Beyond the Mask: Delving into Anonymous Sudan’s Affiliations and Objectives

Anonymous Sudan has emerged and made its presence known

Anonymous Sudan has emerged as a prominent and active group since January, gaining significant attention worldwide. It has been responsible for a series of attacks targeting various countries such as Sweden, Netherlands, Denmark, Australia, France, Israel, Germany, UAE, the US, and Iran. These attacks have focused on critical infrastructure and affected multiple sectors including financial services, aviation, education, healthcare, software, and government entities.

Microsoft, a major technology company, recently disclosed that it had experienced Distributed Denial of Service (DDoS) attacks carried out by a threat actor group known as “Storm-1359.” Based on the company’s intelligence, it is highly likely that this group corresponds to Anonymous Sudan.

However, despite the knowledge gained so far, there are still many unanswered questions surrounding Anonymous Sudan. The group remains shrouded in mystery, and its motivations, members, and specific capabilities are not yet fully understood. Ongoing investigations and intelligence efforts aim to shed more light on this adversary group responsible for several significant DDoS attacks on a global scale.
Uncertain connections to Killnet

According to available evidence, there are indications that Anonymous Sudan has established links to the pro-Russian hacktivist collective known as Killnet. This affiliation was reportedly confirmed by Anonymous Sudan themselves in February 2023. However, the extent of this connection is still under evaluation. Furthermore, the evidence suggests that Anonymous Sudan may be Russian state-sponsored actors posing as Sudanese actors with Islamist motivations, using this disguise as a cover for their activities against Western or Western-aligned entities.

Despite attempts by Anonymous Sudan to obscure their identity and affiliations through official channels, their use of social media and public-facing accounts under the guise of “hacktivists” aligns with the tactics, techniques, and procedures previously observed in Russian state-sponsored adversaries. Similar to Killnet, Anonymous Sudan has claimed responsibility for disrupting numerous high-profile targets.
Semblance of Islamist ideologies

There has been ongoing speculation regarding the origins, ideologies, and motives of Anonymous Sudan since its establishment. The group has utilized multiple languages such as English, Russian, and more recently Arabic in their online communications. Despite its name, it appears that the group has no genuine ties to Sudan, nor any association with the previous Anonymous group that operated within the country.

A notable incident that highlights this lack of connection to Sudan occurred in Sweden. Anonymous Sudan targeted various Scandinavian entities following an anti-Islam demonstration organized by Rasmus Paludan, a Danish-Swedish politician. During this protest on January 22, Paludan burned a copy of the Quran in front of the Turkish Embassy in Sweden. This incident further complicates the understanding of Anonymous Sudan’s origins and motivations.

Reports emerged suggesting the involvement of a Russian state-sponsored journalist in orchestrating the Quran burning as a means to incite anti-Muslim sentiments. The alleged objective behind this act was to undermine Sweden’s NATO bid in the eyes of Turkey, thereby reducing the likelihood of its success. The journalist, said to be sponsored by the Kremlin, carried out the Quran burning as part of a deliberate effort to generate more anti-Muslim sentiments within Scandinavia.

Anonymous Sudan TTPs: Details of Microsoft attack

Microsoft said it had observed the threat group “launching several types of layer 7 DDoS attack traffic,” including:

  • HTTP(S) flood attack, which “aims to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing.”
  • Cache bypass, which “attempts to bypass the CDN layer and can result in overloading the origin servers.”
  • Slowloris, “where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory.”
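As an added illustration (not part of the original article or of Microsoft's report), the script below turns the three descriptions above into detection heuristics run over constructed web-server access-log lines. The log format, the field layout, the thresholds and the client addresses are all assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample access-log lines (not from the article). Fields:
# client_ip "METHOD target PROTOCOL" status bytes cdn_cache_status seconds
SAMPLE_LOG = """\
203.0.113.5 "GET /catalog?cb=1711 HTTP/1.1" 200 4096 MISS 0.03
203.0.113.5 "GET /catalog?cb=1712 HTTP/1.1" 200 4096 MISS 0.03
203.0.113.5 "GET /catalog?cb=1713 HTTP/1.1" 200 4096 MISS 0.04
203.0.113.5 "GET /catalog?cb=1714 HTTP/1.1" 200 4096 MISS 0.03
198.51.100.9 "GET /images/hero.jpg HTTP/1.1" 200 120 HIT 95.0
198.51.100.9 "GET /images/hero.jpg HTTP/1.1" 200 110 HIT 92.4
198.51.100.9 "GET /images/hero.jpg HTTP/1.1" 200 130 HIT 97.1
192.0.2.44 "GET /catalog HTTP/1.1" 200 4096 HIT 0.02
"""

LINE_RE = re.compile(r'^(\S+) "\S+ (\S+) [^"]*" \d{3} (\d+) (\S+) ([\d.]+)$')
def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, target, nbytes, cache, secs = m.groups()
            yield {"ip": ip, "query": urlsplit(target).query,
                   "bytes": int(nbytes), "cache": cache, "secs": float(secs)}

def classify_sources(records, flood_min=4, bypass_ratio=0.8,
                     slow_min=3, slow_secs=60.0, slow_bps=5.0):
    """Label each client IP with the layer-7 patterns it matches; thresholds are illustrative."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        labels = set()
        # HTTP(S) flood: many requests from one source within the log window.
        if len(reqs) >= flood_min:
            labels.add("http_flood")
        # Cache bypass: distinct query strings defeat the CDN, so each request hits the origin.
        unique_misses = {r["query"] for r in reqs if r["cache"] == "MISS" and r["query"]}
        if len(unique_misses) / len(reqs) >= bypass_ratio:
            labels.add("cache_bypass")
        # Slowloris-style slow read: connections held open for minutes while almost nothing is read.
        slow = [r for r in reqs if r["secs"] >= slow_secs and r["bytes"] / r["secs"] < slow_bps]
        if len(slow) >= slow_min:
            labels.add("slow_read")
        if labels:
            findings[ip] = labels
    return findings
```

In a real deployment the request counts would be bucketed by time window and the thresholds tuned to the site's normal traffic; the sample data is only meant to show how each pattern looks in logs.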

Timeline: Anonymous Sudan DDoS attacks, claims, and developments

The following is a detailed timeline of the claimed and confirmed attacks by Anonymous Sudan. The group announces its targets on its official channels, but it may claim responsibility for an attack without presenting any supporting evidence, a pattern observed when Canada, the Netherlands, and Germany became the focus of its actions. The timeline of these events is outlined below:

  • January 23 – February 22: Claims attacks on Sweden in response to Rasmus Paludan’s actions.
  • January 27: Claims attacks on the Netherlands, also in response to Paludan.
  • February 22: Claims attacks on Denmark in response to Rasmus Paludan.
  • March 15 – 22: Anonymous Sudan targets France, attacking Air France.
  • March 24 – April 2: Attacks Australian companies, including healthcare, aviation, and education organizations, when a Melbourne fashion label featured the Arabic for “God” on garments.
  • April 26: On Israeli Independence Day, Anonymous Sudan claims to have conducted DDoS attacks on Israeli Prime Minister Benjamin Netanyahu’s website, making it inaccessible, and to have hacked Netanyahu’s Facebook account. Multiple reports also linked the group to attacks on the websites of the Haifa Port, Israel Ports Development, the National Insurance Institute, and the Mossad, Israel’s national intelligence agency.
  • April 29: Anonymous Sudan announces plans to attack German entities after posting about an alleged “kidnapping” of a child by German authorities. Canada is also mentioned as a target due to a similar video of a Muslim man being arrested in front of his family. The extent of these attacks remains unclear.
  • May 2: Anonymous Sudan claims to have compromised and temporarily disarmed Israel’s Iron Dome missile defense system, although this remains unconfirmed by the Israeli government. The cyberattack reportedly allowed 16 rockets fired from Gaza to enter Israeli territory, which, according to Israeli Army Radio, gave the Iron Dome a success rate of 71%, compared to its usual 90-95%.
  • May 5: Anonymous Sudan shares screenshots of eight websites belonging to official United Arab Emirates (UAE) domains. Shortly thereafter, several Emirati banks were allegedly attacked.
  • May 24: Anonymous Sudan breaches the website and mobile app of Scandinavian Airlines (SAS), knocking them offline, affecting all flight activities and stranding passengers. This was the second round of attacks to impact Sweden.
  • June 5: Anonymous Sudan announces they will attack Microsoft, which eventually confirmed the attack on June 16. The high-profile attack caused outages and disruptions to multiple Microsoft products and services, although the software giant said it had “seen no evidence that customer data has been accessed or compromised.”
  • June 14: Anonymous Sudan posted on its official Telegram channel that Russian-language hackers announced a “massive attack” on European and US financial institutions within the next 48 hours. The group claimed it would attack the SWIFT payment system in collaboration with KillNet and the Russian cybercriminal group REvil to protest the West’s financial and military support of Ukraine.
  • June 16: Killnet posts on its Telegram channel a series of Western financial systems it allegedly began targeting, although each of them remains operational as of this publishing.
  • June 19: Anonymous Sudan announces it has attacked the European Investment Bank, which confirmed the DDoS attack.

To mitigate the risks posed by Anonymous Sudan and similar cyber threats, it is crucial to enhance cybersecurity measures by implementing strong security infrastructure, including robust firewalls, intrusion detection systems, and antivirus software. Multi-factor authentication and regular security assessments should be employed to strengthen access controls and identify vulnerabilities. Employee training and awareness programs are important in combating social engineering attacks. Monitoring online channels for potential threats and sharing threat intelligence contribute to proactive defense. Developing a robust incident response plan, engaging cybersecurity experts, and fostering international cooperation are essential. Regular data backups and staying updated with the evolving threat landscape should be prioritized. Additionally, implementing DDoS protection measures, such as traffic filtering and load balancing, helps safeguard against disruptive DDoS attacks.
