Since the beginning of 2023, a new hacking collective has appeared, claiming origins in Sudan, a war-torn African country with a pre-modern societal structure, limited internet connectivity, and very low per capita incomes. A Russian private military company which executes elements of foreign policy for the Kremlin has been operating in the country for years, and the self-described Islamist hacktivist collective seems to be a poorly disguised Russian front for attacks on the West. The group mostly uses nuisance-level DDoS attacks; however, in the event of top Russian APTs carrying out significant cyber attacks on Western targets, it is likely the hacktivist auxiliaries would take credit to partially shield Moscow from the political fallout.
Fighting in Sudan is now in its third month, with no signs of ending soon. The two generals fighting for leadership of the nation are Abdel Fattah al-Burhan (the supreme commander of the national army, who initially came to power following the 2019 overthrow of longstanding Sudanese dictator Omar al-Bashir, and then solidified his position in a 2021 coup) and Mohamed Hamdan Dagalo – also known as ‘Hemeti’ – who is the leader of the paramilitary Rapid Support Forces (RSF).
Before the secession of South Sudan, Sudan was the largest state in Africa, comprised of many different ethnic, tribal and religious groups. Sudan’s borders were arbitrarily drawn up by European colonizers in the 19th century, forcing together many naturally opposing groups of people, which has deep repercussions to this day.
Sudan is comprised of hundreds of tribes – the largest of which have over a million members – and their territories often extend beyond formal borders (for example, into Chad or Libya). The official language of Sudan is Arabic, but in addition to this – especially in areas further away from the center – local languages are still spoken, as well as simplified Arabic mixed with local influences, often to the point of incomprehensibility to other Arabic speakers. In Darfur in western Sudan, Chadic Arabic is spoken, which is also used in neighboring Chad as a language of communication between tribes and nationalities. The loyalty of ordinary Sudanese, especially in the more remote regions, has always been first and foremost towards kinship and tribal identities, not to the state. The precedence of Sudanese identity over tribal affiliation is limited to the wealthy elite in the capital.
Before the current eruption of violence, the country experienced two rounds of civil war, one resulting in secession of South Sudan, and another in the Darfur conflict, in which the Sudanese government attempted to restore order by allying itself with the local Bedouin tribes.
This tribal militia was known as the “Janjaweed”: after supplying the militia with weapons, the government sought to integrate it into the armed forces of the state. This group thus became the Rapid Support Forces (RSF).
Despite its patronage, the Sudanese government has never been able to subordinate them to any official command. Under the former dictator of the country, Omar Bashir, Hemeti led the RSF alongside General Burhan’s national army in Darfur. After a so-called Sovereign Council was formed following the 2021 coup against Bashir, Hemeti stepped in as Burhan’s deputy; however, their relationship became turbulent as both generals squabbled over power and how to merge the RSF into the Sudanese military.
The RSF suddenly saw a huge opportunity. Since the creation of Sudan, the ruling power has always been backed by tribesmen from the Nile Valley. The Western Bedouin tribes have been strengthened militarily and economically by the Darfur war, and have gained allies and supporters from abroad. They now seek to seize control of all of Sudan, although as unsettled tribesmen they do not possess an organizational structure that would allow them to effectively control a modern state apparatus. The clashes between the RSF and the army, which began on April 15th, have so far resulted in hefty humanitarian costs, with thousands dead, millions internally displaced, and hundreds of thousands fleeing the country.
While the root cause of the conflict is purely intra-Sudanese, there are external forces involved that transform this domestic struggle for power into a broader conflict. Sudan is a bridge that links the Middle East and Africa, and its abundant natural resources mean the battle for Khartoum has taken on a regional dimension. Gulf heavyweights Saudi Arabia and the United Arab Emirates view the war as a chance to cement their hegemonic status in the Middle East: while Saudi Arabia and Egypt support the army, the UAE has backed the RSF, as has Libyan commander Khalifa Haftar, a Russian proxy and longtime ally of Hemeti.
