- Table of contents
The Cyberint Research Team work round the clock to unearth the latest threats to SMBs and enterprises. They are on top of the latest TTPs and monitor rising threat groups, malwares and trends.
Table of contents
Behind the Mask of Anonymous Sudan: An Analysis
Originally Published: August 9 2023
Anonymous Sudan is a rapidly expanding and influential group of hacktivists that identify themselves as Sudanese, motivated by both religious and political beliefs. Since January 2023, they have been carrying out distributed denial-of-service (DoS) attacks, allegedly motivated by defending Islam against Western nations. These attacks have disrupted critical infrastructure and various global sectors, including finance and healthcare.
The Cyberint Research Team has been closely monitoring the group’s activities since their inception, as this unique threat actor group conducted over 670 attacks in the first 6 months of its activity, demonstrating impressive capabilities. Notably, Anonymous Sudan gained attention for their high-profile attacks, including successfully attacking Microsoft’s Outlook service, drawing worldwide scrutiny.
Distinct from solitary threat groups, Anonymous Sudan has established intriguing connections with other threat actors, raising further concerns.
In December 2023 Cyberint detected that Anonymous Sudan claimed responsibility for disrupting the Discord login page in collaboration with SKYNET and GodzillaBotnet. This action stands among a series of recent collaborative attacks the groups executed.
Anonymous Sudan has targeted many countries over the past six months. Most of the attacks took place in Sweden, Israel, the U.S., Denmark, France, Australia, Netherlands, UAE, and more. These attacks have impacted critical infrastructures and diverse global sectors, including financial services, transportation, education, healthcare, software, and government entities. Among the big names Anonymous Sudan was able to attack are Microsoft, Twitter, PayPal, Scandinavian Airlines, and big banks including the Bank of America.
Since first arriving on the scene, the group has carried out more than 670 attacks. Although the group has consistently targeted countries, such as Israel and the United States from the outset, it does tend to adopt a “blitz” approach when it attacks. In other words, the group usually initiates a concentrated series of attacks on multiple interfaces related to the targeted country it is focusing on at the time.
In many cases, the group points to a recent event in the targeted country as the reason for its attacks.
Anonymous Sudan Attack Analysis
The Cyberint research team has closely monitored and tracked the activities of Anonymous Sudan to analyze its methods, observe emerging trends, and uncover operational patterns. Below are the key findings of Anonymous Sudan’s victim analysis:
Upon analyzing the group’s activity, we observed that since its inception, its most active months, in terms of the number of attacks, were February (shortly after the group’s establishment) and April. A plausible explanation for this pattern could be that during its early stages, the group sought to draw attention to its actions and begun with a flurry of activity.
During the month of April, as part of its “OpIsrael” campaign, Anonymous Sudan launched over 70 attacks on Israeli targets, resulting in a significant surge in activity and victim count during that particular period.
This section of the report also provides a detailed breakdown of the group’s targeted countries on a monthly basis. As previously mentioned, the analysis reveals a distinct pattern where the group tends to launch concentrated blitz attacks on specific countries, investing considerable time and effort in these attacks. This strategy has garnered significant attention from both the media and the cybersecurity community due to its intensity and impact.
Moreover, it’sevident that the group constantly targets certain countries, even if not as part of a blitz. Israel and the United States stand out as two of the most frequently revisited victims, with the United States experiencing attacks every month since the group’s inception.
Profiling the Victims
When we examined the victims targeted by Anonymous Sudan, analysis of their sectors and company sizes revealed interesting insights.
Firstly, the most targeted sectors were transportation, government, education, and healthcare. This trend can be attributed to several factors: These sectors tend to draw significant attention from the media, which could amplify the impact of the attacks. Additionally, targeting these areas may affect a large number of people, potentially increasing the group’s desired outcome. Another consideration could be the ease of executing successful Distributed Denial of Service (DDoS) attacks on interfaces within these sectors.
Upon examining the sizes and revenue of the victims targeted by Anonymous Sudan, we made an intriguing discovery. Rather than targeting large-scale enterprises, the group appears to focus on smaller entities, which might be perceived as more vulnerable and “easy” to attack. This tactic allows them to collect a significant number of victims and bolster their reputation as a powerful threat group.
While the group demonstrated its strong and surprising capabilities by successfully attacking renowned, well-secured organizations like Microsoft and the security company Checkpoint, which were previously considered almost untouchable from a security standpoint, it is important to note that these high-profile attacks are in the minority.
