Pro-Islam 'Anonymous Sudan' Hacktivists Likely a Front for Russia's Killnet Operation
"Anonymous Sudan" has been claiming that its DDoS attacks are in retaliation for anti-Islamic activities, but at least one security vendor is suspicious about its true motives.
March 31, 2023
An apparently pro-Islamic group that has hit numerous targets in Europe with distributed denial of service (DDoS) attacks over the past few months may actually be a subgroup of the Russian hacktivist collective known as Killnet.
The group, which calls itself "Anonymous Sudan," has claimed responsibility for recent DDoS attacks against targets in France, Germany, the Netherlands, and Sweden. All the attacks were apparently in retaliation for perceived anti-Islamic activity in each of these countries. The attacks on Swedish government and business entities, for instance, followed an incident of Quran-burning in Stockholm. The same, or similar, reason was the trigger for DDoS attacks against Dutch government agencies and an attack on Air France, where the group — in a break from character — stole data from the airline's website rather than DDoSing it.
Anonymous Sudan's Killnet Links
Researchers from Trustwave, who have been tracking Anonymous Sudan for the past several months, this week said there is some evidence to suggest the group is a front for Killnet. In a report, Trustwave said its researchers have not been able to confirm if Anonymous Sudan is, in fact, based in Sudan or if any of its members are from that country. The group's Telegram posts are in Russian and English, and other telemetry instead point to at least some of its members being Eastern European.
Just as with Killnet, all of Anonymous Sudan's targets have been in countries that have opposed Russia's invasion of Ukraine and/or have assisted the latter in some way. It's most recent threat — on March 24 — to attack targets in Australia fits into the same patterns, as does a DDoS attack against Israeli cybersecurity vendor Radware.
Also just like Killnet, Anonymous Sudan has mostly employed DDoS attacks to send its message to intended targets. And both Killnet and Anonymous Sudan have made claims on their respective Telegram channels that officially connect to each other. In January for instance, Anonymous Sudan claimed to have assisted Killnet in a DDoS attack against Germany's Federal Intelligence Service, Trustwave said.
Just why Anonymous Sudan would brand itself as a pro-Islamic group rather than a pro-Russian group allied with — or possibly a part of — Killnet remains unclear, according to Trustwave researchers. "Anonymous Sudan has been extremely active taking credit for attacks via its Telegram channel, but details concerning the true reasoning behind its efforts remain murky."
A Noisy Hacktivist Collective
Killnet itself is a noisy hacktivist group, that, in the months since Russia's invasion of Ukraine, has hit, or claimed to hit, numerous organizations worldwide in DDoS attacks. The group has described the attacks as retaliation against the US-led support for Ukraine in the war — and indeed, all of its victims have been in countries that have rallied behind Ukraine. Most of its attacks so far have been on organizations in Europe. But in February, Killnet launched DDoS attacks against more than one dozen major US hospitals, including Stanford Health, Michigan Medicine, Duke Health, and Cedar-Sinai. Last October, the group launched DDoS attacks against multiple US airports, including Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport.
Killnet has touted these attacks as major incidents. But security experts, and victim organizations themselves, have characterized the group as a medium severity threat at worst, but one that however cannot be ignored. Following Killnet's attacks on US hospitals, for instance, the American Health Association (AHA) described Killnet's attacks as typically not causing much damage but on occasion having the potential to disrupt services for several days.
Trustwave SpiderLabs security researcher Jeannette Dickens-Hale characterizes the threat that Anonymous Sudan presents the same way.
"Based on Anonymous Sudan's recent DDoS attacks, its connection to, and similarity in tactics techniques, and procedures (TTPs) to Killnet, it appears that the group has a low to medium sophistication level," she says. "Killnet, conveniently just like Anonymous Sudan, mainly launches DDoS attacks and threatens extortion with data they may or may not have."
Trustwave SpiderLabs assesses that Killnet has the same threat level. Anonymous Sudan's recent attack against Air France and the threat to sell its data — that it may or may not actually have — could indicate an escalation in motivation and attack type, Dickens-Hale says.
Killnet's "Black Skills" Launch
Killnet's incessant attempts to drum up support for its efforts — mostly through exaggerated claims of its successes — are another thing that researchers are keeping an eye on. Flashpoint this week, for instance, reported observing Killnet's leader "Killmilk" announcing the creation of a private military hacking outfit called "Black Skills".
The security vendor assessed that Killmilk's description of Black Skills was an attempt to position Killnet as the cyber equivalent of Russian mercenary operation the Wagner Group. Earlier in March, Killnet also announced a DDoS-as-a-service offering called "Black Listing" that Flashpoint perceived as another attempt by the collective to carve a more formal identity for itself.
"Black Skills/Black Listing appear to be an attempt from Killnet to establish itself as a corporate identity," Flashpoint researchers concluded. "According to our intelligence, the new group will be organized and structured, with subgroups taking care of payroll, public relations and technical support, pen testing, as well as data collection, analysis, information operations, and hits against priority targets."
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024