SERIANU CYBER SECURITY ADVISORY
Advisory Number: 2023/12
Advisory Title: ANONYMOUS SUDAN
Date Issued: JULY, 2023
Introduction
Serianu is closely monitoring recent reports of attacks targeting public and private organizations in
the region.
A detailed advisory follows. In the meantime, we recommend that public and private organizations review
and bolster their current DDoS defenses and closely monitor public-facing digital assets for threats and
vulnerabilities.
Who Are Anonymous Sudan?
A threat actor identifying as “Anonymous Sudan” has been conducting distributed denial of service (DDoS)
attacks against multiple organizations, most recently in Kenya. The group claims to be “hacktivists”:
politically motivated hackers from Sudan.
By its own account, Anonymous Sudan emerged in Sudan in response to the country’s ongoing political and
economic challenges. In 2019 a popular uprising led to a military coup that ousted President Omar al-Bashir,
and the group presents itself as a vocal and active presence in the country’s political landscape since then.
The group has been seen actively participating in attacks initiated by Killnet (a Russian threat actor
group) and claims to be part of Killnet. Multiple large, well-known Russian hacktivist groups were observed
promoting Anonymous Sudan in their private and public Telegram channels.
A representative of Anonymous has said that Anonymous Sudan is not Anonymous and that there is no
connection between them.
TTP (Tactics, Techniques, and Procedures)
Three main attack vectors have been observed so far; of the three, DDoS attacks are by far the predominant
one. The attack vectors are:
1. Defacement Attacks (T1491.001: Internal Defacement, T1491.002: External Defacement)
The hacktivist group modifies websites and adds images and videos promoting its cause, together with its
name and account IDs, which violates the integrity of the web page and the domain.
2. DDoS Attacks (Network Denial of Service; T1498.001: Direct Network Flood, T1498.002: Reflection
Amplification)
The hacktivist group conducts DDoS attacks to disrupt or shut down the online operations of the targeted
organizations, causing inconvenience or damage to their operations.
DDoS has been the group's most employed attack vector.
IOCs for the DDoS attacks are listed in the IOC section below.
3. Compromise Accounts (T1586.002: Email Accounts)
In some observed instances, the group has compromised the accounts of users of the targeted entities.
This is likely accomplished through credential stuffing, which uses previously breached credential data
that is openly available from various sources on dark web forums and Telegram channels.
Credential stuffing is the automated injection of previously breached username and password combinations
into login pages in order to gain unauthorized access to the accounts of the organization's users. Because
every attempt carries a plausible username and password pair, it is distinguished from ordinary failed
logins mainly by volume and spread: many distinct usernames tried from one source, or one account tried
from many sources.
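The following detection logic, added here as an illustration and not taken from the advisory, applies the two signals just described to authentication logs: a source that fails against many distinct usernames in a short window, and an account that receives failures from many distinct sources. The log format, field names and sample lines are constructed for the example; adapt parse_line() to your own identity provider or web server log.

```python
"""Credential-stuffing detection over authentication log lines.

Added example, not code from the Serianu advisory. The log format, the
field names and the sample lines are constructed for this example; adapt
parse_line() to your own IdP or web-server auth log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "LOGIN_OK",
    }


def _max_distinct_in_window(seq, window):
    """seq is [(ts, value), ...] sorted by ts. Largest number of distinct
    values that fall inside any time span of length `window`."""
    best, start = 0, 0
    for end in range(len(seq)):
        while seq[end][0] - seq[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in seq[start:end + 1]}))
    return best


def detect_stuffing(lines, window=timedelta(minutes=5),
                    ip_user_threshold=5, user_ip_threshold=5):
    """Return (suspect_ips, targeted_users).

    suspect_ips: sources whose failed logins span >= ip_user_threshold
      distinct usernames inside `window` (one bot cycling through a
      breach dump). Successes from such a source are the stuffing hits.
    targeted_users: accounts receiving failures from >= user_ip_threshold
      distinct sources inside `window` (the distributed variant that a
      per-IP lockout alone never trips).
    """
    failures = [e for e in map(parse_line, lines) if e and not e["ok"]]
    failures.sort(key=lambda e: e["ts"])

    by_ip = defaultdict(list)    # ip -> [(ts, user), ...]
    by_user = defaultdict(list)  # user -> [(ts, ip), ...]
    for e in failures:
        by_ip[e["ip"]].append((e["ts"], e["user"]))
        by_user[e["user"]].append((e["ts"], e["ip"]))

    suspect_ips = {ip for ip, seq in by_ip.items()
                   if _max_distinct_in_window(seq, window) >= ip_user_threshold}
    targeted_users = {u for u, seq in by_user.items()
                      if _max_distinct_in_window(seq, window) >= user_ip_threshold}
    return suspect_ips, targeted_users


# Constructed sample: one source spraying a breach list (including one hit),
# one ordinary user who mistyped once, and one account sprayed from five sources.
SAMPLE_LOG = """\
2023-07-10T09:00:01 198.51.100.7 alice LOGIN_FAIL
2023-07-10T09:00:02 198.51.100.7 bob LOGIN_FAIL
2023-07-10T09:00:03 198.51.100.7 carol LOGIN_FAIL
2023-07-10T09:00:04 198.51.100.7 dave LOGIN_FAIL
2023-07-10T09:00:05 198.51.100.7 erin LOGIN_OK
2023-07-10T09:00:06 198.51.100.7 frank LOGIN_FAIL
2023-07-10T09:01:00 203.0.113.10 alice LOGIN_FAIL
2023-07-10T09:01:30 203.0.113.10 alice LOGIN_OK
2023-07-10T09:02:00 192.0.2.1 finance LOGIN_FAIL
2023-07-10T09:02:10 192.0.2.2 finance LOGIN_FAIL
2023-07-10T09:02:20 192.0.2.3 finance LOGIN_FAIL
2023-07-10T09:02:30 192.0.2.4 finance LOGIN_FAIL
2023-07-10T09:02:40 192.0.2.5 finance LOGIN_FAIL
"""

if __name__ == "__main__":
    ips, users = detect_stuffing(SAMPLE_LOG.splitlines())
    print("suspect sources:", sorted(ips))
    print("targeted accounts:", sorted(users))
```

The successful login for erin from 198.51.100.7 is the part worth acting on: a source that is flagged by the first rule and also produces successes is the breach-list hit, and those sessions should be revoked and the passwords reset. The second rule exists because a per-IP lockout does nothing against the distributed pattern shown for the finance account.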
Information on the Group
The group “Anonymous Sudan” has been observed conducting DDoS attacks against, and breaching,
multiple public and government organizations since January 2023.
They identify themselves as Sudanese hacktivists with political motivations.
The group has been seen actively participating in attacks initiated by Killnet and claims to be part
of Killnet.
Multiple large, well-known Russian hacktivist groups were observed promoting Anonymous Sudan in their
private and public Telegram channels.
A representative of Anonymous has said that Anonymous Sudan is not Anonymous and that there is no
connection between them.
One source reports that Anonymous Sudan uses a cluster of 61 paid servers hosted in Germany to generate
the traffic volume required for its DDoS attacks.
Threat Actor Activity and Rating
Threat Actor Profiling
Active since: January 18, 2023
Hashtags: #AnonymousSudan #Infinity Hackers Group #KILLNET #ANONYMOUS RUSSIA #FuckNato #OpSweden #OpSudan
Geolocation: Claimed to be from Sudan, but Telegram registration denotes Russia.
Past Victims: Multiple public organizations in Sweden, India, Israel, the United States of America and Denmark.
Telegram: https://t.me/AnonymousSudan
          https://t.me/AnonymousSudan_Bot
          https://t.me/+flWdInuMyGpmZTMx
Association: Hacktivist; affiliated groups: Infinity Hackers Group, Killnet, Anonymous Russia, MistNet, UserSec
IOCs (Indicators of Compromise)
IP Addresses
101.167.152.76
101.167.152.90
109.235.139.13
213.61.253.152
213.61.253.250
213.61.254.11
213.61.254.36
217.110.80.14
Impact & Mitigation
Impact
DDoS can leave websites more exposed, as some security controls may be offline or degraded during the
attack.
Overloaded infrastructure can cause the collapse of the services provided by the website.
Websites become vulnerable to further attacks.
Degraded or inconsistent service for users accessing affected websites and resources.
Mitigation
Deploy load balancers to distribute traffic.
Enable rate-limiting mechanisms, per source IP and, because the floods described in this advisory arrive
from tens of thousands of distinct addresses, also as an aggregate budget per application or URL.
Configure firewalls and routers to filter and block attack traffic.
Utilize content delivery networks (CDNs) to absorb and distribute traffic.
Implement bot-detection technologies and algorithms to identify large-scale web requests from botnets
employed by actors to conduct DDoS attacks.
Use a well-configured and regularly updated WAF (Web Application Firewall).
Use an IP reputation service to assess the reputation of a source prior to permitting its traffic through
the firewall.
Drop external traffic from countries you do not expect traffic from. This is a coarse control: the group
generates its floods from cloud servers and relays them through open proxies, so attack traffic does not
necessarily originate from the country the group claims to be from.
Consult with your Internet Service Provider (ISP) or web hosting provider to determine what mitigation
capabilities they have implemented.
Organizations that do not have a backup Internet Service Provider should consider procuring a backup or
alternative service in case their primary provider's link is saturated or otherwise unavailable.
Procure an anti-DDoS service such as Cloudflare.
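To make the rate-limiting point concrete, the following is an added example (not code from the advisory or from any vendor product) of a sliding-window limiter keyed by client IP alongside an aggregate budget per URL path. It is run against two constructed request streams: a flood from one source, which the per-IP limit stops, and a flood spread across many proxy addresses of the kind described in this advisory, where every address individually stays under the per-IP limit and only the aggregate budget catches it. The addresses, limits and window sizes are assumptions for the demonstration.

```python
"""Per-source vs. aggregate request budgeting against layer-7 floods.

Added example, not code from the Serianu advisory or any vendor product.
It implements a sliding-window limiter keyed by client IP plus an
aggregate budget per URL path, and feeds it constructed request streams:
a flood from one source, a flood spread across many proxy addresses that
each stay under the per-IP limit, and ordinary browsing.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def evaluate(requests, per_ip_limit=20, path_limit=200, window_s=10.0):
    """requests: iterable of (time_seconds, client_ip, path), time-ordered.
    Returns how many requests each control let through or shed."""
    per_ip = SlidingWindowLimiter(per_ip_limit, window_s)
    per_path = SlidingWindowLimiter(path_limit, window_s)
    counts = {"allowed": 0, "denied_ip": 0, "denied_path": 0}
    for t, ip, path in requests:
        if not per_ip.allow(ip, t):
            counts["denied_ip"] += 1
        elif not per_path.allow(path, t):
            counts["denied_path"] += 1
        else:
            counts["allowed"] += 1
    return counts


# Constructed traffic, all in documentation address ranges (assumptions).
def single_source_flood(n=500):
    """One client sends n requests to /login in 5 seconds."""
    return [(i * 0.01, "203.0.113.9", "/login") for i in range(n)]


def distributed_flood(n_ips=500, per_ip=10):
    """n_ips proxy addresses each send per_ip requests spread over 10 s:
    every address is individually 'polite', the aggregate is not."""
    reqs = []
    for j in range(n_ips):
        prefix = "198.51.100." if j < 250 else "203.0.113."
        ip = prefix + str(j % 250 + 1)
        for i in range(per_ip):
            reqs.append((i * 1.0 + j * 0.001, ip, "/search"))
    reqs.sort()
    return reqs


def legitimate_traffic():
    """Five users browsing /search at one request every 2 seconds."""
    return sorted((i * 2.0 + u * 0.1, f"192.0.2.{u + 1}", "/search")
                  for u in range(5) for i in range(5))


if __name__ == "__main__":
    for name, stream in (("single source", single_source_flood()),
                         ("distributed", distributed_flood()),
                         ("legitimate", legitimate_traffic())):
        print(f"{name:14s}", evaluate(stream))
```

The per-IP limit never fires on the distributed stream, which is exactly the case this advisory describes. The aggregate path budget does fire, but it is a circuit breaker, not a filter: once tripped it sheds legitimate requests along with the flood. That is why upstream scrubbing (CDN, ISP or anti-DDoS provider) is listed above as the primary control and origin-side limits as the backstop.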
Modus Operandi
Anonymous Sudan operates by using a network of remote-controlled computers (a botnet) to flood a targeted
website with traffic, making the site inaccessible to legitimate users.
The attacks are characterized as Web DDoS (Distributed Denial of Service) attacks combined with alternating
waves of UDP and SYN floods. Attacks originate from tens of thousands of unique source IP addresses, with
UDP traffic reaching up to 600 Gbps and HTTPS request floods reaching several million requests per second
(RPS).
The group leverages public cloud server infrastructure to generate the attack floods, while relaying them
through free and open proxy infrastructure to hide and randomize the apparent source of the attacks.
The group tends to use the application layer DDoS botnets SkyNet and Godzilla, although it also has layer
4 capabilities.
Application layer DDoS attacks target user-facing applications and networks. They abuse application layer
protocols with the intention of disrupting services and can go undetected by traditional network-layer
defenses. Common techniques include request floods, application vulnerability exploitation,
application-specific attacks such as XML-RPC floods, and zero-day vulnerability exploits.
Distinguishing attack traffic from normal traffic is difficult, especially for an application layer attack
such as a botnet performing an HTTP/S flood against a victim’s server: each bot completes a real TCP and
TLS handshake and makes seemingly legitimate requests, so the traffic is not spoofed and may appear
“normal” in origin.
Microsoft said it had observed the threat group “launching several types of layer 7 DDoS attack traffic,”
including:
HTTP(S) flood attack, which “aims to exhaust the system resources with a high load of SSL/TLS
handshakes and HTTP(S) requests processing.” This targets port 443.
Cache bypass, which “attempts to bypass the CDN layer and can result in overloading the origin
servers.”
Slowloris, “where the client opens a connection to a web server, requests a resource (e.g., an
image), and then fails to acknowledge the download (or accepts it slowly). This forces the web
server to keep the connection open and the requested resource in memory.”
The group has been observed promoting the application layer DDoS botnets SkyNet (t.me/xSkynet) and
Godzilla-Botnet (t.me/xGodzillAxNewSxPoweRxProofs). They also claimed to have tested the botnets and
obtained positive results against their targets.
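Of the three layer-7 patterns listed above, the cache-bypass variant is the one a CDN customer can most directly see in its own edge logs, so the following is an added example (not code from the advisory, Microsoft or any vendor) of that check. The tell is a path receiving many requests, nearly all carrying a never-before-seen query string, almost none served from cache, from many source addresses. The log format, the field names and the sample lines are constructed for the example.

```python
"""Spotting cache-bypass floods in CDN/edge access logs.

Added example, not code from the Serianu advisory or from Microsoft. The
log format and the sample lines are constructed. A cache-bypass flood
defeats the CDN by making every request look unique (random query
strings), so the tell is a path with many requests, almost all of them
carrying a never-seen query string, and almost none served from cache.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed edge log line:
#   <ts> <client_ip> "<METHOD> <url>" <status> <HIT|MISS|BYPASS>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) (?P<cache>HIT|MISS|BYPASS)$'
)


def parse(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def cache_bypass_suspects(lines, min_requests=20, min_unique_query_ratio=0.8,
                          max_hit_ratio=0.2):
    """Return {path: stats} for paths that look like cache-bypass targets."""
    stats = defaultdict(lambda: {"n": 0, "queries": set(), "hits": 0, "ips": set()})
    for e in filter(None, map(parse, lines)):
        parts = urlsplit(e["url"])
        s = stats[parts.path]          # group by path, ignoring the query string
        s["n"] += 1
        s["queries"].add(parts.query)  # cardinality of distinct query strings
        s["ips"].add(e["ip"])
        s["hits"] += int(e["cache"] == "HIT")
    suspects = {}
    for path, s in stats.items():
        unique_ratio = len(s["queries"]) / s["n"]
        hit_ratio = s["hits"] / s["n"]
        if (s["n"] >= min_requests and unique_ratio >= min_unique_query_ratio
                and hit_ratio <= max_hit_ratio):
            suspects[path] = {
                "requests": s["n"],
                "unique_queries": len(s["queries"]),
                "cache_hit_ratio": round(hit_ratio, 2),
                "source_ips": len(s["ips"]),
            }
    return suspects


def build_sample_log():
    """Constructed: 30 cache-busting fetches of one image from 30 addresses,
    plus 30 ordinary page loads that the edge serves from cache."""
    lines = []
    for i in range(30):
        token = f"{(i * 2654435761) % 2**32:08x}"   # looks random, is deterministic
        lines.append(f'2023-07-10T10:00:{i:02d} 198.51.100.{i + 1} '
                     f'"GET /images/banner.png?v={token}" 200 MISS')
    for i in range(30):
        lines.append(f'2023-07-10T10:00:{i:02d} 192.0.2.{i % 5 + 1} '
                     f'"GET /index.html" 200 {"HIT" if i else "MISS"}')
    return lines


if __name__ == "__main__":
    for path, s in cache_bypass_suspects(build_sample_log()).items():
        print(path, s)
```

Search pages and URLs carrying tracking parameters legitimately have high query-string cardinality, so the ratio thresholds need tuning per site, and the strongest signal is the combination of all three conditions rather than any one of them; the usual response is to have the CDN ignore or normalize query strings on static paths so the requests become cache hits. Slowloris, by contrast, never appears in access logs at all, because its requests are never completed: it has to be detected from the web server's connection table (many connections stuck reading headers from few or many addresses) and is mitigated with header and body read timeouts.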
Prevention
To help prevent attacks, verify your anti-DDoS configurations, ensure that your sites are protected, and
have your NOC monitor ISP lines for abnormal traffic.
It is also important to scan your website frequently for security weaknesses and to ensure that all
necessary updates are installed, so that the group's application vulnerability exploitation has nothing to
work with.
Conclusion
“Anonymous Sudan” has nothing to do with the greater Anonymous collective or the original Sudanese
#OpSudan. They appear to belong to an ecosystem of Russian hacktivist groups that includes KillNet and
others, some of which are reported to have affiliations with Russian intelligence and security services,
although this is not confirmed. Anonymous Sudan amplifies actions by Russian hacktivists and is in turn
amplified by Russian hacktivist groups.
Anonymous Sudan's access to paid infrastructure, in the form of the 61 servers mentioned above, suggests
that someone is financing them and that they are not simple activists.
Information Sharing
As a means of preventing such attacks from occurring, we encourage any organization or individual that
has information related to this threat actor or these attacks to share it with us through our email
[email protected], so that we can analyze any indicators of compromise (IOCs).
We will continue to closely monitor different threat intelligence sources for more information.