Campaign Summary 

Anonymous Sudan is a highly prolific threat actor conducting distributed denial-of-service attacks (DDoS) to support their pro-Russian, anti-Western agenda. Although the attacks attributed to this adversary are of political and (ostensibly) religious motivation, this group also performs acts of retaliation against messaging platforms that restrict their communications. 

NETSCOUT's broad internet visibility grants us unparalleled insight into the global DDoS attacks launched by Anonymous Sudan. In this attack campaign analysis, we will discuss observed DDoS attack capabilities and methods used by this group.

De-Anonymized Sudan   

Anonymous Sudan emerged in a Russian-speaking Telegram channel in January of 2023, after a public burning of the Quran was conducted in Sweden. Their asserted objective was to initiate online attacks against any country or organization opposing their stances on Islam- or Sudan-related matters.  

Initially, all posts to Telegram were in Russian, which called into question the veracity of the group’s selection of name and purported origin. As other researchers have noted Anonymous Sudan eventually started using Arabic in posts and eventually switched to Sudanese dialects. Many of the initial posts in Russian have since been deleted or removed.  

The group often overlooks actions taken against Sudan or Islam in non-Western countries. Their operations largely favor alignment with pro-Kremlin goals. Furthermore, Anonymous Sudan appears to use standard DDoS-For-Hire services and botnet rentals, breaking from the traditional hacktivist mentality and capabilities and behaving more like an organization with substantial financial backing. 

Adding fuel to the fire, Killnet announced the addition of Anonymous Sudan as an official member of its "hacktivist" community.

Campaign Targets 

Anonymous Sudan has previously targeted numerous prominent networks of various types, including CDNs, cloud services and messaging platforms, and enterprise organizations in various critical sectors:  

• Airlines, 
• Education, 
• Financial Services, 
• Governmental departments and ministries, 
• Hospitals, and 
• Petroleum distributors. 

These attacks span the globe with concentrations in the USA, Sweden, France, other NATO member countries and prospects, Christian-African regions, and former Soviet-bloc countries. 

Modus Operandi 

Anonymous Sudan consistently follows through in attacking targets they have publicly threatened. The detrimental impact of these attacks is demonstrated using reachability tools such as Down Detector, often accompanied by boasting on social media. However, we also find that this group often retrospectively takes credit for unrelated service outages such as those caused by flash crowds related to new product releases. Anonymous Sudan is careful to choose attack times that correspond to high-demand periods of the target. For example, NETFLIX was attacked during peak US consumer periods, and not while most American viewers were asleep. 

Attack Pattern Analysis 

We tracked roughly 20 of the most significant attacks performed by this group during August and September 2023. Because we have a global view of this activity, it allows us to assign high confidence that the following patterns portray the bulk of this group's activity. 

We first examined all DDoS attack vectors during August and September 2023. The vector matrix in Figure 1 illustrates these vectors for each unique target by industry and day pair. The most common vectors are displayed in the left region of the matrix. The multi-colored boxes indicate the presence of a given attack vector (from left to right) during a specific attack (top to bottom).

Anonymous Sudan predominantly utilizes multi-vector attacks—largely a combination of TCP-based direct-path and various UDP reflection/amplification vectors. We expected to find attacks targeting server TCP stacks to be quite prevalent, since Anonymous Sudan mostly targets web server infrastructure. Despite the high degree of TCP-based attacks, we witnessed a significant proportion of well-known UDP reflection/amplification vectors. The following table shows the prevalence of specific attack vectors as utilized by Anonymous Sudan, such as high bandwidth (large byte-size packets and/or large amounts of network traffic increasing bits-per-second), TCP attacks, UDP (a combination of various UDP reflectors/amplifiers), and finally specific UDP reflection/amplification vectors like DNS and SSDP. 

The maximum observed DDoS attack bandwidth and throughput were 284 Gbps and 57 Mpps, respectively.  

Attack Source Infrastructure 

The next phase of our analysis focuses on attack sources used in a DDoS attack comprised of three distinct waves (Figure 2), targeting a large financial organization. In total, we observed 259k unique attack sources participating in this attack. In each wave of the attack, we see an increase of 50k addresses; this does not translate into higher attack traffic volumes, but likely accounts for the constant vector changes, which require different types of attack infrastructure. The third wave highlights this explicitly, with the addition of many different reflection/amplification vectors and increased use of direct-path attack vectors. 

NETSCOUT's comprehensive view on the DDoS ecosystem enables us to globally track DDoS attack sources and abused infrastructure, which are made available to NETSCOUT customers via our ATLAS Intelligence Feed (AIF), a curated, real-time, operationally focused DDoS threat intelligence resource. By making direct operational use of AIF, NETSCOUT customers are already able to eliminate on average 92% of observed DDoS attack sources utilized by Anonymous Sudan (see Figure 3.) In addition to AIF-based attack mitigation, interactive DDoS countermeasures incorporated into NETSCOUT DDoS protection solutions allow network operators to successfully mitigate DDoS attacks of all types, including those employed by Anonymous Sudan.

Fingerprinting Anonymous Sudan Campaigns 

Leveraging DDoS attacks, observed attack vectors, and global view of Anonymous Sudan attack campaigns, we are able to create a fingerprint to track activity across more than 20 confirmed Anonymous Sudan DDoS attacks. After applying the fingerprint to our entire dataset, we found 629k additional attacks in 2023 which were initiated using attack sources also employed by Anonymous Sudan. It is very unlikely that all these attacks were performed by Anonymous Sudan, considering their modus operandi and stated goals. Moreover, the top 1k most similar attacks targeted Internet broadband access providers, a common target of criminal users paying for access to DDoS-for-hire services. 

The infrastructure used in these attacks maintains a high degree of persistence over time. The breadth and depth of our DDoS-related data horizon allows us to identify not only potentially abusable reflectors/amplifiers, but which ones are actively abused by Anonymous Sudan and other adversaries launching attack through DDoS-for-Hire services. This approach partially obfuscates attacks which can be directly attributed to Anonymous Sudan, giving them a layer of anonymity that makes it nearly impossible to exclusively pinpoint attacks from this group.  

Conclusion and Recommended Actions 

We have observed ideologically motivated DDoS attacks for more than 25 years. Anonymous Sudan is simply one of the latest. Although this threat actor makes use of well-known DDoS attack vectors and methodologies, their propensity to follow through on threatened attacks, combined with unpreparedness on the part of targeted organizations, has ensured that they have achieved a relatively high attack success rate, to date. NETSCOUT DDoS defense solutions such as Sightline/TMS and AED, when combined with our comprehensive DDoS-focused AIF Threat Intelligence, ensures that organizations which depend on the availability and resilience of their internet infrastructure and services can successfully mitigate all types of DDoS attacks, including those observed in this attack campaign.