A bear in wolf’s clothing: Insights into the infrastructure used by Anonymous Sudan to attack Australian organisations

Intelligence Update

Published by CyberCX Intelligence on 19 June

In March and April 2023, a threat actor calling itself Anonymous Sudan claimed to have conducted at least 24 distributed denial of service (DDoS) attacks on Australian organisations in the aviation, healthcare and education sectors. CyberCX Intelligence observed and investigated several of these attacks. Our findings indicate that Anonymous Sudan is unlikely to be an authentic hacktivist actor, as it claims, and instead may be affiliated with the Russian state.


Key Points


BACKGROUND

Anonymous Sudan 

Origins and identity

 

Operations

 

Figure 1 – Anonymous Sudan’s pattern of life (UTC) by number of publicly claimed DDoS attacks per hour.

 

The pro-Russian ‘hacktivist’ threat actor ecosystem

 

Figure 2 – Anonymous Sudan’s first show of support for Killnet on 25 January (left) and announcement of joining Killnet on 20 February (right), both translated from Russian.

 

 

Figure 3 – Anonymous Sudan’s relationships with other Telegram personas by channel forwards and tags.

 

 

Russian intelligence’s links to ‘hacktivist’ personas

 

Hacktivism as a smokescreen for Russian interests

 

Figure 4 – Select targets of Anonymous Sudan (excluding Australia).

 

 

Attacks on Australian organisations

 

Figure 5 – Anonymous Sudan’s initial threat to target Australia, posted to its Telegram channel on 24 March.

 

Attack infrastructure

 

Figure 6 – Anonymous Sudan DDoS traffic sources by country of origin.

 

 

Figure 7 – Anonymous Sudan DDoS traffic sources by connection to known proxy networks.

Note that a single IP address may be shared between multiple proxy providers, and inclusion in this figure does not necessarily imply that the provider’s service has been abused.

 

 

Infrastructure costs

 

Anonymous Sudan: Where next?

 

Figure 8 – Anonymous Sudan’s activity over time by Telegram posts per day.

 

Figure 9 – Anonymous Sudan’s audience reaction over time by reactions to Telegram posts.

 

[1] https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf

[2] As above.

[3] https://go.recordedfuture.com/hubfs/reports/cta-2023-0223.pdf

[4] https://therecord.media/russia-hacktivist-threat-to-canadian-pipelines-a-call-to-action

[5] https://zetter.substack.com/p/leaked-pentagon-document-claims-russian

[6] https://cert.gov.ua/article/4501891

[7] https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

[8] See also https://go.recordedfuture.com/hubfs/reports/cta-2023-0223.pdf

[9] https://www.theguardian.com/world/2023/jan/27/burning-of-quran-in-stockholm-funded-by-journalist-with-kremlin-ties-sweden-nato-russia

[10] https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf

[11] https://www.worlddata.info/country-comparison.php?country1=SSD&country2=USA

[12] https://blog.cloudflare.com/ddos-attacks-on-australian-universities/

[13] CyberCX notes that this claim is almost certainly highly inflated. The highest volume publicly reported application-layer DDoS attack occurred in February 2023 and peaked at 71 million requests per second. Attacks at this scale are likely to be rare, with the second highest volume attack occurring in June 2022 and peaking at 46 million requests.


Guide to CyberCX Cyber Intelligence reporting language

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.

Probability estimates – reflect our estimate of the likelihood an event or development occurs

Remote chance – less than 5%
Highly unlikely – 5-20%
Unlikely – 20-40%
Real chance – 40-55%
Likely – 55-80%
Highly likely – 80-95%
Almost certain – 95% or higher

Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.

Confidence levels – reflect the validity and accuracy of our assessments

Low confidence – Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.
Moderate confidence – Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.
High confidence – Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.
