Skip Navigation

June 27, 2023 |

‘Anonymous Sudan’ more likely a Russia-based group supporting a pro-Russian agenda

Loading table of contents...

Source: CyberNews


Cybersecurity experts believe that Anonymous Sudan, a group that claimed responsibility for recent DDoS attacks on Microsoft Outlook, UPS, and Scandinavian Airlines, is likely a Russia-based group supporting a pro-Russian agenda.

The supposed pro-Sudanese group primarily posted to its Telegram channel in Russian and English, later switching to Arabic and Sudanese, but only after researchers questioned why a Sudanese group would converse mostly in Russian.

Anonymous Sudan’s modus operandi is very similar to another pro-Russian DDoS group, KillNet, which has been targeting Western organizations and governments supportive of Ukraine. In mid-June, Anonymous Sudan, KillNet, and Russian-based ransomware actor REvil announced that they had formed a “Darknet Parliament” and began targeting the European banking industry shortly thereafter.


Field Effect assesses that KillNet and Anonymous Sudan are likely sponsored by Russia’s Federal Security Service (FSB). The FSB has a history of contracting criminal hackers to provide the Russian Government with plausible deniability for low-risk and high-reward activities such as DDoS attacks on Western targets.

Anonymous Sudan was likely established with the intent of upping the intimidation factor of the pro-Russian DDoS attacks, and its supposed-Sudanese origin is a thinly veiled attempt of making it appear like a distinct entity.

Although DDoS attacks are initially effective at knocking their targets offline, they usually aren’t sustainable for long periods of time, and targets typically recover once proper mitigations are put in place. However, even a short period of downtime can cause a significant loss of revenue, customer dissatisfaction, and reputational risk.

DDoS attacks are a popular attack vector for threat actors with low technical skills, as legitimate network stress tools can easily be found online and repurposed for malicious use. Threat actors often amplify their attacks by recruiting their social media followers to participate, providing them with the required instructions and tools.

Additionally, a high number of open proxies and DNS resolvers can be leveraged for DDoS attacks making it difficult for defenders to counter DDoS attacks by blocking IP addresses alone.


Having a firewall will usually not stop the high volume of traffic generated during a DDoS attack at the scale of those conducted by Anonymous Sudan and KillNet. To properly mitigate, organizations should deploy specific DDoS prevention solutions aligned with your infrastructure and online presence that are designed to counter various types and volumes of DDoS attacks.