In January 2023, a cybercriminal group identifying themselves as “Anonymous Sudan” emerged as hacktivists. Throughout their operations, including OpSweden and OpDenmark, they targeted specific countries with the motive to fight against individuals who showed disrespect towards the religion of Islam.

However, doubts have been raised regarding the authenticity of Anonymous Sudan as a genuine hacktivist group due to the contrasting operational methods of the hacker collective when compared to conventional hacktivist groups.

These speculations have stemmed from concerns about the significant expenses associated with their attacking infrastructure, the timing of their cyber attacks, and their alleged affiliation with Russia.

After launching nearly 24 DDoS attacks on Australian organizations, Anonymous Sudan is expected to launch more cyber attacks on the nation, according to researchers. The 24 DDoS attacks were launched between March and April 2023.

And more attacks are suspected in the following months.

Anonymous Sudan hacktivism or pro-Russian attacks?

Anonymous Sudan launched cyber attacks against universities, airports, and medical institutions in France in March 2023.

The hackers from the group attributed their cyber attacks to the perceived humiliation of Islam’s religious figures through the depiction of cartoons. Their actions included threatening and releasing data obtained from cyber attacks conducted on various nations, including those belonging to NATO.

Moreover, the hacktivist group launched the OpIsrael campaign in support of pro-Palestinian causes and as a way to show support for the Palestinians oppressed by Israeli troops. They have also claimed Distributed Denial of Service (DDoS) attacks on Microsoft, which the company confirmed affected its product Outlook.

One of the reasons behind the targeting of Microsoft was the meeting between the US Secretary of State, Antony Blinken, and Saudi Arabian officials, where discussions took place regarding the imposed sanctions on the Sudanese Armed Forces, among other factors.

OpAustralia and Anonymous Sudan hacktivism

Anonymous Sudan launched nearly 24 DDoS attacks between 24 March and 1 April on the aviation, healthcare, and education sectors. They called the campaign opAustralia, which was started on 17 March, targeting Australia.

Researchers suspect that the campaign was likely religiously motivated and has been conducted by a Pakistani hacktivist group.

Anonymous Sudan claimed to launch more attacks on Australia in retaliation to the clothing showcased at the Melbourne Fashion Festival, featuring the text ‘God walks with me’ written in Arabic.

Besides the cyber attacks by Anonymous Sudan, the incident had other hacktivist groups launch cyber attacks on nearly 80 Australian organizations, which may not have had anything to do with the fashion festival.

Anonymous Sudan’s hacktivism questioned by researchers

According to a blog by CyberCX on Anonymous Sudan’s authenticity, the following points were highlighted that questioned its true motives –

1. Time of the cyber attacks by Anonymous Sudan

The hackers mostly operate between UTC 22:00 and UTC 06:00. And, over 80% of its cyber attack claims were made between UTC 06:00 and 18:00. The timings align with several East African nations and most of Sudan and Eastern Europe including Moscow.

2. Cost of the paid infrastructure used by Anonymous Sudan for hacktivism

The proxies that Anonymous Sudan uses to hide its DDoS traffic from detection were likely via paid proxy services.

It did not reply as much on TOR for traffic dispersal with only 2% of its common infrastructure being composed of TOR exit nodes. Nearly 33% of the complete attack traffic volume was estimated to be from paid proxy networks.

For a nation that falls below the global average household income of US $460 per year, Anonymous Sudan claiming to be from Sudan and investing nearly AU $4000 per month makes it suspicious on the ground of its origin.

3. Anonymous Sudan hacktivism aligned with Russian motives

Researchers argued that the motive behind the expensive DDoS attacks for a comparatively smaller impact on portals may not amount to a larger goal of the hacktivist.

Moreover, the group targets Western countries, which remains consistent with Russian warfare strategies targeting those aligning with pro-Ukrainian nations, further solidifying the researchers’ claim.

4. Language used by Anonymous Sudan

Although the group claims to fight for religious reasons including defending the people of Sudan, the hackers started using the Arabic language only after their motives began raising questions.

