By 
Guardian of the connected world, NETSCOUT has made use of its extensive internet visibility to closely scrutinise the disruptive endeavours of Anonymous Sudan, a prolific threat actor engaged in recent widespread distributed denial-of-service (DDoS) attacks, in order to better understand its methodologies and impacts.
RELATED: Innovative Netscout solution protects customers from cyberattacks
Targeting Africa and beyond, this group aligns its actions with a pro-Russian, anti-Western agenda, while exhibiting political and seemingly religious motivations.
De-anonymising Anonymous Sudan
According to a recent NETSCOUT blog, Anonymous Sudan surfaced on a Russian-speaking Telegram channel earlier this year, in the wake of a public Quran-burning incident in Sweden. Initially posting in Russian and later shifting to Arabic and Sudanese dialects, the group’s evolution raised suspicions about its origins.
Despite the name, its actions often bypass non-Western issues related to Sudan or Islam, favouring alignment with pro-Kremlin objectives, with operational tactics suggesting a departure from typical hacktivist behaviours, and pointing more towards entities with substantial financial backing.
The victims of Anonymous Sudan’s attacks cover a wide spectrum, comprising prominent networks of various types, such as content delivery networks (CDNs), cloud services and messaging platforms, and enterprise organisations in sectors including airlines, education, finance, government, healthcare and petroleum distributors. Activities are concentrated heavily on targets in the USA, Sweden, France, other NATO member states, African regions including Kenya and Nigeria, and former Soviet-bloc countries.
Operational patterns and methods
Anonymous Sudan exhibits a consistent pattern of attacking publicly threatened targets, the NETSCOUT study says, boasting impact through reachability tools like Down Detector. The group strategically times its assaults during high-demand periods for maximum effect (for example, attacking NETFLIX during peak US consumer periods), targeting web server infrastructure predominantly through multi-vector attacks combining TCP-based direct-path and UDP reflection/amplification vectors.
NETSCOUT’s analysis reveals significant attack bandwidths and throughputs, reaching a maximum of 284 Gbps and 57 Mpps, respectively.
The next phase of the analysis focused on attack sources used in a DDoS attack comprised of three distinct waves, targeting a large financial organisation. In total, 259,000 unique attack sources participating in this attack were observed, according to the blog.
In each wave of the attack, an increase of 50,000 addresses was seen. This does not translate into higher attack traffic volumes, but likely accounts for the constant vector changes, which require different types of attack infrastructure. The third wave highlights this explicitly, with the addition of many different reflection/amplification vectors and increased use of direct-path attack vectors.
Fingerprinting Anonymous Sudan
NETSCOUT’s analysis has successfully identified attack fingerprints associated with over 20 confirmed Anonymous Sudan DDoS attacks.
Says the blog: “After applying the fingerprint to our entire dataset, we found 629k additional attacks in 2023, which were initiated using attack sources also employed by Anonymous Sudan. It is very unlikely that all these attacks were performed by Anonymous Sudan, considering their modus operandi and stated goals. Moreover, the top 1k most similar attacks targeted Internet broadband access providers, a common target of criminal users paying for access to DDoS-for-hire services.”
Mitigation strategies for Africa
Bryan Hamman, NETSCOUT’s regional director for Africa, emphasises the critical need for proactive defence measures against such threats: “Africa has not escaped these attacks unscathed; we’ve seen multiple incidents claimed by Anonymous Sudan targeting organisations in both Kenya and Nigeria recently. This underscores the urgent need for local businesses to understand the techniques and methodologies of threat actors like Anonymous Sudan, as well as to ensure that they have comprehensive defence strategies in place, leveraging real-time threat intelligence.
“While Anonymous Sudan has seen success, stemming from the alignment of its threats with actual attacks and the unpreparedness of targeted entities, the group also just represents the latest iteration of ideologically motivated DDoS attacks, something that NETSCOUT has observed for more than 25 years.”
Hamman notes that NETSCOUT has been able to eliminate the vast majority of observed DDoS attack sources used by Anonymous Sudan. He clarifies: “Leveraging its comprehensive DDoS ecosystem view, NETSCOUT provides its customers with ATLAS Intelligence Feed (AIF), a curated, real-time, operationally-focused DDoS threat intelligence resource, enabling the elimination of approximately 92 percent of observed DDoS attack sources used by Anonymous Sudan.
“The integration of AIF-based attack mitigation and interactive DDoS countermeasures into NETSCOUT’s defence solutions empowers network operators to effectively mitigate various DDoS attacks, including those orchestrated by Anonymous Sudan.
“NETSCOUT remains vigilant in its mission to combat such threats and secure African cyberspace and beyond,” Hamman concludes.
For more information on NETSCOUT’s Arbor DDoS Protection range of solutions, please visit https://www.netscout.com/arbor