Anonymous Sudan has directed its attacks against various countries, including Sweden, Israel, and the United States, as well as other Western countries or nations perceived by the group as opposed to Islam or targets of their affiliated Russian threat actors group. Examining the most targeted countries reveals that Sweden is in top position, with over 24% of the attacks. Israel follows closely behind with 21%, while the United States comes in third with 10%. Denmark, France, Netherlands, and several others have also been subject to the group’s attacks.
The initial target of Anonymous Sudan also became the most heavily impacted victim of the group’s attacks. Sweden was the first country to experience the group’s coordinated attacks on multiple interfaces within the nation. These interfaces included critical institutions such as Sweden’s central bank, embassies, armed forces, and airport.
According to Anonymous Sudan’s own statements, their attack on Sweden was a response to the actions of a far-right activist, Rasmus Paludan, who holds dual Danish and Swedish citizenship. Paludan burned a copy of the Quran in Sweden on January 21, 2023, and declared his intention to continue such acts in Denmark, prompting the group to also target Denmark shortly thereafter.
However, it is important to note that there could be additional contributing factors leading to the substantial number of attacks on Sweden, which have surpassed 150 incidents.
Notably, Sweden had recently provided significant military aid to Ukraine, including advanced artillery and air defense weapons, amounting to hundreds of millions of dollars. This event could have triggered the attacks, given Anonymous Sudan’s strong connections with Russian groups, as we will discuss further in this report.
When analyzing all the victims in Sweden, it becomes evident that the group is primarily focused on attacking interfaces within the transportation, education, and government sectors. Among the notable attacks were Swedbank, Scandinavian Airlines (SAS), and big healthcare firms.
When analyzing the campaign targeting Sweden, we can see that the majority of attacks occurred in February. In addition, it seems that after April, the group stopped targeting Sweden and moved on to other countries.
Israel ranked as the second most targeted country by Anonymous Sudan, with over 70 attacks accounting for more than 20% of the total victims. While the OpIsrael campaign and a military operation received a significant proportion of the targeting last May, it appears that Anonymous Sudan has persistently attacked Israel nearly every month since the group’s inception. The primary motivation behind these repeated attacks, as the group stated, is the Israeli-Palestinian conflict.
In April, during the OpIsrael month, Anonymous Sudan conducted over 70 attacks on
Israeli interfaces. The OpIsrael campaign, which has come to be associated with April 7, usually takes place around that date. However, in recent years, Cyberint research has noticed that attacks now occur throughout the entire month of April.
Despite targeting Israel extensively during OpIsrael, and referring to April 7 in their statement, Anonymous Sudan has never used the “OpIsrael” hashtag, which is commonly used by hacktivist groups engaging in attacks on Israel during this period. This raises questions about whether they truly operate as a hacktivist group, especially considering their use of the “Anonymous” name without ever adhering to the standard “Op” hashtag typically associated with Anonymous’ actions and campaigns.
On May 9, 2023, Israel launched airstrikes on the Gaza Strip in response to a rocket attack by the Palestinian Islamic Jihad (PIJ). In retaliation, the PIJ launched multiple rocket barrages at Israel, resulting in air raid sirens being activated in several Israeli cities. This escalation led to a four-day military operation by Israel codenamed “Operation Shield and Arrow,” against the PIJ in the Gaza Strip.
During the military operation, Anonymous Sudan launched numerous attacks on Israeli interfaces in solidarity with the Palestinian cause. Israeli news sites were mainly targeted, and the group claimed to have attacked the Iron Dome and Israel’s electricity infrastructure. These claims were later proven to be false. Interestingly, Anonymous Sudan hinted at possible cooperation with forces in Gaza during these attacks.
After conducting a thorough analysis of the victims in Israel, it became clear that the group’s main focus was on attacking interfaces within the government, business services (primarily software companies), and the education sector. Among the targets were prominent Israeli banks, security companies like Check Point and Radware, well-known news sites, and major universities.
*The “entertainment” category primarily encompassed news sites targeted during Operation Shield and Arrow.
Israel – Hamas War
Anonymous Sudan has been very active during the war that began October 7th 2023. Here are some key moments so far:
- Anonymous Sudan posted in November that they have uncovered the identity of the person behind the Red Evils Israeli activist group and published their personal Telegram username and name. Additionally, they claim that this individual requested that Anonymous Sudan conduct a DDoS attack on their behalf.
- Anonymous Sudan, in collaboration with SKYNET and the GodzillaBotnet threat actor group, claimed responsibility for conducting a DDoS attack on ChatGPT. This resulted in the AI platform being inaccessible for about an hour on December 13th. The collective alleged that the motive behind the attack was the platform’s association with Israel, explicitly referencing Tal Broda, the Head of Research Platform at OpenAI, and his support in Israel through social media posts.