Anonymous Sudan primarily utilizes Russian and English languages for their posts across various channels. Interestingly, they made their Arabic language post approximately a month after the establishment of these channels.

Researchers argue that the Anonymous Sudan hacktivism is instead a garb to increase the cost of cyber defense in Western countries and others.

They are a smaller group or just an individual who works for religiously motivated and financially motivated reasons.

They have also publicly shown their allegiance to the pro-Russian hackers of the Killnet group and have cross-posted on each other’s channels about their cyber attacks.

What researchers observed about the hacktivism of Anonymous Sudan

“Anonymous Sudan has no known overlap with the original members of the 2019 Anonymous Sudan operation, which was anti-Russia and pro-Ukraine,” researchers from CyberCX stated.

The report further stated that the well-known group Anonymous clarified that they are not aligned with Anonymous Sudan.

“CyberCX assesses that Anonymous Sudan is likely to be an individual or a small, coordinated group rather than a grassroots hacktivist organization,” the report added.

The operational methods of the hacktivist group were questioned as well, as they exhibited a level of coordination not commonly seen among issue-oriented hacktivists.

In contrast to other hacktivist groups, who engage in semi-public discussions online to determine their targets for assault, Anonymous Sudan operates differently. Instead, they publicly declare their next targets while simultaneously launching cyber attacks.

Connections of Anonymous Sudan with Russia

After Anonymous Sudan publicly showed its support to the pro-Russian Killnet group, there was little confusion left about where its affinities lie. They use each other’s Telegram channels which signifies the closeness of operations and trust between Anonymous Sudan and the Killnet group.

It was observed that with increased attacks on Ukraine in the hands of Russia ever since February 2022 led to the formation of several pro-Russia hacktivist personas. Some of the more active groups targeting Ukraine and its allies were found to be Killnet and Anonymous Russia.

“In June, Killnet-affiliated threat actors including Anonymous Sudan announced plans to launch non-DDoS attacks on Western financial institutions and the SWIFT network in conjunction with REvil,” according to the CyberCX report.

REvil, the Russia-based group, extorted money from its target, including the prominent data breach at Medibank. It is a coincidence that nearly when REvil’s darknet website went offline in the last few months, Anonymous Sudan gained traction for its activities. However, there has been no evidence to support claims of any connections between the two groups.

Russian intelligence and reports of cyber attacks

The CyberCX report maintained that the Russian intelligence was affiliated with pro-Russian hacktivist groups.

“We assess that it is highly likely that at least some members of the Killnet collective are linked to the Russian state,” the report further added. This brings a chance for Anonymous Sudan’s hackers to connect with Russia.

The cyber attack on a Canadian gas pipeline in April 2023 exposed sensitive US signals intelligence to pro-Russian hackers and a member of the Killnet group, Zarya. It was anticipated that an attack such as this would lead to an explosion.

Zarya was suspected to be on standby for instructions from the Federal Security Service (FSB) of the Russian Federation. The leaked briefing from the US classified data asserted that Zarya had controls to increase valve pressure, disable alarms, and start an emergency shutdown of the facility.

Addressing the authenticity of the claims of involvement of the FSB in the cyber attacks, a report read that the briefing showed signs of the hackers receiving instructions from someone presumed to be from the FSB.

The hackers claimed they had done enough damage to the Canadian, however, their intention was not to cause loss of life, only loss of income for Canadians,” according to a Zetter report.

It was concluded that Anonymous Sudan primarily targets Western organizations, specifically the government, media, and healthcare. Although the hackers from Anonymous Sudan claim that they are fighting for religious and Sudanese causes, they turn to seek monetary gains periodically.

Anonymous Sudan was formed three days before the Stockholm Quran burning incident, which led the group to cause cyber attacks in the region. It is suspected by researchers that Russian threat actors use hacktivists’ activities to strategically target European nations, among others.

They cause disinformation to polarize Western societies. Moreover, it was speculated that the Stockholm incident, which witnessed the burning of the Quran, was linked to a former contributor to the Kremlin-backed media outlet Russia Today.