Microsoft Reports Service Impact Due to Technical Glitch
Hacktivist group Anonymous Sudan announced cyberattacks on American organizations on May 5, 2023. The group claimed that these DDoS attacks targeted several US entities in the healthcare sector and Microsoft Corporation in particular. The attacks continued on May 6, 2023.
As in most hacktivism-related incidents, the backlash was based on a misreading of events in the geopolitical space. Here too, Anonymous Sudan interpreted the US Secretary of State Antony J. Blinken’s statement to reporters about “looking at steps that we can take to make clear our views on any leaders who are moving Sudan in the wrong direction, including by perpetuating the violence and by violating ceasefires that they’ve actually committed to” as a remark about an invasion of Sudan.
Figure 1: Anonymous Sudan cites political remarks as the reason for targeting US entities
Chain of Events
Cyble Research & Intelligence Labs observed on May 5, 2023, a spike in Anonymous Sudan activity against US healthcare services, after the group claimed to have launched a two-hour DDoS attack on a US mobility service provider on May 2, 2023. The group threatened to continue these attacks on US companies if the US government planned military action in Sudan. The hacktivists also claimed to have attacked five US hospitals for over an hour.
Subsequently, Anonymous Sudan claimed to have launched DDoS attacks targeting Microsoft Corporation. On its Telegram channel, the group posted several screenshots claiming to target Outlook, Teams, SharePoint Online, OneDrive for Business, and other Office 365 services at about 1400 hrs UTC.
Figure 2: Threads from the group’s Telegram channel with claims to disrupt Microsoft services
The services experienced intermittent downtime of more than four hours. We also observed Twitter users reporting the unavailability of Microsoft services.
On the same day, Microsoft issued investigation alerts EX571516, regarding updates pertaining to Exchange and Outlook on the web, and MO571683, for Microsoft Teams, SharePoint Online, and OneDrive for Business.
In response to Microsoft’s alerts, the group resumed its attacks, claiming that the outage was not a technical glitch but the result of its DDoS attacks. Following these attacks, the threat actors also demanded USD 1 million to cease and prevent further DDoS attacks, and threatened to attack again on June 6, 2023.
Figure 3: DDoS-Extortion attempt by the group
On June 6, 2023, Anonymous Sudan claimed to have compromised Microsoft’s systems and to have stolen the data of more than 30 million customers. The group announced a third wave of attacks on Microsoft at about 0800 hrs UTC.
Figure 4: Follow-up attacks on Microsoft services and extortion attempt
The group has been observed endorsing the application layer DDoS botnets SkyNet (t.me/xSkynet) and Godzilla-Botnet (t.me/xGodzillAxNewSxPoweRxProofs). It also claimed to have tested the botnets against its targets with positive results.
Application layer DDoS attacks are commonly used against user-facing applications and the networks behind them. They abuse application layer protocols with the intention of disrupting services, and because the traffic resembles legitimate requests, they can go undetected by traditional defense systems that look only at traffic volume. Common techniques include request floods, exploitation of application vulnerabilities, application-specific attacks such as XML-RPC floods, and zero-day vulnerabilities.
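One defensive check that catches the request-flood and XML-RPC-flood techniques mentioned above is a per-source sliding-window rate detector over web server access logs. The following is an added example written for this post; it is not code from Cyble or from the botnets discussed. The log lines are constructed (documentation IP ranges, a made-up timestamp), the combined log format and the thresholds (50 requests or 10 expensive-endpoint requests per 10 seconds) are assumptions, and `/xmlrpc.php` is used only as a stand-in for any endpoint known to be costly to serve.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: logs use the common Apache/nginx combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def _flag(alerts, ip, reason):
    """Record a reason for a source once, preserving the order reasons were raised."""
    reasons = alerts.setdefault(ip, [])
    if reason not in reasons:
        reasons.append(reason)


def detect_floods(lines, window=10, max_requests=50,
                  expensive_paths=("/xmlrpc.php",), max_expensive=10):
    """Sliding-window rate detector for application-layer request floods.

    A source is flagged with "request_flood" when it issues more than
    `max_requests` requests within any `window`-second span, and with
    "expensive_endpoint_flood" when it issues more than `max_expensive`
    requests to `expensive_paths` in that span (which catches low-volume
    floods aimed at costly endpoints, such as XML-RPC). Returns {ip: [reasons]}.
    """
    recent = defaultdict(deque)            # ip -> timestamps of recent requests
    recent_expensive = defaultdict(deque)  # ip -> timestamps of expensive requests
    alerts = {}
    span = timedelta(seconds=window)

    records = [r for r in map(parse_line, lines) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip, ts = rec["ip"], rec["ts"]

        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            _flag(alerts, ip, "request_flood")

        if rec["path"] in expensive_paths:
            eq = recent_expensive[ip]
            eq.append(ts)
            while ts - eq[0] > span:
                eq.popleft()
            if len(eq) > max_expensive:
                _flag(alerts, ip, "expensive_endpoint_flood")
    return alerts


def sample_log():
    """Constructed sample: one normal client, one request flood, one XML-RPC flood."""
    base = datetime(2023, 6, 5, 14, 0, 0, tzinfo=timezone.utc)  # made-up timestamp

    def line(ip, offset_s, method, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

    lines = []
    # Normal browsing: 6 requests spread over about a minute.
    lines += [line("203.0.113.5", i * 10, "GET", "/") for i in range(6)]
    # Request flood: 80 requests within 4 seconds.
    lines += [line("198.51.100.7", i * 0.05, "GET", "/") for i in range(80)]
    # Expensive-endpoint flood: only 15 requests, all POSTs to /xmlrpc.php in 3 seconds.
    lines += [line("192.0.2.9", i * 0.2, "POST", "/xmlrpc.php") for i in range(15)]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_floods(sample_log()).items():
        print(ip, ", ".join(reasons))
```

The two counters are deliberately separate: a volumetric threshold alone misses the third source, whose 15 requests are far below the flood limit but all land on an endpoint that is expensive to serve. In production the thresholds would be tuned per endpoint from baseline traffic, and the source key would normally be the real client address taken from a trusted proxy header rather than the raw peer IP.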
Assailed Scandinavian Airlines
Last month, on May 24, 2023, the hacktivist group targeted the Sweden-based Scandinavian Airlines (SAS) in a series of DDoS attacks, interrupting its web and mobile application services for several hours. The airline acknowledged the disruption.
The group also attempted to extort the airline, demanding USD 3,500 to withdraw from the attacks; the amount was later escalated to USD 175,000. Such demands are unusual among hacktivist groups and indicate a shift towards DDoS-extortion as a method of gaining both publicity and financial advantage.