- The anonymous global movement created two websites that, with a press of a button, can target ransom Israeli targets. The website was free for all and encourages individuals from all over the world to take part in Anonymous campaigns. The websites are stored on two main IPs:
Anonymous also claimed that with these sites, people helped target several websites belonging to the Finance and Media sectors in Israel.
The United States is in third position among the countries most targeted by Anonymous Sudan. It is noteworthy that the US has been the only country to experience persistent attacks from Anonymous Sudan since the group’s emergence, with attacks being carried out American victims every month. The first attack on the US occurred on January 26, merely eight days after the group’s creation, with a significant first target – PayPal.
Anonymous Sudan publicly stated that their cyberattacks on the US were carried out in direct response to the US Secretary of State’s remarks, which hinted at the potential of an American invasion of Sudan.
The group asserted that their actions form part of an ongoing campaign targeting US companies and infrastructure. Moreover, they did not hide their additional motivation for the attacks, as they view the US as an adversary of Russia.
After conducting an in-depth analysis of the victims in the US, the Cyberint research team observed that the group’s primary focus was on attacking interfaces in the business services (mostly software companies), healthcare, and manufacturing sector.
Anonymous Sudan has consistently targeted significant entities in America, including companies like Microsoft, Azure, LinkedIn, Twitter, Reddit, Bank of America, American Express, as well as critical organizations such as the U.S. Department of Defense and the Department of Homeland Security. The list goes on, with numerous high-profile American global companies affected, and with the impact felt by not only Americans but by users worldwide.
The group’s ability to carry out successful attacks on such significant interfaces has attracted considerable attention. As these attacks gained widespread recognition, numerous people became aware of the group’s activities, and even Microsoft publicly acknowledged that they were among the victims of Anonymous Sudan’s attacks.
Additionally, the group claimed to possess a database of 30 million Microsoft users that they were willing to sell. However, Microsoft later refuted this claim, denying any data breach of that magnitude.
Another significant attack on a US company was directed at the popular fan fiction repository Archive of Our Own (Ao3). Although this attack is one of many by Anonymous Sudan on American companies, it is unique in some ways. Firstly, it stands out as one of the few instances where Anonymous Sudan demanded a ransom in return for ending the attack and vowed not to strike again.
Secondly, the group not only stated that the attack was part of their broader campaign against American companies and organizations, but also explicitly expressed opposition to what they perceived as “degeneracy” on the site, particularly LGBTQ+ and NSFW content. This marks the first time the group has cited such reasons for targeting a company and publicly declared its stance against the LGBTQ+ community. This statement is surprising for a hacktivist group that typically advocates for human rights and targets objectives that harm all humans indiscriminately.
Anonymous Sudan’s Origins and Affiliates: What Do We Know?
Anonymous Sudan’s authenticity as a hacktivist group is increasingly doubtful, given the sophisticated nature of their attacks, which undermines their assertion that they are a volunteer group from an economically challenged East African country. The significant financial resources behind their attacks raise suspicions of potential state sponsorship or backing from wealthy entities.
Notably, the group communicates in three main languages, namely English, Russian, and Arabic. However, the Cyberint research team has noticed that it took a month for Anonymous Sudan to publish a post in Arabic on their Telegram channel, shortly after security researchers started questioning their ideological affiliations. Such findings raise doubts about their actual origin and the reason behind the majority of their posts not being in the language they claim to be native to, especially as they address a primarily Muslim audience.
Connection To Russia
On January 25, shortly after the group’s inception, Anonymous Sudan joined forces in an attack with the Killnet threat actor group. Subsequently, on February 19, both groups publicly declared that Anonymous Sudan officially became a member of Killnet, while continuing to maintain its claim of operating with an Islamic agenda and originating from Sudan.
Furthermore, on June 14, both Anonymous Sudan and Killnet began collaborating with another Russian group, REvil, to carry out large-scale attacks.
Killnet and REvil are known as pro-Russian groups, with distinct attack patterns – Killnet specializing in DDoS attacks and REvil focusing on ransomware.
The fact that the group chooses to engage in this collaboration may point to motives beyond mere naive support and goodwill among the parties. This alliance likely allows the group to carry out more sophisticated and potent attacks by leveraging the assistance and effective capabilities of the other collaborating groups. Given that Anonymous Sudan’s primary modus operandi is DDoS attacks, the support from other groups attacking the same victims simultaneously can significantly boost the success of their attacks. Furthermore, this collaboration might suggest that Anonymous Sudan has been integral to a larger collective of Pro-Russian groups from the beginning.
