Anonymous Sudan is a threat actor group that emerged in January 2023 and has since drawn attention with a campaign of distributed denial-of-service (DDoS) attacks against targets worldwide. The group has hit a wide range of countries, including Sweden, the Netherlands, Denmark, Australia, France, Israel, Germany, the UAE, the US, and Iran. Its targets span critical infrastructure and numerous sectors, including financial services, aviation, education, healthcare, software, and government entities.

Microsoft tracks the group as “Storm-1359”. The group has claimed responsibility for several high-profile DDoS attacks, and the tactics, techniques, and procedures (TTPs) observed during these attacks have included:

  • HTTP(S) flood: a layer-7 volumetric attack that exhausts server resources by forcing a high volume of SSL/TLS handshakes and HTTP(S) request processing. Because every request is a well-formed HTTP request, the traffic is harder to separate from legitimate load than a network-layer flood.
  • Cache bypass: requests are crafted so that they miss the CDN cache (for example by varying the query string or requesting paths that are never cacheable), so each one is forwarded to, and must be served by, the origin. This can overload the origin servers that the CDN layer was meant to shield.
  • Slowloris: a low-bandwidth attack in which the client opens many connections and sends partial HTTP request headers at a slow rate, never completing the request. The web server keeps each connection open waiting for the rest of the headers until its connection pool is exhausted. The related slow-read variant, in which the client requests a resource (e.g., an image) and then reads the response slowly or not at all, has the same effect: the server must keep the connection open and the requested resource in memory.
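The three techniques above leave distinct traces in web server and CDN access logs. The following Python script, an added example that is not code from the page or from any of the cited reports, runs one detector for each over constructed sample log lines. It assumes an nginx-style combined log with the upstream cache status appended as a final field, and it assumes the server logs a 408 with an empty request line ("-") when a client never completes its headers; the IP addresses, paths, and thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log format (this example's assumption, not stated on the page): nginx-style
# combined log with $upstream_cache_status appended, i.e.
#   $remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_cache_status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<cache>\S+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""  # "" when no request line was completed
    return rec

def detect_http_flood(records, window_s=10, threshold=100):
    """Flag IPs whose peak request count in any window_s-second sliding window reaches threshold."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def detect_cache_bypass(records, min_requests=20, miss_ratio=0.9, unique_ratio=0.8):
    """Flag IPs whose requests mostly miss the cache AND mostly carry unique query strings.
    A cache-busting client randomises the query string so every request reaches the origin;
    a busy but honest client repeating the same cacheable URL is not flagged."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:
            continue
        misses = sum(1 for r in recs if r["cache"] in ("MISS", "BYPASS", "EXPIRED"))
        queries = {urlsplit(r["path"]).query for r in recs}
        mr, ur = misses / len(recs), len(queries) / len(recs)
        if mr >= miss_ratio and ur >= unique_ratio:
            flagged[ip] = {"requests": len(recs), "miss_ratio": round(mr, 2),
                           "unique_query_ratio": round(ur, 2)}
    return flagged

def detect_slowloris(records, min_timeouts=10):
    """Flag IPs that repeatedly hit the request-header timeout. Assumption: the server logs
    a 408 with no request line ("-") when a client never completes its headers, which is
    the Slowloris pattern (partial headers sent slowly to hold the connection open)."""
    timeouts = Counter(r["ip"] for r in records
                       if r["status"] == "408" and r["request"] in ("", "-"))
    return {ip: n for ip, n in timeouts.items() if n >= min_timeouts}

def analyze(lines):
    """Run all three detectors over raw log lines and return their findings."""
    records = [rec for rec in map(parse_line, lines) if rec is not None]
    return {"http_flood": detect_http_flood(records),
            "cache_bypass": detect_cache_bypass(records),
            "slowloris": detect_slowloris(records)}

def build_sample_log():
    """Constructed sample log lines (not real traffic) that exercise each detector."""
    t = "01/Jun/2023:12:00:%02d +0000"
    lines = []
    for i in range(120):  # flood + cache bypass: 120 requests in 5 s, fresh query string each time
        lines.append(f'203.0.113.10 - - [{t % (i // 24)}] "GET /catalog?cb={i} HTTP/1.1" '
                     f'200 5120 "-" "Mozilla/5.0" MISS')
    for i in range(5):    # ordinary visitor: a few cached page loads
        lines.append(f'198.51.100.7 - - [{t % (i * 10)}] "GET /index.html HTTP/1.1" '
                     f'200 2048 "-" "Mozilla/5.0" HIT')
    for i in range(30):   # busy but honest client: same query every time, served from cache
        lines.append(f'198.51.100.9 - - [{t % i}] "GET /api/search?q=shoes HTTP/1.1" '
                     f'200 900 "-" "curl/8.0" HIT')
    for i in range(15):   # Slowloris indicator: header timeouts with no request line at all
        lines.append(f'203.0.113.77 - - [{t % i}] "-" 408 0 "-" "-" -')
    return lines

if __name__ == "__main__":
    for detector, hits in analyze(build_sample_log()).items():
        print(f"{detector}: {hits}")
```

Run against the constructed sample, the flood and cache-bypass detectors both flag 203.0.113.10, the Slowloris detector flags 203.0.113.77, and the two honest clients are left alone. The thresholds are starting points only and must be tuned per site; in a real deployment the cache-bypass signal should come from the CDN's own logs, because the origin only ever sees the requests that already got through.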

Anonymous Sudan has claimed an affiliation with the pro-Russian hacktivist collective Killnet, an affiliation that was publicly confirmed in February 2023. The extent of that affiliation remains unclear. Truesec’s analysis (see sources) assesses that Anonymous Sudan may be a Russian state-sponsored operation masquerading as Sudanese hacktivists with Islamist motivations, providing cover for attacks on Western (or Western-aligned) entities. Running public-facing social media accounts under a “hacktivist” banner is consistent with TTPs previously employed by Russian state-sponsored adversaries.

Despite its name, the group appears to have no actual connection to the country of Sudan, nor to the earlier Anonymous-branded group that operated there. The group has posted in English, Russian, and more recently Arabic across its online channels. Its attacks have often been framed as responses to perceived offenses against Islam: for example, it attacked numerous Scandinavian entities after Rasmus Paludan, a Danish-Swedish politician, burned a copy of the Quran at an anti-Islam protest he organized in front of the Turkish Embassy in Stockholm.

The group communicates primarily through its official Telegram channel, where it announces targets and claims responsibility for attacks. The channel’s listed user location is Russia, which further suggests a connection to Russian actors, although this field is self-reported and is a weak attribution signal on its own.

Sources:

For a more detailed timeline of Anonymous Sudan’s recent DDoS attacks and claims, refer to the Flashpoint article.

  1. Flashpoint – Timeline of Anonymous Sudan’s DDoS attacks and claims
  2. Truesec – Threat Intelligence Report about “Anonymous Sudan”
  3. SOCRadar – Dark Web Profile: KillNet Anonymous Sudan
  4. Malpedia – Anonymous Sudan