A hacktivist group with the moniker Anonymous Sudan is a small Russian-funded misinformation operation with no connection to Sudan, according to researchers at CyberCX.
Founded early this year, Anonymous Sudan has claimed responsibility for a number of distributed denial of service (DDoS) attacks, purportedly carried out in response to the anti-Islamic views or actions of Western organizations.
But in an intelligence update published on Monday, Australian-based cybersecurity firm CyberCX said Anonymous Sudan was set up to create “a smokescreen for Russian interests” by spreading propaganda and disinformation, and tying up Western cyber defense resources.
As a member of the pro-Russia KillNet hacktivist collective, Anonymous Sudan followed the KillNet playbook: doing all it could to seek publicity, often exaggerating the success of its attacks to “create public chaos and uncertainty,” according to the CyberCX report A Bear in Wolf’s Clothing.
No honor among cyber criminals: Group is not what it seems
After analyzing a series of DDoS attacks against Australian organizations Anonymous Sudan claimed it was responsible for, CyberCX concluded the group had made extensive use of paid proxy servers and upstream cloud infrastructure.
“Given the likely use of paid infrastructure since January 2023, Anonymous Sudan has plausibly expended tens of thousands of dollars to sustain its DDoS operations. We assess that substantial use of paid infrastructure is highly suspect for any ideologically motivated group,” the report said.
“Anonymous Sudan’s likely infrastructure costs are particularly suspect for a group claiming to originate from Sudan, a nation with a well-below global estimated average household income of US $460 per year.”
The group consistently scheduled its attacks for certain times of the day and operated “with a level of coordination unusual for a collective of issue motivated hacktivists”.
“Most authentic grassroots hacktivist organizations observed by CyberCX plan activities in an at least semi-public way, discussing targeting and coordinating operations in forums and group chats. Anonymous Sudan declares specific targets as it attacks, implying it is a closely held operation.”
In an interview, CyberCX’s director of cyber intelligence and public policy, Katherine Mansted, told SC Media that Anonymous Sudan posed an unusual threat because it did not fit the mold of a typical threat actor.
“When we think about cybercrime, we’re looking to see monetization. When we’re thinking about nation states, we’re looking to see a clear command and control signal from a foreign government,” she said.
“This falls right in between because it’s neither criminal nor clearly nation state, and that leaves defenders caught short because they think they’re defending against a pretty low level, ideologically motivated actor. It also potentially catches governments in a blind spot because they don’t have a playbook for responding to this.”
Anonymous Sudan’s expensive Australian campaign
CyberCX investigated Anonymous Sudan’s involvement in a wider hacktivist campaign in March when the group claimed to have conducted DDoS attacks against at least 24 Australian organizations following “a provocative act against the feelings of Muslims”.
The campaign was initiated by a purportedly Pakistani hacktivist group in response to criticism over clothing bearing the Arabic text “God walks with me” being displayed at a fashion festival in Melbourne, Australia.
CyberCX’s investigation revealed that, unlike most grassroots hacktivist collectives, Anonymous Sudan could afford to use paid proxy services to conduct its attacks.
“[Anonymous Sudan’s attack] was some of the most high-intensity DDoS activity we have seen for a long time and for some of the organizations hit – we're talking mature, critical infrastructure providers – it was some of the most, if not the most, significant DDoS that their organization had experienced,” Mansted said.
Anonymous Sudan used proxies to distribute and conceal the origin of DDoS traffic during the attack and CyberCX assessed with “high confidence” the proxy infrastructure the group used was substantially composed of paid proxy services.
“The DDoS attacks focused on application layer HTTP(s) flooding. Request headers and arguments were randomised in distinct patterns across HTTP floods, suggesting coordination between traffic sources,” CyberCX said in its report.
“Anonymous Sudan’s use of proxies implies that DDoS traffic was generated from an upstream source. We assess that there is a real chance that Anonymous Sudan used paid cloud infrastructure for upstream traffic generation,” researchers wrote.
Fighting back via driving attacker costs up
CyberCX said the group’s proxy infrastructure would cost at least $2,700 per month. It said to defend against such attacks, organizations with critical public facing online systems needed to ensure their DDoS mitigation strategies could account for the use of paid proxy services and were suited to mitigating application-layer attacks.
Mansted said the group’s use of paid proxy services meant there was a direct cost when it launched its attacks, which presented a “rare opportunity” to its victim organizations. “We often talk about cybercrime being really hard to defeat because we can’t throw sand into the gears of their business model. This is one of those rare cases where defenders have that advantage because if they have good defenses they can drive cost directly back into this organization,” she said.
