cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Inside Anonymous Sudan, the threat actor behind Microsoft’s recent OneDrive outage and a string of Australian hacks

Security analysts believe that the hackers behind a recent Microsoft OneDrive outage are not Anonymous-linked hacktivists but a pro-Russian group operating under a false identity.

user icon David Hollingworth
Tue, 20 Jun 2023
Inside Anonymous Sudan, the threat actor behind Microsoft’s recent OneDrive outage and a string of Australian hacks
expand image

Even more alarming is the fact that the group — which calls itself Anonymous Sudan — specifically targeted Australian organisations recently as part of a wider campaign called “opAustralia”.

According to researchers at the Australian cyber security firm CyberCX, Anonymous Sudan is named after a legitimate hacktivist group of the same name. Whereas the real Anonymous Sudan — which was a “loose hacking collective” — began its operations in 2019, the newer group started posting on its Telegram channel in January 2023.

As far as CyberCX can confirm, the two groups do not share any members, and Anonymous itself has distanced itself from the current group calling itself Anonymous Sudan. The group also originally posted only in Russian or English and only began to use Arabic in its communications once observers began to question the providence of the group.

And while the group’s operations largely seem to match up with Sudan’s own UTC-3 time zone, that zone does also cover eastern Europe and Moscow.

The group itself is probably small, possibly even consisting of one primary individual. It’s also far more coordinated in its operations than most hacktivist groups and more circumspect in announcing its targets. The group only declares targets when attacks are already underway, compared to most hacktivist groups, which prefer to announce their operations ahead of time to increase their publicity.

Anonymous Sudan has also been seen to prefer acting at certain times of day, “between UTC 6:00 and UTC 18:00”.

The other major difference between the two groups is that the original Anonymous Sudan group was pro-Ukraine and anti-Russia, whereas the new threat actor is vocally pro-Russian and publicly linked to the pro-Russian Killnet collective, which has been targeting NATO and allied countries since March 2022.

Anonymous Sudan has also been seen to work alongside Killnet affiliates, including the threat actor behind the original Medibank data breach last year.

“In June, Killnet-affiliated threat actors, including Anonymous Sudan, announced plans to launch non-DDoS attacks on Western financial institutions and the SWIFT network in conjunction with REvil,” CyberCX said in a blog post. “REvil is a formerly prominent Russia-based cyber extortion group linked to the cyber extortion attack against Medibank in October 2022.”

“CyberCX notes,” however, “that previously known REvil communications channels have not corroborated a partnership with Killnet or Anonymous Sudan. REvil’s darknet sites have been offline for at least the last four months.”

Killnet itself is almost certainly linked to Russian government agencies itself, including the FSB.

Anonymous Sudan’s own operations have been largely DDoS-based, targeting organisations in the West that it said are responsible for “anti-Islamic action or sentiment” — but this doesn’t stop the group from trying to make money from its hacking activities.

For instance, in March 2023, it advertised that it had stolen data from a number of French airlines, which it was selling online for US$3,000 in bitcoin.

In March and April, the group took part in the aforementioned “opAustralia”, which was itself planned by a Pakistan-based hacktivist group in response to the use of the Arabic text “God walks with me” on a garment worn during a Melbourne Fashion Festival event. Anonymous Sudan attacked “at least 24 Australian organisations in the aviation, healthcare and education sectors”.

OpAustralia began on 17 March, with Anonymous Sudan joining the campaign on 24 March before operations ceased on 1 April.

CyberCX has observed that the group also heavily relies upon paying for the infrastructure it uses to stage its DDoS attacks, another clue that the group is not based in economically challenged Sudan.

“Based on the identifiable aspects of proxy infrastructure we observed, we assess that Anonymous Sudan’s proxy infrastructure is likely to cost at least AU $4,000 per month of usage,” CyberCX wrote.

“While Anonymous Sudan superficially resembles other hacktivist DDoS actors, its apparent access to significant resources and its dubious ideological associations means that it poses an atypical threat.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.