Anonymous Sudan has been active since January 2023, making consistent headlines. To date, Anonymous Sudan’s DDoS attacks have targeted Sweden, Netherlands, Denmark, Australia, France, Israel, Germany, UAE, the US, and even Iran – while affecting critical infrastructure and numerous global sectors.
These include financial services, aviation, education, healthcare, software, and government entities. Recently, even Microsoft announced that it had fallen victim to DDoS attacks executed by Anonymous Sudan.
Since its inception, there has been speculation as to the origins, ideologies, and motivations of Anonymous Sudan. They have posted in English, Russian, and more recently Arabic, across their online channels. However, in spite of its name, it appears that the group has no actual connections to the country of Sudan.
So, who is behind Anonymous Sudan?
Where Does Anonymous Sudan Come From?
Evidence relating to the provenance of Anonymous Sudan suggests an affiliation with the pro-Russian hacktivist collective Killnet, which it confirmed in February 2023. However, that affiliation is still being evaluated. Evidence also suggests that Anonymous Sudan is likely state-sponsored Russian actors masquerading as Sudanese nations with Islamist motivations, as cover for their actions against Western (or Western-aligned) entities.
Similarly to all other areas of offensive cyber, state-sponsored attacks are more sophisticated and employ more resources, thus cease to be insured – as we’ve reported previously. Lloyd’s, one of the leading global insurance companies, announced earlier this year that it will exclude liability for losses arising from any state-backed cyberattack.
Anonymous Sudan’s selective targeting of countries for attacks based on whether or not they have “burned the Quran”, for example, is puzzling. They will attack Western or Israeli countries but they will not attack Russia, even though the Quran has been burned there as well, or China were Muslim minorities have been persecuted. This suggests that the group’s motivations are not entirely religious, but may also be political.
How Are They Funded?
Similar to Killnet, Anonymous Sudan has claimed disruptions to several high-profile victims, and the use of social media and public-facing accounts under the “hacktivist” banner is consistent with tactics employed by Russian state-sponsored adversaries. In February 2023, Anonymous Sudan confirmed its affiliation with Killnet, but given the nature of the group, one cannot be certain of anything they claim.
Anonymous Sudan is unlikely to own the many devices necessary to launch a large-scale DDoS attack. However, there are many DDoS-as-a-service providers who will target whoever their client pays them to attack. This is where Anonymous Sudan differs from other hacktivist groups: they conduct expensive DDoS attacks, which suggests they have large funds available, and these funds are unlikely to come from Sudan.
High-Profile DDoS Attacks
Since January, Anonymous Sudan has successfully attacked many high-profile organizations and governments. Here’s a quick recap:
In January, they attacked the governments of Sweden, the Netherlands, and Denmark. Later, in February they launched a large-scale attack against Air France.
Come March, they launched a multi-vectored and large-scale attack against Australian organizations, including healthcare, aviation, and education organizations, when a Melbourne fashion label featured the Arabic for “God” on garments.
In April, Anonymous Sudan spearheaded the #OpIsrael campaign, attacking Israeli organizations such as the Haifa Port, Israel Ports Development, the National Insurance Institute, and Mossad, Israel’s national intelligence agency, multiple banks, and more.
When May rolled in, they attacked several banks in the UAE, and later that month, they launched a successful and highly damaging attack on the website and mobile app of Scandinavian Airlines (SAS), knocking them offline, affecting all flight activities, and stranding passengers. This malicious attack included a ransom demand, and it is unclear if the ransom was paid.
In June of 2023, Anonymous Sudan attacked Microsoft, which eventually confirmed the attack on June 16. The high-profile attack caused outages and disruptions to multiple Microsoft products and services, including Azure, Outlook, and more.
Later in June, they claimed to have attacked the SWIFT payment system in collaboration with KillNet, and the European Investment Bank, which indeed confirmed the DDoS attack. All of these attacks, and more, are detailed in our monthly attack roundups.
How to Defend Against Anonymous Sudan?
There’s no doubt that Anonymous Sudan has become one of the leading DDoS threat actors of 2023, as they seem to be the most vocal and successful attacker group around. Organizations must take into account that whenever Anonymous Sudan posts a threat to attack, they usually succeed – which is evidence that the only reason these DDoS attacks succeed is that the victim’s DDoS protection was vulnerable.
Organizations must prioritize their DDoS security, especially after CISA, the Cybersecurity & Infrastructure Security Agency, issued an official warning regarding targeted DDoS attacks against multiple organizations in multiple sectors. CISA highly recommends performing testing of your DDoS protection on a regular basis to quickly identify vulnerabilities and avoid a damaging DDoS attack. Organizations can adopt CISA’s recommendations for DDoS security, validate their DDoS protection, and achieve true DDoS resilience with RADAR™.
