Anonymous Sudan: neither anonymous nor Sudanese

Microsoft Outlook, UPS, and Scandinavian Airlines all fell victim recently to attacks by the group known as Anonymous Sudan. However, experts we’ve spoken to believe the group is most likely a pro-Kremlin pet project for spreading a pro-Russian agenda.

Anonymous Sudan has been difficult to avoid recently. The group’s successful distributed denial-of-service (DDoS) attacks disrupted the website of Scandinavian Airlines (SAS) and even took down the Microsoft 365 software suite, including Teams and Outlook.

While the gang is supposedly an anti-Western pro-Islam hacker collective, the group’s origins and modus operandi strongly point to Anonymous Sudan being a “Made in Russia” project with the kind of solid financial backing that regular hacktivists can seldom afford.

“KillNet are likely running this for someone else who is paying them. Since everything Anonymous Sudan does seems to fit the Kremlin’s narrative, we assume that it comes from Russia and is [supported by] someone in the Russian government, or at least someone in the sphere around the Russian leadership,” Mattias Wåhlén, a threat intelligence expert at Truesec, told Cybernews.

Image: Anonymous Sudan's message on joining with Killnet for an attack. Image by Cybernews.

Where did Anonymous Sudan come from?

Anonymous Sudan surfaced as a Russian-speaking Telegram channel in mid-January of this year. The gang took the moniker of a 2019 hacking operation by the original Anonymous collective, whose members quickly distanced themselves from the newcomer.

Initially, the group tried to capitalize on the furor surrounding instances of desecrating the Quran, which would fit the narrative of outraged hacktivists from a primarily Muslim country.

However, there’s also no provable link between Anonymous Sudan and the country of Sudan, Jeffrey Bardin, the chief intelligence officer at Treadstone 71, told Cybernews. The supposedly pro-Sudanese group’s posts mainly started in Russian and English, adopting Arabic only later.

“They align with Russia and will not attack any Russian site even though the Quran has been burned inside Russia. They attack anyone that has a Quran burning in their country as long as it is the West or Israel. All others get a pass,” Bardin explained.

Meanwhile, Wåhlén pointed to the group's instant love affair with Killnet, another pro-Russian DDoS group, whose leader openly said he’ll be taking money for attacks that “defend the interests of the Russian Federation.”


Is Anonymous Sudan tied to Killnet?

Killnet’s ties with Anonymous Sudan are hard to ignore. For one, both groups target organizations in the West: Killnet under the guise of defending Russia, and Anonymous Sudan under the guise of fending off Western imperialism.

In mid-June this year, both groups and the now-defunct Russian ransomware gang REvil established “Darknet Parliament” to coordinate attacks. Conveniently, Sudan and Moscow are in the same time zone.

“They are obviously tied to this Russian group, Killnet. They’re not part of Killnet as such, but someone has probably paid Killnet to do the DDoS part of this, and I assume that they have found someone to help do the messaging,” Wåhlén said.

For example, Anonymous Sudan started using Arabic only after researchers noted that a gang identifying with an Islamic country conversed mostly in Russian. The group deleted older posts to cover its tracks and started posting in school-taught Arabic, adopting the Sudanese dialect only later.

“[Their messaging] started in Russian, and they just changed it after Truesec wrote a report saying it was strange that they only communicated in Russian. Even if they now communicate in Arabic, it’s obvious that there are still Russians behind it. Anonymous Sudan hasn’t said that those who started the channel are gone or ‘that wasn’t us.’ Another thing is that what they say very much fits a Russian narrative,” Wåhlén said.

How does Anonymous Sudan attack?

The group primarily employs DDoS attacks against “soft targets” without revealing its techniques, Bardin explained. All available data points to Anonymous Sudan relying on layer four (transport-layer) attacks, commonly known in the industry as SYN flood attacks.

“The client sends a SYN packet, the server responds with a SYN ACK, and the client responds to that with an ACK. […] In a SYN flood attack, the attacker sends many SYN packets but never sends the final ACK packet,” Bardin said.

To oversimplify, the attackers overwhelm the victim’s server with a vast number of incomplete connection requests. Each half-open handshake occupies a slot in the server’s connection table while it waits for the final ACK that never arrives, so the server runs out of capacity to answer legitimate clients, which makes a service or website slow and, in worse cases, unresponsive.
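The symptom Bardin describes, many SYNs that never complete the handshake, is also what a defender looks for. The following detector is an added example, not code from the article or from any of the firms quoted; it runs over a constructed trace of handshake events (hypothetical RFC 5737 documentation addresses) and flags a port whose handshake completion rate collapses.

```python
"""Flag SYN-flood symptoms in a trace of TCP handshake events (added example)."""
from collections import defaultdict

# Constructed sample trace of (source_ip, dst_port, flag) tuples, the way a
# capture tool might summarise client-side handshake packets. Two legitimate
# clients complete the handshake (SYN then ACK); the remaining 400 events are
# SYNs from 250 spoofed-looking sources that never send the final ACK.
SAMPLE_EVENTS = [
    ("203.0.113.7", 443, "SYN"), ("203.0.113.7", 443, "ACK"),
    ("198.51.100.9", 443, "SYN"), ("198.51.100.9", 443, "ACK"),
] + [(f"192.0.2.{i % 250 + 1}", 443, "SYN") for i in range(400)]


def half_open_stats(events):
    """Count SYNs and final ACKs per (source, port) over the trace window."""
    syns, acks = defaultdict(int), defaultdict(int)
    for src, port, flag in events:
        if flag == "SYN":
            syns[(src, port)] += 1
        elif flag == "ACK":
            acks[(src, port)] += 1
    return syns, acks


def flood_indicators(events, min_syns=100, max_completion=0.2):
    """Return {port: stats} for ports whose handshakes mostly never complete.

    A port is flagged only when the window holds at least `min_syns` SYNs and
    the fraction of SYNs followed by an ACK from the same source is at or below
    `max_completion`. Normal traffic completes most handshakes; a SYN flood does
    not. Thresholds are illustrative and should be tuned per environment.
    """
    syns, acks = half_open_stats(events)
    port_syn, port_done, port_sources = defaultdict(int), defaultdict(int), defaultdict(set)
    for (src, port), n in syns.items():
        port_syn[port] += n
        # An ACK can only complete a SYN that was actually sent, hence min().
        port_done[port] += min(n, acks.get((src, port), 0))
        port_sources[port].add(src)
    flagged = {}
    for port, n in port_syn.items():
        rate = port_done[port] / n
        if n >= min_syns and rate <= max_completion:
            flagged[port] = {"syns": n, "completed": port_done[port],
                             "completion_rate": round(rate, 3),
                             "distinct_sources": len(port_sources[port])}
    return flagged


if __name__ == "__main__":
    print(flood_indicators(SAMPLE_EVENTS))
```

The same statistic drives common mitigations: once the completion rate on a port collapses, a border device can switch that port to SYN cookies or rate-limit new SYNs per source until handshakes start completing again.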

It’s unlikely that Anonymous Sudan owns any of the numerous devices necessary to launch a large-scale DDoS attack. However, that’s not a problem, as there are many service providers on the dark web who will target whoever a paying client tells them to. That’s where Anonymous Sudan differs from other hacktivist groups.

The collective employs HTTP-based (layer seven) DDoS attacks. While they are much more efficient than traditional volumetric DDoS attacks, they’re also much more expensive and not frequently used by hacktivists who rely on crowdfunding or internal resources to finance their activities.

“Anonymous Sudan are conducting quite expensive DDoS attacks. They appear to have large funds available. Someone is paying them. I seriously doubt they operate on donations from Sudan. My guess is it’s someone who is supporting the Russian agenda. Maybe FSB or some oligarch. I don’t know, but that’s my guess,” Wåhlén said.


Who’s behind Anonymous Sudan?

The short answer is that apart from the people behind Anonymous Sudan, nobody really knows. However, since the Anonymous collective distanced itself from the group and there’s no actual link between the state of Sudan and the group, it seems the gang’s name serves more as a distraction than something indicative of its intentions.

The fact that the gang started posting in Russian and closely coordinated with Killnet and its leader Killmilk points to some overlap between the two. Not that either group would avoid public connections, with recent comments on the “Darknet parliament” suggesting an alliance between the two.

A recent study by cybersecurity firm CyberCX states that the way Anonymous Sudan operates, communicates, and who it affiliates with points to the group being linked with the Russian state — the supposed hacktivism of the group serving as a convenient smokescreen to disrupt Western organizations.

Or, in other words, “if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.”