In early June, sporadic but serious service interruptions plagued Microsoft's flagship office suite, including the Outlook email and OneDrive file-sharing apps, and its cloud computing platform. An obscure group of hacktivists claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks.
Initially reticent to name the cause, Microsoft has now revealed that DDoS attacks by a shady upstart were to blame.
But the software giant has offered few details and declined to comment on the scale of the attacks. It did not say how many customers were affected or describe the attackers, whom it has named Storm-1359. A group calling itself Anonymous Sudan claimed responsibility on its Telegram social media channel at the time. Some security researchers believe the group is Russian.
Microsoft’s explanation in a blog post late Friday followed a request from The Associated Press two days earlier. Sparse on details, the post says the attacks “temporarily affected the availability” of some services. It said the attackers focused on “disruption and publicity” and likely used rented cloud infrastructure and virtual private networks to bombard Microsoft servers from so-called zombie computer botnets around the world.
Microsoft said there was no evidence that customer data was accessed or compromised.
While DDoS attacks are primarily a nuisance, rendering websites inaccessible without penetrating them, security experts say they can disrupt the work of millions if they succeed in knocking out the services of a software giant like Microsoft, on which so much of global commerce depends.
It is not clear if that is what happened here.
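As an added illustration, not part of the AP report or of anything Microsoft published, the Python script below shows the kind of check a defender might run over web-server access logs to spot an application-layer flood of the sort described above: it buckets requests into fixed time windows, compares each window against a baseline, and reports a window only when the burst is concentrated in a handful of sources, which is what a rented-infrastructure botnet tends to look like from the server's side. The log format, the addresses and the thresholds are all constructed for this example.

```python
"""Flag request bursts that look like an HTTP (application-layer) flood in
web-server access logs. Constructed example for illustration only."""
from collections import Counter
from datetime import datetime, timezone
from statistics import median


def build_sample_log() -> list:
    """Constructed access-log lines in an assumed format:
    client_ip ISO-timestamp method path status.  Not data from any real incident."""
    lines = [
        # Quiet traffic: a few requests per ten-second window.
        "198.51.100.7 2023-06-05T15:00:01 GET /index.html 200",
        "203.0.113.9 2023-06-05T15:00:04 GET /mail/inbox 200",
        "198.51.100.7 2023-06-05T15:00:08 POST /mail/send 200",
        "203.0.113.22 2023-06-05T15:00:12 GET /index.html 200",
        "198.51.100.30 2023-06-05T15:00:15 GET /files/list 200",
        "203.0.113.9 2023-06-05T15:00:19 GET /mail/inbox 200",
    ]
    # Flood window (15:00:20-15:00:29): four constructed source addresses each
    # sending ten requests, while the server starts answering 503.
    flood_sources = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for i in range(10):
        for ip in flood_sources:
            lines.append(f"{ip} 2023-06-05T15:00:2{i} GET /search?q=x{i} 503")
    # One legitimate user caught in the same window.
    lines.append("203.0.113.9 2023-06-05T15:00:25 GET /mail/inbox 503")
    # Quiet again afterwards.
    lines.append("198.51.100.7 2023-06-05T15:00:33 GET /index.html 200")
    lines.append("203.0.113.22 2023-06-05T15:00:38 GET /files/list 200")
    return lines


def parse_line(line: str):
    """Return (client_ip, timestamp) from one log line; timestamps are treated as UTC."""
    ip, ts, *_ = line.split()
    return ip, datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def bucket_by_window(lines, window_seconds: int = 10) -> dict:
    """Group requests into fixed windows; each window holds a per-source Counter."""
    buckets = {}
    for line in lines:
        ip, ts = parse_line(line)
        key = int(ts.timestamp()) // window_seconds
        buckets.setdefault(key, Counter())[ip] += 1
    return buckets


def flag_flood_windows(lines, window_seconds: int = 10, burst_factor: int = 5,
                       top_share: float = 0.8, top_n: int = 5) -> list:
    """Return windows whose request count is at least burst_factor times the
    baseline AND where the top_n sources account for top_share of the traffic.

    The baseline here is the median window count of the same log; in a real
    deployment it would come from a known-quiet reference period, because a
    long-running flood would otherwise drag the median up with it."""
    buckets = bucket_by_window(lines, window_seconds)
    totals = [sum(c.values()) for c in buckets.values()]
    baseline = max(median(totals), 1)
    flagged = []
    for key in sorted(buckets):
        counter = buckets[key]
        total = sum(counter.values())
        top = counter.most_common(top_n)
        share = sum(n for _, n in top) / total
        if total >= burst_factor * baseline and share >= top_share:
            start = datetime.fromtimestamp(key * window_seconds, tz=timezone.utc)
            flagged.append({
                "window_start": start.isoformat(),
                "requests": total,
                "baseline": baseline,
                "top_sources": top,
            })
    return flagged


if __name__ == "__main__":
    for window in flag_flood_windows(build_sample_log()):
        print(f"{window['window_start']}: {window['requests']} requests "
              f"(baseline {window['baseline']}), top sources {window['top_sources']}")
```

The two-part condition matters: a burst alone could be a legitimate traffic spike, and a few heavy sources alone could be a crawler. Requiring both, and reporting which sources dominate, gives an operator something actionable to hand to the CDN or rate-limiting layer rather than a bare alert.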
“We really have no way of measuring the impact if Microsoft doesn’t provide that information,” said Jake Williams, a leading cybersecurity researcher and former offensive hacker for the National Security Agency. Williams said he was not aware that Outlook had previously been attacked on this scale.
“We know that some resources were inaccessible to some, but not to others. This often happens with DDoS of globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.”
As for the identity of Storm-1359, Williams said he doesn’t think Microsoft knows yet. That would not be unusual. Cybersecurity research tends to take time, and even then it can be challenging if the adversary is skilled.
Pro-Russian hacking groups, including Killnet, which cybersecurity firm Mandiant says is affiliated with the Kremlin, have been bombarding the government and other websites of Ukraine’s allies with DDoS attacks. In October, some US airport sites were attacked.
Edward Amoroso, a New York University professor and CEO of TAG Cyber, said the Microsoft incident highlights how DDoS attacks remain “a significant risk that we all agree to avoid talking about. It’s not controversial to call this an unresolved problem.”
He said Microsoft’s difficulties defending against this particular attack suggest “a single point of failure.” The best defense against these attacks is to distribute a service massively, for example across a content distribution network.
In fact, the techniques the attackers used are not ancient, said UK security researcher Kevin Beaumont. “One dates from 2009,” he said.
Serious impacts from Microsoft 365 office suite outages were reported on Monday, June 5, with a peak of 18,000 reports of outages and issues in the Downdetector tracker shortly after 11 am ET.
On Twitter that day, Microsoft said that Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business were affected.
The attacks continued through the week, with Microsoft confirming on June 9 that its Azure cloud computing platform had been affected.
On June 8, the computer security news site BleepingComputer.com reported that the cloud-based OneDrive file hosting was down globally for a while.
Microsoft said at the time that desktop OneDrive clients were not affected, BleepingComputer reported.