This post is an update on the activities of the hacktivist group known as “Anonymous Sudan.” For more information and background on this group's activities, please see our previous blog post on this group.
DDoS Attacks Against Denmark
On April 2, 2023, hacktivist groups from Russia and Turkey announced simultaneous denial of service (DDoS) attacks against websites in Denmark. The Turkish hacktivist group “TurkHackTeam” also announced DDoS attacks against websites in Denmark. The affected websites were:
On the same day, a Russian group calling themselves Anonymous Sudan announced DDoS attacks against the websites of 10 different airports in Denmark.
On April 3, 2023, TurkHackTeam also announced attacks against one more Danish website: fyrstahjalp.com, while Anonymous Sudan later announced they would target several Danish municipalities as well.
Who Are Anonymous Sudan?
Anonymous Sudan is part of KillNet, a Russian hacktivist group with ties to organized Russian cybercrime. KillNet claims to be pro-Russian patriots, but in reality, they also appear to be cyber mercenaries. Research has connected KillNet to conflicts between rival criminal darknet markets in Russia, where KillNet would DDoS a darknet narcotics market in return for payment from a rival site.
Large DDoS attacks against multiple big websites requires a lot of funding. The DDoS market is mainly controlled by a few large syndicates that sell their services to other actors that act as middlemen. These middlemen bundle and resell DDoS capacity to yet other actors that do the actual targeting. It all costs money, and small hacktivists can only afford to buy so much capacity. KillNet and Anonymous Sudan must consequently be relatively well-funded operations. By comparison, the attacks by TurkHackTeam are more typical of the amateurish operations most hacktivists conduct.
Anonymous Sudan has gone to some lengths to create the impression they are Muslim hacktivists from Sudan, protesting against the actions of right-wing extremist Rasmus Paludan. Truesec’s research has shown that the group is instead highly likely Russian and part of an information operation to slow Sweden’s NATO application. It's likely that someone in the Russian government, or the circle around President Vladimir Putin, is financing Anonymous Sudan’s operations and pays KillNet to conduct the attacks.
Did the Two Groups Cooperate?
It's tempting to see the simultaneous DDoS attacks on Denmark by Turkish and Russian hackers as proof of collusion between the two groups. While reports suggest some form of cooperation between Russian and Turkish hackers, we believe it's too early to conclude that Anonymous Sudan and TurkHackTeam may have coordinated their attacks.
Since Truesec exposed Anonymous Sudan as a Russian disinformation operation, the group has gone to some lengths to try and improve their disguise and keep up the illusion that they are, in fact, Sudanese hacktivists. While still focusing on Rasmus Paludan and his burning of the Quran, they have begun to latch on to other operations by hacktivist groups like TurkHackTeam and other Muslim hacktivists.
On April 4, 2023, online activists from the Anonymous collective in several Muslim countries announced DDoS attacks against Israel as a protest against Israel; Anonymous Sudan then latched on to this and launched a DDoS attack against Israel.
It's possible that the actor behind Anonymous Sudan monitored TurkHackTeam's activities and decided to latch on to their operations. Launching DDoS attacks against Danish websites simultaneously with TurkHackTeam would serve two purposes. It amplifies attacks that keep the issue of Paludan’s action in the media, driving a wedge between Sweden and Turkey, which slows Sweden’s NATO application, and it also lets them attempt to blend in with genuine Muslim hacktivists.