Expensive Proxies Underpin Anonymous Sudan DDoS Attacks
Paid IT Infrastructure Undermines Hacktivism Claim of Pro-Russia Group
Pro-Russian and self-declared "hacktivist" group Anonymous Sudan appears to rely on expensive online infrastructure to perpetrate its distributed denial-of-service attacks, undermining its claim to be a volunteer group operating from an impoverished East African country.
Australian cybersecurity firm CyberCX said in a Monday blog post that it had examined traffic sources of Anonymous Sudan attacks in March against in-country targets.
It found that paid proxies, used to conceal the true origin of the traffic, accounted for at least one-third of the attack traffic volume. The real share is likely higher, since proxies are by design difficult to identify and track, the firm said. It is also unlikely the group abused free trial offers from proxy providers, given the "consistent, very high capitalization of the same paid proxies in attacks separated by six days."
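The two measurements behind that assessment, the share of attack volume attributable to proxy address space and the reuse of the same proxy addresses across attacks days apart, are straightforward to reproduce from per-source flow records. The script below is an added example, not CyberCX's tooling: the flow log, the six-day gap and the proxy address blocks (drawn from the reserved TEST-NET ranges) are all constructed, and a real analysis would substitute a curated list of proxy provider ranges or ASNs.

```python
"""Measure how much of a DDoS attack's traffic came from known paid-proxy address
ranges, and whether the same proxies reappear in a later attack.

Added example; not CyberCX's code. All records and ranges below are constructed."""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed: address blocks assumed to belong to commercial proxy providers.
# A real analysis would load a curated list (provider ASNs, published exit ranges).
PROXY_RANGES = [ip_network(c) for c in ("203.0.113.0/25", "198.51.100.0/24")]

# Constructed flow log, one aggregated record per source per attack day:
# date, source IP, bytes. The two attacks are six days apart.
FLOW_LOG = """\
2023-03-01 203.0.113.10 9000000
2023-03-01 203.0.113.11 6000000
2023-03-01 198.51.100.5 5000000
2023-03-01 192.0.2.7 20000000
2023-03-01 192.0.2.8 20000000
2023-03-07 203.0.113.10 8000000
2023-03-07 203.0.113.11 7000000
2023-03-07 198.51.100.5 3000000
2023-03-07 198.51.100.9 2000000
2023-03-07 192.0.2.7 10000000
2023-03-07 192.0.2.30 10000000
"""


def parse_flows(text):
    """Return a list of (date, ip, bytes) tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ip, nbytes = line.split()
        flows.append((date.fromisoformat(day), ip, int(nbytes)))
    return flows


def attack_days(flows):
    """Distinct attack dates in the log, oldest first."""
    return sorted({d for d, _, _ in flows})


def is_proxy(ip):
    """True if the source address falls inside a known proxy range."""
    return any(ip_address(ip) in net for net in PROXY_RANGES)


def proxy_share(flows, day):
    """Fraction of that day's bytes sent from proxy ranges. This is a lower bound:
    any proxy missing from PROXY_RANGES is counted as direct traffic."""
    total = sum(b for d, _, b in flows if d == day)
    proxied = sum(b for d, ip, b in flows if d == day and is_proxy(ip))
    return proxied / total if total else 0.0


def proxy_sources(flows, day):
    """Set of proxy source addresses active on the given day."""
    return {ip for d, ip, _ in flows if d == day and is_proxy(ip)}


def reuse_report(flows, first, second):
    """Compare the proxy sources of two attacks: how many days apart they were,
    which proxy addresses appear in both, and what fraction of the first attack's
    proxies came back. A high fraction across a multi-day gap argues for paid,
    persistent capacity rather than short-lived free trials."""
    a, b = proxy_sources(flows, first), proxy_sources(flows, second)
    reused = sorted(a & b, key=ip_address)
    return {
        "days_apart": (second - first).days,
        "reused": reused,
        "reuse_fraction": len(reused) / len(a) if a else 0.0,
    }


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    first, second = attack_days(flows)
    print(f"proxy share {first}: {proxy_share(flows, first):.1%}")
    print(f"proxy share {second}: {proxy_share(flows, second):.1%}")
    print(reuse_report(flows, first, second))
```

On the constructed data the first attack shows exactly one-third of its volume from proxy ranges and the second half, and every proxy address from the first attack reappears six days later. Because `proxy_share` only credits addresses on the list, a longer or more accurate proxy list can only raise the figure, which is why such a measurement is best read as a floor.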
CyberCX said there's also a "real chance" the source of the proxied traffic is paid cloud infrastructure.
The group's bill for IT infrastructure plausibly adds up to tens of thousands of dollars, and CyberCX assesses that the proxy infrastructure alone likely costs at least AU$4,000 a month. Anonymous Sudan has also advertised a DDoS-as-a-service provider.
Anonymous Sudan emerged in January, purportedly to retaliate for a Quran-burning incident in Stockholm staged by a far-right politician with dual Danish-Swedish citizenship. It has since carried out a series of DDoS attacks on Western targets. European media have reported that a key figure behind the Quran-burning incident is a former contributor to the Kremlin-funded propaganda outlet RT who has personal ties to Russia. CyberCX says Anonymous Sudan was created three days before the Quran burning it claims to be avenging.
Microsoft belatedly acknowledged late last week that Anonymous Sudan is behind a spate of outages affecting Azure and Microsoft 365 (see: DDoS Attacks Culprit of Recent Azure, Microsoft 365 Outages).
Multiple cybersecurity firms have already cast doubt over Anonymous Sudan's identity. Swedish cybersecurity firm Truesec concluded in February that Anonymous Sudan is most likely a Russian information operation. Trustwave in March found "a very strong possibility that Anonymous Sudan is a subgroup of the pro-Russian threat actor group Killnet."
CyberCX also points to Russia, noting that Anonymous Sudan openly identifies as part of the pro-Russian hacktivist group Killnet. The group took a month to publish its first post in Arabic on its Telegram channel and mostly posts in English and Russian. Anonymous Sudan claims to be responding to anti-Islamic bigotry but periodically attempts to monetize its activities. "CyberCX notes Russia's long-standing use of religious-related disinformation to polarize Western societies," the company said.