, they also targeted Swedish airline SAS and companies in Israel. Mattias Wåhlén, a threat intelligence expert at Truesec, told Cybersecurity Dive that this behavior is “clearly just cybercrime, rather than online activism.”
Furthermore, experts also believe that the group has ties to Russia rather than Africa. Truesec published a report back in February highlighting this, focusing on the group’s attempts to complicate Sweden’s NATO application. Their attacks also tend to coincide with increased hostilities in countries aligned against Russia.
Beyond extortion, another key goal for the group is presenting Russia as a true haven for Muslims over the West. Mattias Wåhlén told Bloomberg:
“Anonymous Sudan is a Russian information operation that aims to use its Islamic credentials to be an advocate for closer cooperation between Russia and the Islamic world – always claiming that Russia is the Muslims’ friend. This makes them a useful proxy.”
Bloomberg News contacted Anonymous Sudan about these claims, which they deny. A representative said they were not acting on Russia’s behalf, but their goals just so happened to align and that “all countries that are hostile to Islam are hostile to Russia.”
More about the Microsoft cyberattack
Several weeks later, Microsoft posted a response to the cyberattack, focusing on the technical aspect rather than the political. Like other Anonymous Sudan attacks, these attacks targeted layer 7 (the application layer) of their server infrastructure, which receives input from users who are served content in response. This can be a computationally draining process which makes it an appealing target. Microsoft says the attacks likely relied on access to multiple virtual private servers, as well as rented cloud infrastructure, open proxies, and DDoS tools.
Following the attacks, Microsoft hardened its layer 7 protections which included tuning its Azure Web Application Firewall (WAF) to better handle similar DDoS attacks in the future. Microsoft recommends that its customers use similar layer 7 protection services to protect their web applications.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.