A hacking group responsible for a series of outages at Microsoft earlier this month had spent the previous months attacking targets in Israel, Sweden and other nations, part of an expanding campaign that some cybersecurity researchers have tied to Russia.
“Anonymous Sudan” describes itself as a hacktivist group and says it’s waging cyber strikes out of Africa on behalf of oppressed Muslims worldwide. The group claimed its 5 June distributed denial of service, or DDoS, attacks against Microsoft were retaliation for US policy regarding Sudan’s military conflict. The US is currently trying to broker a peace deal between warring factions.
Some cybersecurity experts have concluded that the group actually operates from Russia and hacks for an entirely different purpose: to advance Moscow’s objectives. “Anonymous Sudan is a Russian information operation that aims to use its Islamic credentials to be an advocate for closer cooperation between Russia and the Islamic world – always claiming that Russia is the Muslims’ friend,” said Mattias Wåhlén, a threat intelligence expert with Stockholm-based Truesec. “This makes them a useful proxy.”
Wåhlén led Truesec’s investigation of Anonymous Sudan and the firm’s February report identifying the group as a front for Russia, an assessment that was corroborated by other security experts who studied the group and its activities. In its few short months in existence, Anonymous Sudan has repeatedly used cyberattacks as a bludgeon to drive home a singular narrative: that the West is hostile to Islam, while Moscow is a friend to the Muslim world, he said.
A representative for Anonymous Sudan denied that the group was acting on Russia’s behalf but said their interests were aligned. Anonymous Sudan goes after “everything that is hostile to Islam and all countries that are hostile to Islam are hostile to Russia”, the representative wrote, as part of an online conversation.
Last weekend, as an extraordinary mutiny in Russia by the mercenary leader of the Wagner Group challenged Russian President Vladimir Putin, Anonymous Sudan took to Telegram in support of the Kremlin. “The Russian army must defeat this rebellion,” the group wrote.
A Microsoft representative declined to comment, beyond confirming Anonymous Sudan’s involvement, and referred to the company’s 16 June blog post on the incident. A spokesman for the Russian Embassy in Washington didn’t respond to a request for comment.
In its blog post, Microsoft stated that in early June it had identified “surges in traffic against some services that temporarily impacted availability”. DDoS attacks typically direct junk internet traffic at a target, such as a website or server, temporarily degrading service or knocking it offline.
The cyber barrage directed at Microsoft caused temporary outages for some of the company’s most popular services, including Outlook, Teams and OneDrive, and they dovetailed with what security experts noted were increased hostilities in Russia’s war in Ukraine. That tracks with what the experts said was Anonymous Sudan’s pattern of timing its cyberattacks to geopolitical flare-ups in countries aligned against Russia to gain greater visibility for its anti-Western messages.
Microsoft said the group “appears to be focused on disruption and publicity”. Sandra Barouta Elvin, Microsoft’s national security officer for Sweden, where Anonymous Sudan’s incidents began earlier this year, wrote in a post on her personal LinkedIn page on 19 June that the two weeks prior had been “extra intense” as cyberattacks ratcheted up in Ukraine and against Microsoft’s platforms, straining the company’s ability to discern between legitimate and malicious traffic to some of its most popular services.
“It is a cat-and-mouse game in constantly identifying new patterns and new infrastructure used for these types of attacks,” she said.
One reason why Anonymous Sudan’s campaigns are effective is they target “layer 7”, or the application layer, of victims’ internet infrastructure — that’s where web servers receive input from users and, in a computationally draining process, serve content in response, according to Charl van der Walt, head of cybersecurity research for Orange Cyberdefense, part of the French telecommunications group Orange.
When executed skilfully, these DDoS events cause web servers to be unable to tell the difference between real and fake requests, he said. The attacks are more work for hackers to set up, but they have a potentially bigger payoff than ordinary denial-of-service assaults, which are easier to block, he said.
Anonymous Sudan has the “technical knowledge on how to execute such a non-trivial attack, and they seem to know how to be effective against one of the biggest cloud infrastructure giants such as Microsoft”, Van der Walt said. “From a technical point of view, the attackers are good or have access to resources that they can direct to act on their behalf. This puts them in a league above your average hacker collective.”
Anonymous Sudan emerged in February with a campaign against Sweden. The digital onslaught disrupted online programming at Sweden’s national public broadcaster and knocked out the websites of the airline SAS, state-owned power company Vattenfall and defence firm Saab.
The group said the strikes were in response to the burning of a Koran in front of the Turkish embassy in Stockholm earlier this year. But some researchers believe their motivation was to amplify tensions with Sweden’s Muslim minority and pressure Turkey to hold firm in rejecting Sweden’s bid to join the Nato military alliance.
From a technical point of view, the attackers are good or have access to resources that they can direct to act on their behalf
With Sweden’s Nato application stalled, Anonymous Sudan has turned its attention to Israel.
On 4 April, Anonymous Sudan announced it was attacking the Israeli cybersecurity firm Check Point Software Technologies, and the next day vowed to “greatly intensify” its strikes overall against Israel. The group stated that it was attacking in support of Palestinians after clashes between police and worshippers at the al-Aqsa mosque in Jerusalem. The attacks continued as news reports emerged that Israel, which has officially been neutral in the Ukraine war, had shipped advanced radar and other military equipment to Ukraine.
Anonymous Sudan launched hundreds of attacks over a period of six weeks that targeted websites used by news organisations, government and military agencies, universities, banks, telecoms providers, technology companies, and warning systems that issue electronic rocket alerts to Israeli citizens, according to Gil Messing, Check Point’s chief of staff. Israel has regularly faced waves of cyber strikes from self-professed groups of hacktivists. But Anonymous Sudan’s attacks stand out – and have proven to be more disruptive – because they are a lot more powerful than anything that has come before, Messing said.
In one incident in Israel, for example, the group deployed a denial-of-service attack that flooded a website with 35 million requests per second, knocking it offline for a half an hour, Messing said. The average denial-of-service attack usually reaches only about 240 000 requests per second, according to the cybersecurity firm Imperva.
“Multiply the forces they are using for DDoS by at least 10, sometimes more, than the usual DDoS you would see by other cyber groups,” Messing said. “The tools are not extremely sophisticated or expensive. But they are not very widely used.”
Wave of strikes
The massive wave of strikes launched by Anonymous Sudan against Israel have meant that, during the first quarter of this year, the nation faced more denial-of-service attacks than any other country, according to Cloudflare, a cybersecurity firm.
Anonymous Sudan has vowed to continue. It recently teamed with two well-known hacking groups: Killnet, which has waged DDoS attacks aligned with Russian interests, and the Russia-linked ransomware group REvil. Together, they promised major cyberattacks against European banks in response to ongoing support for Ukraine. One victim that’s already emerged is the European Investment Bank, the European Union’s member-owned bank, whose website was disrupted on 19 June.
Barouta Elvin, the Microsoft executive in Sweden, said one lesson from the cyber intrusions in recent weeks by the Russia-aligned groups is that as the war in Ukraine heats up, so, too, will the cyberattacks against that country’s allies.
“Anyone who supports Ukraine is under fire, and European banks have been singled out as targets in recent days,” Barouta Elvin wrote in her post. “In other words, there is a great risk that it will not be the last item … on this threat.” — Jordan Robertson and Ryan Gallagher, (c) 2023 Bloomberg LP