Blog

Unmasking Anonymous Sudan: Timeline of DDoS Attacks, Affiliations, and Motivations

A running timeline of Anonymous Sudan’s DDoS attacks on countries, industries, companies, and governmental entities around the world, including Microsoft, Australia, Israel, and multiple US hospitals

Default Author Image
June 20, 2023

On October 16, the DOJ indicted two Sudanese nationals with operating and controlling Anonymous Sudan. The group shook the world last year, orchestrating over 35,000 Distributed Denial-of-Service (DDoS) attacks against US targets, in addition to selling their DDoS tools to other cybercriminals. Working closely with the Department of Justice as part of Operation PowerOFF, Flashpoint provided critical intelligence insights into the group’s tools, infrastructure, and tactics.

Here’s what you need to know about Anonymous Sudan:

Anonymous Sudan Makes its Presence Known

Anonymous Sudan has been active since January, and making consistent headlines around the world. Its attacks have to-date targeted Sweden, Netherlands, Denmark, Australia, France, Israel, Germany, UAE, the US, and Iran while affecting critical infrastructure and numerous global sectors including financial services, aviation, education, healthcare, software, and government entities. 

Microsoft announced that it had fallen victim to DDoS attacks by an adversary group the company has been tracking as “Storm-1359”—its threat actor taxonomy that likely translates to Anonymous Sudan, according to our intelligence. 

But numerous questions remain about Anonymous Sudan, the adversary group that has claimed credit for several recent high-profile DDoS attacks across the globe.

Apparent Connections to Killnet

Evidence relating to the provenance of Anonymous Sudan suggests an affiliation with pro-Russian hacktivist collective Killnet, which it confirmed in February 2023. However, the degree of that affiliation is still being evaluated. Evidence also suggests that Anonymous Sudan are likely state-sponsored Russian actors masquerading as Sudanese actors with Islamist motivations, as cover for their actions against Western (or Western-aligned) entities. 

Despite obfuscations on official Anonymous Sudan channels as to their identity and affiliations, the employment of social media or public facing accounts under the “hacktivist” banner is consistent with previous tactics, techniques, and procedures employed by Russian state-sponsored adversaries. Similar to Killnet, Anonymous Sudan has claimed disruptions to several high-profile victims.

Related Resource

Inside Killnet, the World’s Most Prominent Pro-Kremlin Hacktivist Collective

Guise of Islamist Ideologies

Since its inception, there has been speculation as to the origins, ideologies, and motivations of Anonymous Sudan; they have posted in English, Russian, and more recently Arabic, across their online channels. However, in spite of its name, it appears that the group has no actual connections to the country of Sudan (nor any connection to the previous Anonymous group operating in Sudan). 

This can most readily be seen in the case of Sweden, when Anonymous Sudan attacked numerous Scandinavian entities after Rasmus Paludan, a Danish-Swedish politician, organized an anti-Islam protest in front of the Turkish Embassy in Sweden during which he burned a copy of the Quran on January 22. 

Anonymous Sudan’s origins and motivations were further muddied by reports about a Russian state-sponsored journalist who allegedly orchestrated the Quran burning to stir up anti-Muslim sentiment in order to make Sweden’s NATO bid less likely to succeed in Turkey’s view. 

A Russian journalist, sponsored by the Kremlin, burned the Quran to create more anti-Muslim feelings in Scandinavia and make Sweden’s NATO bid less likely to succeed in Turkey’s view.

Anonymous Sudan TTPs: Details of Microsoft Attack

Microsoft said it had observed the threat group “launching several types of layer 7 DDoS attack traffic,” including:

  • HTTP(S) flood attack, which “aims to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing.”
  • Cache bypass, which “attempts to bypass the CDN layer and can result in overloading the origin servers.”
  • Slowloris, “where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory.”

Timeline: Anonymous Sudan DDoS Attacks, Claims, and Developments

Where available, we’ve put together a comprehensive timeline of Anonymous Sudan claimed and confirmed attacks. For example, Anonymous Sudan has mentioned on official channels that they are targeting a given entity, and may claim responsibility for an attack without providing any evidence to support the claim. This was the case when Canada, the Netherlands, and Germany came into scope for Anonymous Sudan, as detailed below.

Here is a timeline of some of Anonymous Sudan’s recent DDoS attacks and claims:

  • January 27: Claims attacks on the Netherlands also in response to Paludan
  • February 22: Claims attacks on Denmark in response to Rasmus Paludan.
  • March 15 – 22: Anonymous Sudan targets France, attacking Air France.
  • March 24 – April 2: Attacks Australian companies, including healthcare, aviation, and education organizations, when a Melbourne fashion label featured the Arabic for “God” on garments.
  • April 26: On Israeli Independence Day, Anonymous Sudan claims to have conducted DDoS attacks on Israeli Prime Minister Benjamin Netanyahu’s website, making it inaccessible, and to have hacked Netanyahu’s Facebook account. Multiple reports also linked the group to attacks on the websites of the Haifa Port, Israel Ports Development, the National Insurance Institute, and the Mossad, Israel’s national intelligence agency.
  • April 29: Anonymous Sudan announces plan to attack German entities after they post of an alleged “kidnapping” that took place by German authorities against a child. Canada is also mentioned as a target due to a similar video of a Muslim man being arrested in front of his family. The extent of these attacks remain unclear. 
  • May 2: Anonymous Sudan claimed that they compromised and temporarily disarmed Israel’s Iron Dome, its missile defense system, although this remains unconfirmed by the Israeli government. The cyberattack reportedly allowed 16 rockets fired from Gaza to enter Israeli territory, which, according to Israeli Army Radio and the, gave the Iron Dome a success rate of between 71%, compared to its usual 90-95%. 
  • May 5: Anonymous Sudan shares screenshots of eight websites belonging to official United Arab Emirates (UAE) domains. Shortly thereafter, several Emirati banks were allegedly attacked.
  • May 24: Anonymous Sudan breaches the website and mobile app of Scandinavian Airlines (SAS), knocking them offline, affecting all flight activities and stranding passengers. This was the second round of attacks to impact Sweden.
  • June 5: Anonymous Sudan announces they will attack Microsoft, which eventually confirmed the attack on June 16. The high-profile attack caused outages and disruptions to multiple Microsoft products and services, although the software giant said it had “seen no evidence that customer data has been accessed or compromised.”
  • June 14: Anonymous Sudan posted on its official Telegram channel that Russian-language hackers announced a “massive attack” on European and US financial institutions within the next 48 hours. The group claimed it would attack the SWIFT payment system in collaboration with KillNet and the Russian cybercriminal group REvil to protest the West’s financial and military support of Ukraine.
  • June 16: Killnet posts on its Telegram channel a series of Western financial systems it allegedly began targeting, although each of them remain operational as of this publishing.
  • June 19: Anonymous Sudan announces it has attacked the European Investment Bank, which confirmed the DDoS attack. 
  • July 2: Anonymous Sudan claimed to have stolen more than 30 million credentials from Microsoft accounts, notably its Azure and Outlook products. Within a day, Microsoft denied the validity of these credentials after Anonymous Sudan posted a sample of over 50 usernames and passwords for the company to cross-reference. However, Microsoft did admit to being targeted by a series of layer 7 DDoS attacks.
  • October 16: A federal grand jury indictment unsealed charged two Sudanese nationals with operating and controlling Anonymous Sudan.

Flashpoint is closely tracking this situation and will update this blog to reflect significant changes.

Prevent and Respond to a Ransomware Attack with Flashpoint

Ransomware response is equally as important as prevention. In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, or sign up for a free trial.

Begin your free trial today.