The wave of cyber-attacks that befell Kenya recently by ‘Anonymous Sudan’ has been linked to a group of hackers in Russia.
According to Pan-African cybersecurity consulting firm, Serianu Limited, ‘Anonymous Sudan’ is a code name for a threat actor that has been conducting denial of service (DDoS) attacks against multiple organizations, the most recent being in Kenya.
Serianu alleges that the organization of self-described “hacktivists” is made up of politically motivated hackers from Sudan.
“Anonymous Sudan emerged in Sudan in response to the country’s ongoing political and economic challenges. In 2019, a popular uprising led to a military coup that ousted President Omar al-Bashir. Since then Anonymous Sudan has continued to be a vocal and active presence in the country’s political landscape,” writes Serianu in a cyber threats advisory to public and private organizations.
The Anonymous Sudan group has been seen to actively participate in attacks initiated by a Russian threat actor group identified as Killnet and has voiced claims of being part of the Russian group.
Flashpoint Intel researchers claim that there is a likelihood that Anonymous Sudan is actually a state-sponsored Russian actor disguising themselves as Sudanese actors with Islamist motivations.
“Despite obfuscations on official Anonymous Sudan channels as to their identity and affiliations, the employment of social media or public facing accounts under the “hacktivist” banner is consistent with previous tactics, techniques, and procedures employed by Russian State-sponsored adversaries,” says Flashpoint in a report.
During the attack on the government’s eCitizen portal, ICT Cabinet Secretary (CS) Eliud Owalo confirmed that the hackers attempted to jam the portal through an overload of data requests, insisting that no personal data had been accessed or lost.
“They tried jamming the system by making more requests into the system than ordinary, which led to the slowing down of the system,” said Mr Owalo.
DDoS has emerged as the ‘hacktivist’s go-to weapon of choice every time it seeks to deploy attacks on a victim’s infrastructure.
This form of cyber-attack is aimed at flooding a server with internet traffic to prevent users from accessing connected online services and sites.
It ends up disrupting a service or network rendering it inaccessible to its normal users.
Serianu says that Anonymous Sudan uses a cluster of 61 paid servers hosted in Germany to generate the traffic volume required for a DDoS attack.
The grouping first popped to the surface on January 18, 2023, claiming to be from Sudan but its Telegram registration denotes Russia.
Since then, it has been found to have raided multiple organizations in Sweden, India, the USA, Denmark, and Israel with attacks before it landed in Kenya and most recently in Nigeria.
Some of the most popular hashtags associated with the group in online conversations include #AnonymousSudan, #Infinity Hackers Group, #KILLNET, #ANONYMOUS RUSSIA, #OpSweden and #OpSudan.
According to Serianu, Anonymous Sudan operates by using a network of remote-controlled computers (botnet) to flood a targeted website with traffic, making the site inaccessible to users.
“Attacks originate from tens of thousands of unique source IP addresses with UDP traffic reaching up to 600Gbps and HTTPS request floods up to several million RPS,” notes Serianu.
The consultancy firm further opines that the hackers leverage cloud server infrastructure to generate traffic and attack floods while leveraging free and open proxy infrastructures to hide and randomize the source of the attacks.
“These attacks target application layer protocols with the intention of disrupting services and can go undetected by traditional defense systems,” says Serianu in the advisory paper.
“Some of the common techniques include request floods, application vulnerability exploitation, application-specific attacks such as XML-RPC floods, and zero-day vulnerability exploits.”
Cybercrime experts recommend verifying Anti-DDoS configurations, and ensuring sites are protected on top of ascertaining that the established network operations centre has the capacity to monitor the internet service provider (ISP) lines for abnormal traffic.
Other measures include scanning the website frequently for potential security loopholes and ensuring that all the necessary updates are installed to prevent possible attacks.