CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Anonymous Sudan: Religious Hacktivists or Russian Front Group?

The Trustwave SpiderLabs research team has been tracking a new threat group calling itself Anonymous Sudan, which has carried out a series of Distributed Denial of Service (DDoS) attacks against Swedish, Dutch, Australian, and German organizations purportedly in retaliation for anti-Muslim activity that had taken place in those countries.

However, a deeper dive into the group indicates a very strong possibility that Anonymous Sudan is a sub-group of the Pro-Russian threat actor group Killnet, a group with which Anonymous Sudan has publicly aligned itself.

SpiderLabs cannot confirm that the group is based in Sudan, nor if any of its members are from that nation, but based on the evidence available, it seems quite likely that Anonymous Sudan is a Killnet project, possibly including some Eastern European members.

Most of the information available on Anonymous Sudan comes from the group’s Telegram channel, which was created on January 18, 2023, just days before it launched its first attack. Here the group claimed it conducted the attacks are conducted in response to anti-Muslim activities that have taken place in the target nations and in support of Russian hackers who, in turn, support Sudan.

Anonymous Sudan concentrates on specific targets for short periods, generally a day, but in some cases for extended periods of time.

19775_image002

Figure 1. Message showing Anonymous Sudan’s support of Russian hackers

It is important to note that the larger Anonymous Operations has disavowed any connection with Anonymous Sudan on that organization’s Telegram channel.

Anonymous Operations is the Telegram channel for the broader Anonymous group. According to the group’s website: Anonymous is a collective of online and offline activists who engage in direct action, hacktivism, and other subversive digital and physical actions. The group was founded on the imageboard 4chan in 2003. Anonymous has no formal leadership or membership, instead operating as a decentralized network of individuals with similar interests.

19776_image004

Figure 2. Anonymous Operations denies affiliation with Anonymous Sudan.

Is Anonymous Sudan Really Killnet?

There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.

However, Killnet seemed to confirm its connection to Anonymous Sudan when the collective posted screenshots from Anonymous Sudan on Killnet’s Telegram channel, as shown in Figures 9, 10, and 11.

One of Killnet’s primary missions is supporting Russia in conjunction with the invasion of Ukraine and the group has in fact, attacked Ukraine’s supporters.

At this time, SpiderLabs has found only minimal evidence that Anonymous Sudan is financially motivated, and that comes from a few advertisements suggesting that Anonymous Sudan was attempting to sell data stolen from Air France.

The Threat Posed by Anonymous Sudan

First Attacks targeting Sweden, Netherlands, and France

Whether Anonymous Sudan is a front for or just acting in conjunction with Killnet may be moot. SpiderLabs believes the DDoS attacks have the potential to be quite serious.

Anonymous Sudan’s attacks can disrupt government operations, health facilities, and airport services, which could lead to serious consequences. The group has taken credit for a number of attacks and has posted threats against a wide range of targets.

The following is a breakdown of the attacks claimed by Anonymous Sudan.

The group’s first activity targeted Swedish governmental and business resources as a response to the act of burning the Quran in Stockholm.  Sweden has given hundreds of millions of dollars in military aid to Ukraine, including advanced artillery and air defense weapons.

19777_image006

Figure 3. Jan 18, 2023, Attacks on Sweden start 5 days after the creation of the group.

19778_image008

Figure 4. Jan 23, 2023. Anonymous Sudan taking responsibilities on attacking Swedish websites.  

The next day, the group concentrated on attacks against the Dutch government infrastructure supposedly in retaliation to the burning of the Quran in Enschede, a city in the Netherlands. The Netherlands government has also donated to Ukraine.

19779_image010

Figure 5. Jan 24, 2023. The gang targeting the Dutch government’s websites. 

Anonymous Sudan often provides check-host.net links to prove that the DDoS attacks were successful.

France is also on Anonymous Sudan’s radar with the group promising to strike that nation for anti-Islamic activity. Like the other targets of attack, France has been a major supplier of financial aid and military equipment to Ukraine.

19780_image012

Figure 6. March 14, 2023. Anonymous Sudan declared attacks against France. 

In rare cases, the group is involved in other than DDoS attacks. For example, Anonymous Sudan is trying to sell information that was obtained from the Air France website. 

19781_image013

Figure 7. March 19, 2023. Anonymous Sudan purports to access Air France data. 

19782_image014

Figure 8. March 19, 2023. Anonymous Sudan offers the French airline data for sale.  

As proof of the Air France attack, Anonymous Sudan published data containing emails and passwords. While reviewing the emails, we found that some of them were mentioned in earlier leaks.   

First Attacks with Killnet

The next attack was the first of several to officially connect Anonymous Sudan with Killnet. It took place in late January 2023, with the Telegram post saying Anonymous Sudan assisted Killnet in its attack against the Federal Intelligence Service of Germany (Bundesnachrichtendienst). Germany has been an ardent supporter of Ukraine.

19783_image016

Figure 9. Jan 25, 2023. Anonymous Sudan claims to attack Federal Intelligence Service of Germany. 

The next attack performed in coordination with Killnet targeted PayPal as you can see in Figure 10.

19784_image018

Figure 10. Feb 3, 2023. Killnet with other gangs, including Anonymous Sudan, claims to DDoS Paypal’s website.

In the following posts Anonymous Sudan claimed a successful DDoS attack on the cybersecurity firm Radware’s website. Radware is an Israeli security vendor which provides multiple services, including DDoS protection. Israel has also offered aid to Ukraine.

19785_image020

Figure 11. Feb 7, 2023. Killnet and Anonymous Sudan, claims to take down the website of Israeli security vendor Radware.

Attacks Targeting Australia

One of the group’s most recent threats is leveled against Australia, some of which the group claims will involve Killnet. On March 24, it posted threats against a wide variety of Australian organizations, including airports, universities, and healthcare facilities. Australia is also supporting Ukraine.

19786_image022

Figure 12. March 24, 2023. Anonymous Sudan claims to attack Australian hospitals.

19787_image024

Figure 13. March 24, 2023. Anonymous Sudan claims to attack Australian Airports.

Additional attacks are planned by Anonymous Sudan for the week of March 27th and are also coordinated with Killnet. In the following post they provide a timeline for these attacks:

19788_image026

Figure 14. Anonymous Sudan threatens to attack Australian universities.

19789_image027

Figure 15. March 25, 2023. Anonymous Sudan provides a timeline for the attacks against Australian Targets.

Anonymous Sudan recently claimed to target Denmark after Rasmus Paludan, a political activist who holds Danish and Swedish citizenship, burned the Quran in Denmark.

19790_image029

Figure 16. Anonymous Sudan adds Denmark to its targets.

Conclusion

Anonymous Sudan has been extremely active taking credit for attacks via its Telegram channel, but details concerning the true reasoning behind its efforts remain murky. It has publicly aligned itself with the Russian group Killnet, but for reasons only its operators know, prefers to use the story of defending Islam as the reason behind its attacks.

A new activity for Anonymous Sudan is the stealing and selling of data as evidenced in the Air France attack. While this might appear to be an evolution of the group’s attack types, DDoS attacks currently remain the norm. Only time will tell whether Anonymous Sudan will continue with their customary style of attack or if the group will incorporate more nefarious means of attack.

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More