Weeks after suspected Russia-linked hacktivists disrupted key Microsoft services, including Azure and OneDrive, U.S. authorities are warning organizations about potential new threats involving distributed denial of service attacks.
The Cybersecurity and Infrastructure Security Agency in late June urged organizations to monitor their systems to determine whether outages were related to maintenance or, potentially, deliberate attacks.
Security experts told Cybersecurity Dive that Anonymous Sudan, the threat group behind the Microsoft attacks, posted specific threat claims, warning it had disrupted a major financial services firm and a U.S. government system.
The hackers claim to have targeted payments firm Stripe and the Treasury Department’s Electronic Federal Tax Payment System, according to documents provided by Emsisoft Threat Analyst Brett Callow.
Stripe reported customers were unable to access the company dashboard on June 30, according to social media posts from the firm. The issue involved elevated rate limit errors on the Stripe API.
Researchers at Cyberint on Monday said Anonymous Sudan claims to have also taken down Reddit’s subpages for two hours.
“CISA will continue to raise awareness by issuing alerts and advisories when appropriate about DDoS risks given the continued prevalence of these events affecting many organizations nationwide,” a CISA official told Cybersecurity Dive.
As previously reported, Microsoft security researchers said the DDoS attacks involved multiple virtual private servers, rented cloud infrastructure, open proxies and DDoS tools. The recent DDoS attacks against Microsoft also targeted Layer 7 rather than Layer 3 or 4, making them stealthier and harder to detect.
Layer 7 attacks send what look like legitimate HTTP requests to resource-intensive parts of an application, such as search, login or API endpoints, and exhaust the server's capacity to handle them, while Layer 3 or 4 attacks flood the network and transport layers with raw packets or connection attempts to saturate bandwidth or connection tables. Because a Layer 7 flood can stay well under bandwidth and packet-rate thresholds, it tends to show up only when request rates are examined per client and per endpoint.
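To make the distinction concrete, the following is an added example written for this page; it is not code from the article, from Microsoft, or from any organization named here. It parses web-server access logs in combined log format and applies two application-layer detectors: requests per source IP per window, which catches a single noisy client, and requests per endpoint per window across all sources, which catches a flood spread across many open proxies where each proxy stays under the per-IP threshold. The log lines, the documentation address ranges (198.51.100.0/24 for normal clients, 203.0.113.0/24 for the proxies), the endpoint names and the thresholds are all constructed assumptions, not observed data.

```python
"""Added example (not from the article or Microsoft): two Layer 7 flood detectors
run over constructed access-log lines. Addresses, paths and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def _endpoint(path):
    """Normalize a request path to its endpoint by dropping the query string,
    so /api/search?q=a and /api/search?q=b count against the same target."""
    return path.split("?", 1)[0]


def _bucket(rec, window_s):
    return int(rec["ts"].timestamp()) // window_s


def flag_noisy_sources(records, window_s=10, max_requests=50):
    """Per-source view: requests per IP per fixed window.
    Returns {ip: peak_requests_in_one_window} for IPs above max_requests."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["ip"], _bucket(r, window_s))] += 1
    peak = defaultdict(int)
    for (ip, _), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > max_requests}


def flag_endpoint_flood(records, window_s=10, max_requests=100):
    """Distributed view: requests per endpoint per window across all sources.
    Returns {endpoint: (peak_requests, distinct_sources_in_that_window)}
    for endpoints above max_requests. This is the detector that catches a flood
    in which each proxy individually stays under the per-IP threshold."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        key = (_endpoint(r["path"]), _bucket(r, window_s))
        counts[key] += 1
        sources[key].add(r["ip"])
    flagged = {}
    for (endpoint, bucket), n in counts.items():
        if n > max_requests and n > flagged.get(endpoint, (0, 0))[0]:
            flagged[endpoint] = (n, len(sources[(endpoint, bucket)]))
    return flagged


# ---- Constructed sample log (assumed data, not a real capture) ----------------
def _fmt(ip, ts, path, status=200, nbytes=512):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {nbytes}'


BASE = datetime(2023, 6, 30, 0, 0, 0, tzinfo=timezone.utc)  # aligned to 10 s windows
SAMPLE_LOG = []
# Baseline: 20 distinct clients, one request each, spread over 20 seconds.
for i in range(20):
    SAMPLE_LOG.append(_fmt(f"198.51.100.{i + 1}", BASE + timedelta(seconds=i),
                           ["/", "/about", "/api/search?q=pricing"][i % 3]))
# Flood: 40 assumed open-proxy addresses, each sending only 5 requests to an
# expensive search endpoint inside the same 10-second window (seconds 30-38).
for j in range(40):
    for k in range(5):
        SAMPLE_LOG.append(_fmt(f"203.0.113.{j + 1}",
                               BASE + timedelta(seconds=30 + 2 * k),
                               f"/api/search?q=term{j}_{k}"))


def analyze(lines):
    """Run both detectors over raw log lines and return their findings."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {
        "parsed": len(records),
        "noisy_sources": flag_noisy_sources(records),
        "endpoint_floods": flag_endpoint_flood(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"parsed {result['parsed']} lines")
    print("per-IP detector:", result["noisy_sources"] or "nothing flagged")
    print("per-endpoint detector:", result["endpoint_floods"])
```

With the constructed data the per-IP detector flags nothing, since every proxy sends only five requests, while the per-endpoint detector reports 200 requests to /api/search from 40 distinct sources in one window. Tightening the per-IP threshold instead would eventually catch the proxies but would also start flagging legitimate busy clients, which is why both views belong in an L7 detection pipeline.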
Researchers from Truesec said some Russia-linked hacktivists have been reaching out to Islamic online activist groups in order to influence them into a more anti-NATO stance.
“Someone is very likely paying for all this disruption, as conducting DDoS attacks cost money,” Mattias Wåhlén, a threat intelligence expert at Truesec, said via email. “Most DDoS attacks are conducted by criminals that set up infrastructure for DDoS attacks and then rent this capacity to other criminals and online activists who pay them to target victims of their choice.”
Officials at Reddit, Stripe and the Treasury Department were not immediately available for comment.