Anonymous Sudan's questionable provenance.
By Jason Cole, CyberWire staff writer.
Jun 20, 2023

Complex, well-resourced, and well-organized, Anonymous Sudan looks like a front group for an intelligence service.

Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist patriotic hacktivist collective it claims to be.

Is Anonymous Sudan a Russian front group, or a grassroots religious hacktivist group?

Researchers at CyberCX have released an intelligence update on Anonymous Sudan after the threat group attacked Australian government organizations. CyberCX assesses, with high confidence, that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, “and that Anonymous Sudan is unlikely to be geographically linked to Sudan.” CyberCX also assesses that the group uses substantial paid proxy infrastructure spread across many countries to conduct its attacks. “Traffic was highly dispersed, with the common infrastructure across attacks spanning 1720 Autonomous Systems (AS) over 132 countries. Indonesia was the most represented country of origin, followed by Malaysia and the United States,” the researchers explained. CyberCX puts the cost of that infrastructure at roughly $2,700 per month, but only as an estimate: given the inherently closed nature of the proxy services, “it is difficult to estimate Anonymous Sudan’s likely expenditure on infrastructure.” In any case, a group claiming to be a grassroots outfit in Sudan has suspiciously substantial funding and a complex operational style.

The group’s well-organized attacks are not typical of a grassroots organization of religiously motivated hacktivists. “Most authentic grassroots hacktivist organizations observed by CyberCX plan activities in an at least semi-public way, discussing targeting and coordinating operations in forums and group chats. Anonymous Sudan declares specific targets as it attacks, implying it is a closely held operation.” While the group’s geographical location is difficult to determine, its activity is concentrated in working hours around UTC+3, a band that takes in both Sudan and Eastern Europe and so cannot by itself separate the two. Anonymous Sudan also coordinates openly with the Russian cyber auxiliary KillNet and its cluster of Russia-aligned accounts.
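The two signals CyberCX leans on in the passages above, how widely attack sources are dispersed across ASes and countries and what working hours the operator keeps, are straightforward to compute from one's own telemetry. The Python below is an added example, not CyberCX's tooling or code from this article: it produces a dispersion summary over constructed flow records (source IP, ASN, country, the shape an edge log takes once joined against an IP-to-ASN feed) and then scores every candidate UTC offset by how many constructed post timestamps fall inside a 09:00 to 18:00 local workday. The thresholds, the flow records and the timestamps are all assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed flow summaries (source_ip, asn, country_code) in the shape of an
# edge/WAF log after an IP-to-ASN join. ASNs are from the RFC 5398 documentation
# range; none of this is real attack data.
SAMPLE_FLOWS = [
    ("203.0.113.10", 64496, "ID"), ("203.0.113.11", 64497, "ID"), ("203.0.113.12", 64498, "ID"),
    ("198.51.100.5", 64499, "MY"), ("198.51.100.6", 64500, "MY"),
    ("192.0.2.20", 64501, "US"), ("192.0.2.21", 64502, "US"),
    ("192.0.2.30", 64503, "VN"), ("192.0.2.31", 64504, "IN"), ("192.0.2.40", 64505, "DE"),
    ("192.0.2.41", 64506, "RU"), ("192.0.2.42", 64507, "EG"),
]

# Constructed UTC timestamps of channel posts announcing targets. Nine cluster in
# one block of daytime hours and two fall late at night, as a human operator would.
SAMPLE_POST_TIMES_UTC = [
    "2023-06-05T06:10:00", "2023-06-05T07:45:00", "2023-06-05T08:30:00",
    "2023-06-06T09:05:00", "2023-06-06T10:50:00", "2023-06-06T11:20:00",
    "2023-06-07T12:40:00", "2023-06-07T13:15:00", "2023-06-07T14:55:00",
    "2023-06-08T22:30:00", "2023-06-09T23:10:00",
]


def source_dispersion(flows, min_asns=10, max_top_as_share=0.10):
    """Summarise how spread out attack sources are across ASes and countries.

    A campaign sourced from a rented proxy pool shows many ASes with no single AS
    dominating; a botnet or a few abused hosting providers usually shows the
    opposite. The thresholds are illustrative and should be tuned per environment.
    """
    by_asn = Counter(asn for _, asn, _ in flows)
    by_country = Counter(cc for _, _, cc in flows)
    total = sum(by_asn.values())
    top_as_share = by_asn.most_common(1)[0][1] / total if total else 0.0
    return {
        "distinct_asns": len(by_asn),
        "distinct_countries": len(by_country),
        "top_countries": [cc for cc, _ in by_country.most_common(3)],
        "top_as_share": round(top_as_share, 3),
        "dispersed": len(by_asn) >= min_asns and top_as_share <= max_top_as_share,
    }


def infer_utc_offset(utc_timestamps, work_start=9, work_end=18):
    """Rank candidate UTC offsets by how many posts land inside local working hours.

    Returns (best_offsets, scores): every offset that ties for the top score, plus
    the full score table so an analyst can see how close the runners-up are.
    """
    posts = [datetime.fromisoformat(t).replace(tzinfo=timezone.utc) for t in utc_timestamps]
    scores = {}
    for offset in range(-12, 15):  # UTC-12 through UTC+14 covers every real zone
        local_hours = ((p + timedelta(hours=offset)).hour for p in posts)
        scores[offset] = sum(work_start <= h < work_end for h in local_hours)
    best = max(scores.values())
    best_offsets = sorted(o for o, s in scores.items() if s == best)
    return best_offsets, scores


if __name__ == "__main__":
    print(source_dispersion(SAMPLE_FLOWS))
    offsets, table = infer_utc_offset(SAMPLE_POST_TIMES_UTC)
    print("most likely UTC offset(s):", offsets)
    print("neighbouring offsets:", {o: table[o] for o in (offsets[0] - 1, offsets[0] + 1)})
```

The workday heuristic deliberately returns every tied offset rather than a single answer, and the neighbouring offsets here score within one post of the winner. That is exactly why an hour-of-day profile can place an operator in the UTC+2/UTC+3 band but cannot on its own distinguish Khartoum (UTC+2) from Moscow (UTC+3). Read the dispersion verdict the same way: many ASes with no dominant one is consistent with rented residential proxies, but it is a property of the traffic, not proof of who is paying for it.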

Anonymous Sudan primarily writes in English and Russian. 

Researchers at Trustwave write “There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.” 

The group also occasionally posts in Arabic, but almost every post is accompanied by an English or Russian translation. Anonymous Sudan denies being Russian and responded to the recent allegation in an English post on its Telegram channel: “You know what's funny about that? Everyone thinks that we are Russians, and this is something very wrong, and the reason is that all the countries we attack are hostile to Russia, but at the same time they are hostile to Islam or Sudan. So is this proof that we are Russians? I don't know how people think!!” (Shortly after the post, Anonymous Sudan requested donations in cryptocurrency. We still think they’re a Russian front. Their Islamism is a false flag.)

Attacks on US companies. 

Anonymous Sudan has been targeting US companies for a little over two weeks, citing comments by US Secretary of State Antony Blinken about sanctions on Sudan’s government as its justification. That's a convenient pretext for action in the Russian interest. The group has focused almost exclusively on Microsoft products and has been posting regular updates on its Telegram channel demanding a one million dollar payment to stop the attacks. In a June 16th blog post on the attacks, Microsoft wrote: “Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS [distributed denial of service] activity by the threat actor that Microsoft tracks as Storm-1359.” Microsoft adds, “We have seen no evidence that customer data has been accessed or compromised.”