Cyber Incident Victim: U.S. Treasury Department's Electronic Federal Tax Payment System
Date: Jun 2023
Location: United States of America
Summary
A DDoS attack disrupted the U.S. Treasury Department's Electronic Federal Tax Payment System (EFTPS.gov), taking the website offline. The attack was claimed by the threat actor group Anonymous Sudan, who also targeted other U.S. government and private organizations. The incident prompted CISA to issue a warning to all U.S. organizations to proactively prepare their defenses against such ongoing distributed denial-of-service campaigns.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around June 30, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a formal warning regarding a series of ongoing distributed denial-of-service (DDoS) attacks targeting multiple U.S. organizations across various industry sectors. These attacks were designed to disrupt online services by overwhelming them with malicious traffic, rendering them inaccessible to legitimate users. CISA advised all U.S. organizations to take proactive measures to prepare their security teams to either thwart or mitigate the effects of such disruptive incidents. The agency emphasized the importance of network administrators being prepared to quickly implement defensive actions, such as applying specific firewall rules or redirecting incoming malicious traffic through dedicated denial-of-service protection services. This preparedness was highlighted as a critical step in preventing attackers from successfully taking down targeted online portals or essential services. CISA also noted that internet service providers could serve as a valuable resource, offering guidance on the appropriate steps to take when under such an attack.

The cybersecurity agency publicly stated it was aware of open-source reports detailing these targeted denial-of-service and distributed denial-of-service attacks. The impact of these incidents was significant, potentially costing affected organizations substantial time and money to respond and recover. Furthermore, CISA pointed out that the inaccessibility of critical resources and services could impose severe reputational costs on the victimized entities. In its advisory, CISA, working in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided comprehensive guidance on recommended actions for organizations to take both before and after a DDoS attack occurs. A key preparatory measure included enrolling in dedicated DDoS protection services, which are designed to identify and reroute malicious traffic away from the targeted assets, thereby preserving availability.
For federal civilian executive branch agencies, CISA provided additional, specific recommendations to counter these threats. These agencies were advised to leverage tools provided by the General Services Administration, such as the Managed Security Service and the Managed Trusted Internet Protocol Service. Utilizing these services was presented as a method to more effectively counteract the effects of DDoS attacks and assist in the swift restoration of operations for any impacted systems. While CISA's warning did not initially attribute the attacks or provide extensive context, the timing coincided with a public wave of DDoS incidents claimed by a threat actor known as Anonymous Sudan. This group, which Microsoft tracks under the identifier Storm-1359, has been active in claiming responsibility for numerous high-profile outages.
Among the specific targets claimed by Anonymous Sudan was the website for EFTPS.gov, which is the official Electronic Federal Tax Payment System operated by the U.S. Department of the Treasury. The threat group announced this attack through their Telegram channel, and the claim was subsequently verified by independent cybersecurity news outlets. BleepingComputer confirmed that the EFTPS.gov website was indeed inaccessible and experiencing downtime at the precise time the attack was claimed by Anonymous Sudan. This disruption potentially impeded the ability of individuals and businesses to electronically submit federal tax payments, representing a direct attack on a critical financial infrastructure component of the U.S. government. In addition to the Treasury Department, Anonymous Sudan also claimed responsibility for a successful DDoS attack that took down the website of the U.S. Department of Commerce.
The scope of the attacks extended beyond government entities into the private sector. On the same day CISA issued its warning, Anonymous Sudan claimed another DDoS attack, this time targeting the online dashboard of Stripe, a major financial services and software as a service company. This dashboard is used by businesses to manage payments, process refunds, and handle various operational tasks. An attack on such a platform could cause widespread disruption for countless businesses that rely on it for their daily financial transactions. This incident was not an isolated event but part of a broader campaign of disruptive activity attributed to this single threat actor. Earlier in the same month of June, Microsoft confirmed that a series of outages affecting its widely used Outlook, OneDrive, and Azure web portals were the direct result of DDoS attacks that had been claimed at the time by Anonymous Sudan.
The activity of Anonymous Sudan appears to have begun escalating in May 2023, marking the start of a sustained campaign targeting large organizations on a global scale. Prior to the incidents in late June, the group had claimed attacks against a diverse array of high-profile companies. Scandinavian Airlines (SAS), a major airline carrier, was reportedly targeted, potentially disrupting flight bookings and operational systems. The popular dating application Tinder and the ride-sharing service Lyft were also named as victims in the group's claims, attacks which could have affected millions of users. Perhaps most concerningly, the group also claimed to have targeted various hospitals across the United States. Attacks on healthcare institutions pose a direct threat to patient care and safety by potentially crippling critical systems needed for medical services, appointment scheduling, and access to patient records.
The motivation behind these attacks and the true identity of Anonymous Sudan remain subjects of analysis within the cybersecurity community. The group's name suggests a connection to Sudan, while Microsoft's designation of the actor as Storm-1359 follows its weather-themed naming convention for threat groups. Some cybersecurity researchers have assessed that the group might have links to Russia, though the official U.S. government sources cited here do not confirm this. The primary tactic employed in these incidents is the distributed denial-of-service attack, a method that does not typically involve breaching security perimeters or stealing data but is instead focused solely on causing service disruption and downtime. The widespread nature of the targets, spanning government, finance, technology, healthcare, and transportation, indicates a broad campaign intended to cause maximum disruption and attract significant media and public attention. The incident involving EFTPS.gov is therefore a single component of a much larger and ongoing pattern of disruptive cyber activity targeting critical infrastructure and essential services in the United States and abroad during this period.
