Who is Anonymous Sudan?
Anonymous Sudan is a hacker group, apparently based in Sudan, which claims to engage in cyber activism and hacking activities. The group is believed to be part of the larger Anonymous network, which is an international group of hacktivists and activists that execute disruptive attacks throughout the world and are known for their #OP activities (#OPIsrael, #OPAustralia, etc.). The #OP activities are usually related to a specific cause and date in which the group executes their attacks.
This group is known for conducting various types of cyberattacks, including distributed denial of service (DDoS) and defacement attacks, and for claiming responsibility for these attacks through public statements and online posts mainly on Telegram and Twitter. The motivations and goals of Anonymous Sudan are not very clear, but their actions often appear to be aimed at raising awareness about specific political and social issues. Since the Russian-Ukraine war began, this group has claimed to support the Russian cause; therefore, it often attacks Ukrainian targets.
From March 16 to March 23, 2023, Anonymous Sudan and Killnet—which are believed to be the same group—claimed responsibility for several unverified DDoS and website defacement attacks. Killnet’s recent targets for cyberattacks included the Latvian governmental Project “School 2030,” NASA, and a Precision Rifle Series-affiliated club located in Lviv, Ukraine called Poligun Team. Anonymous Sudan, meanwhile, claimed responsibility for numerous DDoS attacks in France that targeted hospitals, universities, airports, and public organizations including the French Police, the Ministry of Justice, and the Ministry of the Interior.
Historically, Anonymous Sudan cites geopolitical events that it perceives as anti-Muslim as the catalyst for its DDoS attacks. Anonymous Sudan allegedly began targeting Danish entities on February 22, 2023, and continued doing so throughout March 2023. Anonymous Sudan began targeting French entities in mid-March 2023 and has cited “the offensive caricature of the Prophet Muhammad [in France]” as the catalyst for its DDoS attacks. Many pro-Russian hacktivist groups are ego-driven and have historically publicized both verified and unverified Western media coverage of its alleged attacks.
There are claims in recent months that Anonymous Sudan is actually a Russian group. At this point, we have no hard evidence that can connect directly between the group to Russian official entities as is the case with other Russian attack groups we know such as APT28 and APT29.
CYE’s CTI group revealed the following TTPs and IOCs while researching Anonymous Sudan:
TTPs:
Defacement (T1491.001 – internal defacement, T1491.002 – external defacement)
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Network Denial of Service (T1498.001 – Direct Network Flood, T1498.002 – Reflection Amplification)
Network Denial of Service (DoS) attacks are used by adversaries to block or degrade the availability of targeted resources. Network DoS can be performed by exhausting the network bandwidth services rely on. Websites, email services, DNS, and web-based applications are examples of resources. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction hacktivism, and extortion.
Network DoS occurs when the bandwidth capacity of the network connection to a system is exhausted due to malicious traffic directed at the resource or to the network connections and network devices it relies upon. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
To perform Network DoS attacks, several aspects apply to multiple methods, including IP address spoofing, and botnets.
It is possible for adversaries to use the original IP address of an attacking system or spoof it to make it more difficult to trace the attack traffic back to the attacker or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
IOCs:
101.167.152.76
101.167.152.90
109.235.139.13
213.61.253.152
213.61.253.250
213.61.254.11
213.61.254.36
217.110.80.14
Recommendations
To help prevent being attacked by the Anonymous Sudan group, the following is recommended:
General
Have a continuous information feed to stay up to date with the latest trends and threats in the cyber warfare world.
DDoS
- If possible, block all the known IOCs of the group.
- Verify your Anti-DDoS configuration. Make sure your critical sites are under protection.
- If you do not have an anti-DDoS appliance, consider asking your ISP for anti-DDoS solutions. Alternatively, some security vendors offer scrubbing services; however, it requires configuration on your part.
- It is recommended to have a secondary ISP line sufficient enough to support your traffic as a redundancy option.
- Have your NOC (network operations center) monitor your ISP lines for abnormal traffic.
Websites
- Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
- Scan your site for vulnerabilities to verify no patches are missing.
- Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geolocation and restrict traffic to valid locations.
- Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location.
- Monitor your sites for suspicious behavior and instruct your analysts to be on high alert.
- If possible, take a proactive approach and have your websites evaluated from a security standpoint. Rectify critical gaps and implement quick changes.
Want to learn more about how you can protect your organization from cyberattacks? Contact us today.