Thomas Truchel | photothic | Getty Images
In early June, intermittent and serious service disruptions hit Microsoft’s core office suite – including Outlook email and OneDrive file-sharing applications – and its cloud computing platform. A shadowy hacking group has claimed responsibility, saying it flooded sites with unwanted traffic in distributed denial-of-service attacks.
Initially, Microsoft was reticent in identifying the cause, and has now revealed that DDoS attacks by a mysterious upstart were indeed the cause.
But the software giant provided few details – and did not comment on the scale of the attacks. It did not say how many customers were affected or describe the attackers, which it called Storm-1359. A group calling itself Anonymous Sudan claimed responsibility on their Telegram channel on social media at the time. Some security researchers believe the group is Russian.
Microsoft’s explanation came in a blog post Friday night after a request from the Associated Press two days earlier. Elaborating on the details, the post said the attacks had “temporarily affected the availability” of some services. It said the attackers focused on “disruption and propaganda” and likely used rented cloud infrastructure and virtual private networks to bombard Microsoft’s servers from so-called botnets around the world.
Microsoft said there was no evidence that any customer data had been accessed or compromised.
While DDoS attacks are essentially a nuisance – making websites inaccessible without being hacked – security experts say they could disrupt the work of millions if they succeed in boycotting the services of software giants such as Microsoft on which much of the world’s trade depends.
It is not clear if this is what happened here.
“We really have no way of measuring the impact if Microsoft doesn’t provide this information,” said Jake Williams, a senior cybersecurity researcher and former offensive hacker with the National Security Agency. Williams said he wasn’t aware Outlook had been attacked on this scale previously.
“We know that some resources were inaccessible to some, but not to others. This often happens with DDoS for globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measure of customer impact “may be talking about volume.”
As for the identity of Storm-1359, Williams said he doesn’t think Microsoft knows yet. That wouldn’t be unusual. Cybersecurity spying tends to take some time – and even then it can be a challenge if the adversary is skilled.
Pro-Russian hacking groups including Killnet — which cybersecurity firm Mandiant says are affiliated with the Kremlin — have bombarded the government and other websites of Ukraine’s allies with DDoS attacks. In October, some locations of American airfields were bombed.
The Microsoft incident highlights how DDoS attacks remain “a huge risk that we all agree to avoid talking about. It’s not controversial to call it an unsolved problem,” said Edward Amoruso, a professor at New York University and CEO of TAG Cyber.
He said Microsoft’s difficulties in countering this particular attack indicated a “single point of failure”. The best defense against these attacks is to distribute a service widely, on a content distribution network for example.
British security researcher Kevin Beaumont said the methods used by the attackers are not outdated. “One of them dates back to 2009,” he said.
Serious impacts from the Microsoft 365 Office suite outages were reported on Monday, June 5, peaking at 18,000 outages and issues reported on the Downdetector shortly after 11 a.m. ET.
On Twitter that day, Microsoft said Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business were affected.
The attacks continued throughout the week, with Microsoft confirming on June 9 that its Azure cloud computing platform had been affected.
On June 8, computer security news site BleepingComputer.com reported that cloud-based OneDrive file hosting has been down globally for some time.
Microsoft said at the time that OneDrive desktop customers were not affected, BleepingComputer reported.
“Devoted student. Bacon advocate. Beer scholar. Troublemaker. Falls down a lot. Typical coffee enthusiast.”