Anonymous Sudan
July 5, 2023
Topics
- DDoS
Over the past year, organizations across many industries have fallen victim to cyber-attacks ranging from phishing campaigns to ransomware. In June 2023, Microsoft was one of the many companies targeted by cybercriminals; the attack left various components of its Office suite inaccessible for a period. A group known as “Anonymous Sudan” has since stepped up and claimed responsibility for the attack against the American technology corporation.
The group known as “Anonymous Sudan” originated as a Russian-speaking Telegram channel in early January 2023. It attempted to gain popularity within the cyberthreat landscape through its name, which makes the group appear to be related to the well-known group “Anonymous”. Members of Anonymous, however, have distanced themselves from the new organization, implying that the two groups are not related to one another.
The group initially targeted countries and organizations that went against or desecrated the values of the Quran, which led many people to believe that it is a collective of hacktivists from a primarily Muslim country. Researchers have since concluded that the group is not tied to the country of Sudan and may instead be connected to Russia. Several key factors led researchers to this conclusion. First, its primary targets are the West and Israel. Second, Anonymous Sudan communicated primarily in Russian, until researchers at Truesec investigated the group and found it strange that a group claiming to be from Sudan mainly speaks Russian. Lastly, in late February of this year the group joined the Russian cybercrime syndicate known as Killnet.
Throughout its attacks this past year, Anonymous Sudan has only been observed using DDoS to disrupt the operations of its targets and wreak havoc upon them. In particular, the group employs attacks that target layer 4 of the OSI model, otherwise known as the transport layer: Anonymous Sudan uses a SYN flood to overwhelm a victim’s machines or servers with incomplete connection requests.
A SYN flood occurs when an attacker rapidly sends many connection requests to a target server or servers but never completes the connection. The target machines consume memory and time holding state for each half-open connection while they wait for it to complete. If enough of these half-open connections accumulate, the system slows down and becomes unresponsive to legitimate traffic. In a normal TCP handshake, the client sends a “SYN” packet to the server, the server responds with a “SYN, ACK” packet, and the client finishes by sending an “ACK” packet back to the server. In an attack, that final “ACK” packet is never sent, so the connection is never finalized.
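To make the half-open exhaustion described above concrete, here is an added example (not from the original post) that simulates a server's SYN backlog with a toy TCP handshake state machine; the backlog size, the addresses and the cookie secret are constructed values. It also shows the standard mitigation, SYN cookies (RFC 4987), where the server stores no per-SYN state and instead recomputes its initial sequence number when the final ACK arrives.

```python
import hashlib
from dataclasses import dataclass, field

BACKLOG = 4          # constructed: tiny half-open limit so exhaustion is visible
SECRET = b"demo"     # constructed: per-server secret for the toy SYN cookie


@dataclass
class Server:
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (src, client_seq) -> server ISN
    established: set = field(default_factory=set)
    dropped: int = 0

    def _cookie(self, src, seq):
        # Toy SYN cookie (real ones also encode a timestamp and MSS): derive the
        # server ISN from the connection tuple and a secret so it can be recomputed.
        digest = hashlib.sha256(f"{src}:{seq}".encode() + SECRET).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, seq):
        """Handle a SYN; return the server ISN sent in SYN-ACK, or None if dropped."""
        isn = self._cookie(src, seq)
        if self.syn_cookies:
            return isn                  # stateless: nothing stored per SYN
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1           # backlog exhausted: legitimate SYNs are lost too
            return None
        self.half_open[(src, seq)] = isn
        return isn

    def on_ack(self, src, seq, ack):
        """Handle the final ACK; return True if the connection is established."""
        if self.syn_cookies:
            expected = self._cookie(src, seq)   # recompute instead of looking up state
        else:
            expected = self.half_open.pop((src, seq), None)
        if expected is not None and ack == expected + 1:
            self.established.add(src)
            return True
        return False


def simulate(syn_cookies):
    """Flood the server with SYNs that are never ACKed, then try a real client."""
    srv = Server(syn_cookies=syn_cookies)
    for i in range(20):                                 # constructed flood sources
        srv.on_syn(f"198.51.100.{i}", seq=1000 + i)     # no ACK ever follows
    isn = srv.on_syn("203.0.113.7", seq=42)             # legitimate client
    ok = isn is not None and srv.on_ack("203.0.113.7", 42, isn + 1)
    return ok, srv.dropped, len(srv.half_open)
```

Without cookies the backlog fills after four SYNs and the legitimate client is refused; with cookies the flood leaves no state behind and the real handshake completes.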
Something that is strange about the group is its use of HTTP-based (application-layer) DDoS attacks. Although HTTP-based DDoS attacks have been shown to be more effective, they are also much more expensive to mount. This has led many researchers to believe that, beyond internal resources and possibly crowdfunding, the group would need to acquire funds elsewhere. Another way the group could carry out these attacks is through the dark web, where many third-party services for hire are able to perform such large-scale attacks.
Over the course of 2023, Anonymous Sudan has launched multiple attacks against entities around the world. In June, the group targeted multiple US businesses following a misinterpretation of a comment made by the US Secretary of State Antony J. Blinken. On a recent visit to Saudi Arabia, Blinken discussed the conflict within Sudan, where rival military factions are competing for control of the capital. Blinken commented, “looking at steps we can take to make clear our views on any leaders who are trying to move Sudan in the wrong direction.” The cybercrime group took this as a sign that the US would potentially invade the African country. The organizations affected by the group’s latest round of DDoS attacks were Microsoft, Lyft, Lovelace Health Systems, Hudson Regional Hospital, Exeter Hospital, and UPS.
Ultimately, Anonymous Sudan poses a major threat to the safety of organizations not only in the US but around the world. Although the group claims to be religiously motivated, protecting the laws of Islam and opposing Western imperialism, it is not yet clear whether these are its true motives. Its views, shared with Russia, have caused many to speculate that there is some kind of connection between the hacktivist group known as Anonymous Sudan and the Russian state. As the group continues to evolve, it will undoubtedly begin to move past DDoS campaigns and may inevitably turn to much more dangerous ransomware attacks. As threats continue to evolve, it is important to stay vigilant and on the lookout as new threats emerge.