Apart from their explicit cooperation, as publicly stated in their Telegram groups, several factors also suggest a potential link between Anonymous Sudan and other pro-Russian, suspected state-sponsored threat actors groups like Killnet and REvil. One is their shared preference for DDoS attacks as the primary method of attack. Furthermore, many of Anonymous Sudan’s Telegram posts are in Russian (with some in English), and their targets align with nations supporting Ukraine in its conflict with Russia, indicating a possible Russian connection.
However, the Cyberint research team made an important observation: While Anonymous Sudan targets countries supporting Ukraine, they have never engaged in direct attacks against Ukraine itself. This strategic approach may be an effort to maintain their claim of not being related to Russia, and are not operating on behalf of Russian interests.
Despite the group’s persistent insistence on its Sudanese origin, the geolocation of their Telegram group was traced to Russia. Additionally, while the group’s activity appears to align with Sudanese time (UTC-3), it’s essential to note that this time zone also covers Eastern Europe, including Moscow.
From the Cyberint research team’s perspective, the potential connection between Anonymous Sudan and Russia can be explored using two hypotheses.
One suggests that Anonymous Sudan is and has always been part of Killnet, potentially involving members from Eastern Europe alongside other threat actors supporting a Muslim agenda with similar objectives.
The second hypothesis proposes that Anonymous Sudan could be a state-sponsored Russian group adopting a Sudanese identity, and utilizing Islamist motivations as a cover for their attacks against Western or Western-aligned entities.
Connection To Iran
Recently, it was revealed that among the escalating military collaboration between Iran and Russia during the Ukraine war, Moscow has been providing Tehran with advanced digital surveillance capabilities and cyber assistance.
While the victims of Anonymous Sudan may not seem directly linked solely to an Islamic or Pro-Russian agenda, the Cyberint research team’s analysis reveals an interesting finding. Upon closer examination of all the victims, it becomes evident that the attacks may serve the interests of both Russia and Iran separately, indicating potentially complex motivations behind their actions.
Despite Israel’s support for Ukraine during its war with Russia, the group’s massive attacks on Israeli victims during OpIsrael last April, and the ongoing attacks that continue to this day, do not appear to solely serve pro-Russian interests.
The scale of these attacks raises questions about their motives, hinting at a more complex agenda that could align with Iranian aims.
These considerations may shed light on Anonymous Sudan’s real agenda and the selection of their attack victims if the group is indeed based on a Iranian-Russian collaboration. It is also possible that the group aims to use its Islamic affiliation to promote closer cooperation between Russia and the Islamic world, with members originating coming from various geographical backgrounds.
Confusing actions and agenda
Although Anonymous Sudan claims to have a strong Islamic and Sudanese protective agenda for their attacks, their actions sometimes appear contradictory.
While some attacks seem directly related to victims who attack Muslim people or their beliefs, others appear unrelated. For instance, during the initial stages of their attacks, the majority of victims seemed to be involved in anti-Islamic activities, but later on, the targets became more diverse, including entities like PayPal and Reddit, which have no apparent connection to anti-Islamic activities. This has led to concerns that the group may be acting as hired mercenaries, utilizing their formidable capabilities to harm whoever pays them.
In addition, the group’s demand for ransom during some of their attacks caught Cyberint’s attention due to the irregular and seemingly random nature of the amounts they asked for. For instance, they asked for a ransom ranging from $3,500 to $3,000,000 from SAS (Figure 1,2) and only $50,000 for what they claimed was a leak of 30 million Microsoft accounts. Their explanation that the money would be used to help people in Sudan appears questionable, as it is uncommon for hacktivist groups to seek financial gain in the name of revenge.
Another point of suspicion is the highly organized and regular nature of Anonymous Sudan’s attacks, which occur more or less at the same times each day and use a consistent format. This level of precision seems unusual for a group of individuals operating based on their beliefs as a hacktivist organization.
Given the impressive DDoS abilities and doubts about Anonymous Sudan’s actual origin in Sudan, their true intentions remain uncertain. The diverse selection of victims raises questions about their motives and future actions, making discerning their clear objectives a challenge. The Cyberint research team’s assumption is that the group will likely launch blitz attacks on various countries of their choice, but they might also keep targeting states like the US and Israel repeatedly.
