Expensive Proxies Underpin ‘Anonymous Sudan’ DDoS Attacks



Paid IT Infrastructure Undermines Hacktivism Claim of Pro-Russia Group


Pro-Russian and self-declared “hacktivist” group Anonymous Sudan appears to use expensive online infrastructure to perpetrate distributed denial-of-service attacks, undermining its claim to be volunteers operating from an impoverished East African country.


Australian cybersecurity firm CyberCX says in a Monday blog post it examined traffic sources of Anonymous Sudan attacks against Australian targets made in March.

It discovered a high rate of paid proxies used to conceal traffic sources, amounting to at least a third of the attack traffic volume. The real percentage of traffic originating from proxies is likely higher, given that proxies by design are difficult to identify and track, the firm adds. It’s unlikely the group abused free trial offers from proxy providers given “consistent, very high capitalization of the same paid proxies in attacks separated by six days.”

CyberCX says there’s also a “real chance” the source of the proxied traffic is paid cloud infrastructure.

The group’s bill for IT infrastructure plausibly adds up to tens of thousands of dollars, with CyberCX assessing that the proxy infrastructure alone likely costs at least AU$4,000 a month. Anonymous Sudan has also touted a DDoS-as-a-service provider.

Anonymous Sudan emerged in January, purportedly to carry out retaliation for a Quran burning incident in Stockholm by a far-right politician with dual Danish-Swedish nationality. It has carried out a series of DDoS attacks against Western targets. European media have reported that a key figure behind the Quran burning incident is a former contributor to Kremlin-funded propaganda outlet RT who has personal ties to Russia. CyberCX says Anonymous Sudan’s creation dates to three days prior to the book burning incident.

Microsoft belatedly acknowledged late last week that Anonymous Sudan is behind a spate of outages affecting Azure and Microsoft 365 (see: DDoS Attacks Culprit of Recent Azure, Microsoft 365 Outages).

Multiple cybersecurity firms have already cast doubt over Anonymous Sudan’s identity. Swedish cybersecurity firm Truesec concluded in February that Anonymous Sudan is most likely a Russian information operation. Trustwave in March found “a very strong possibility that Anonymous Sudan is a subgroup of the pro-Russian threat actor group Killnet.”

CyberCX also fingers Russia, noting that Anonymous Sudan openly identifies as part of pro-Russian hacktivist group Killnet. The group took a month to publish a post in Arabic on its Telegram channel and mostly publishes in English and Russian. Anonymous Sudan claims to respond to anti-Islamic bigotry but periodically attempts to monetize its activities. “CyberCX notes Russia’s longstanding use of religious-related disinformation to polarize Western societies,” the company also wrote.