Over the course of 2023, Anonymous Sudan’s Telegram channel has experienced a meteoric rise in popularity, garnering more than 100,000 followers. This explosive growth is particularly striking when considering that just three months earlier, in April, their channel had only 13,000 subscribers. Such an exponential surge points to their increasing influence and appeal to a wider audience, and it is evident that their presence is making waves in the cyber community.
Anonymous Sudan operates two official Telegram channels. One, “Anonymous Sudan”, serves as their very active announcement channel, exclusively used by the group to share any new information about their activities. The second, called “AnonymousSudan Chat,” serves as a community space where followers can comment, make requests, and engage with the group. Additionally, they operate a Telegram bot that allows individuals to interact with the group on a personal channel.
Anonymous Sudan is actively engaged with their audience, reading and responding to comments and discussions about their actions. Notably, they even involve their followers and supporters in the selection of their targets, creating a sense of community and belonging among their rapidly growing fan base.
Craving Publicity and Public Recognition
One of the group’s prominent traits is a fondness for attention. They are anything but discreet and actively pursue publicity, enjoying the recognition they receive from the public. Their Telegram channel serves as a focal point for sharing articles and reports about them, often accompanied by their own comments on what is written. Moreover, they highlight their accomplishments on various other channels to reach a wider audience.
Additionally, members of Anonymous Sudan frequently agree to be interviewed, using these opportunities to spread their agenda as widely as possible or, at the very least, attempt to convince others of their dedication to this cause.
Anonymous Sudan shows a remarkable awareness of world events, especially when it comes to their attacks on Israel. For example, in April 2023, they quickly responded to Hamas launching attacks on Israel by launching their own offensive actions within minutes. This shows how alert and connected they are to unfolding events, making them a formidable presence in the digital world.
The group has a tendency to disclose their intentions on Telegram before carrying out attacks on their victims, as observed in most cases. This pre-attack disclosure on Telegram serves as a means to communicate their motives and possibly attract attention and support from like-minded individuals or groups.
The DDoS attacks carried out by Anonymous Sudan are a serious threat and have the potential to disrupt essential services such as government operations, health facilities, and airport services. The group utilizes a combination of Web DDoS attacks, UDP floods, and SYN floods originating from tens of thousands of unique source IP addresses, enabling them to generate up to 600Gbps of UDP traffic and several million RPS of HTTPS request floods.
To orchestrate these attacks, Anonymous Sudan employs public cloud server infrastructure to generate traffic and attack floods while utilizing free and open proxy infrastructures to conceal and randomize the attack sources. Their DDoS attacks primarily target the application layer through HTTP(S) flooding, using randomized request headers and arguments, suggesting a coordinated effort among traffic sources.
Evidence indicates that the group employs paid proxies to obscure their identity further, indicating significant funding and resources to sustain their DDoS operations. Since January 2023, Anonymous Sudan has likely spent tens of thousands of dollars to maintain their DDoS capabilities, a substantial amount for an ideologically motivated group and particularly suspicious for a group claiming to originate from Sudan.
Overall, Anonymous Sudan’s well-funded and coordinated DDoS operations pose a serious and ongoing threat, as their attacks have previously demonstrated severe consequences and are likely to persist in the future.
The Cyberint research team has closely monitored the activities of Anonymous Sudan from its inception until the present day. Initially perceived as a hacktivist group with limited impact on the cyber security world, it quickly proved itself as a powerful entity capable of harming even major companies.
This group poses a significant threat that should concern all companies and governments across various sectors, as they have shown a willingness to target anyone, seemingly without predictable patterns. As they continue to attract attention and followers, Anonymous Sudan may increasingly focus on additional high-profile targets alongside their attacks on low-hanging fruit and less secure victims.
The Cyberint research team also suspects that Anonymous Sudan might eventually merge with Killnet and exclusively work for, or with, them, as they have claimed to be part of the Killnet family, or possibly originating from it and are just seeking more attention or expanding cooperation with the Islamic world.
Anonymous Sudan’s associations with other threat actor groups, their collaborative efforts, and mutual support could potentially inspire other threat actors to join forces and leverage their combined capabilities to carry out more aggressive and successful attacks against shared targets. Even though it’s not uncommon for threat actor groups to collaborate, Anonymous Sudan’s approach stands out. They openly support and celebrate the achievements of other groups, making their cooperation more public and noticeable than other cases.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. We enrich our automated collection with a human approach, through research and analysis of our military-grade expert team.
Find new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and difficult to track. Get deep analysis and reports, that allow you to understand a specific threat actor and group profiling, including the places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep & dark web.