Russia and the United Arab Emirates have been central to the illegal gold mining operations that have been the main source of finances for the RSF, in a Sudanese gold rush that sees most of the nation’s wealth looted and illegally exported to Russia and Gulf countries.
Wagner, the Russian mercenary group whose mutiny against the Russian state was recently reported by Cyfirma researchers, has been active in Sudan and the neighboring Central African Republic, aiming to collaborate with Hemeti’s RSF to export minerals. The Russian mercenaries are backing local tribes with the aim of undermining the traditional French-backed governments in Central Africa, Niger or Mali – an endeavour in which they seem to be succeeding.
Wagner’s role in the region is twofold: the mercenaries represent a deniable military component of Russian foreign policy, and secondly, they have a free hand in commercial contracts with local regimes and militias. The advantage for the RSF is that Wagner’s services can be paid for in kind and in concessions, whereas standard private paramilitary companies demand hard currency, something which is undeniably harder to source.
One element of Wagner’s services is what Cyfirma researchers call ‘autocrat support packages’. These are a combination of traditional political marketing services with fake social media activity, used to support various autocrats from Africa and Asia, projecting false images of popular support to third world country audiences. These services can also be supplemented by traditional military activity and protection, provided by Russian fighters of the Wagner PMC (as is the case in the Central African Republic or Mali), but in Sudan, Wagner is most likely engaged only in the mineral extraction business in cooperation with the RSF and in providing its support in cyberspace.
Russian information operations are centered around the now infamous Internet Research Agency, known in the West as ‘The Troll Factory’. The agency, posing as a private business, is led by Wagner head Yevgeny Prigozhin, and is yet another front for the Kremlin, designed to influence public opinion at home and abroad.
When researchers spotted cyber activities perpetrated by a supposed Islamist Sudanese hacktivist collective, dubbed ‘Anonymous Sudan’, they were skeptical of its alleged affiliations. The group has been active since January 2023, and has made consistent headlines with widespread global attacks, targeting critical infrastructure and sectors, including finance, aviation, education, healthcare, software, and national governments.
Despite claiming to be Sudanese, the group’s social media posts are mostly written in Russian, with only a handful of posts written in Arabic (and in a dialect of the language not local to the country, at that). In addition, the majority of the group’s targets are institutions in nations that support Ukraine in its fight against Russia.
The group’s activity bears almost none of the hallmarks that are typically observed with grassroots hacktivist collectives, but does, meanwhile, bear all of the unsubtle hallmarks of a “Made in Russia” project, along with the kind of financial backing that regular hacktivists can seldom afford (especially in a country with poor internet connectivity and an estimated average household income of US $460 per year, well below the global average). Researchers believe that, based on the parameters of Anonymous Sudan DDoS attacks, the group is using paid cloud infrastructure for upstream traffic generation, with running costs in the realm of around $3,000 per month, which would be a luxury in Sudan, even if the group was attacking targets significant for Sudanese Islamists.
Anonymous Sudan then attempted to interfere with Sweden’s accession to NATO. A mix of nuisance-level distributed denial-of-service attacks were used, aiming to influence Sweden’s Muslim minority, and Turkish public opinion, in hope of persuading the Turkish government to block Sweden’s accession to the treaty. In this, the group has demonstrated a depth of understanding of Swedish politics and its societal and religious frictions not commonly known in Sudan, but often exploited by actors tied to the Wagner-affiliated Troll Factory.
The group has denied Russian origins by stating they’re merely ‘repaying Russia’ for help in the past – yet another implausible claim, since the ongoing mass use of violence in Sudan would suggest actual Sudanese Islamist hacktivists would have more pressing concerns in their homeland.
The group has also announced a partnership with KillNet and REvil, which are other Russian auxiliaries that openly conspire to attack European banking systems in retaliation for Western sanctions. While the hackers haven’t delivered the attack on the SWIFT interbank funds transfer system that they have been threatening, it seems they have carried out a successful nuisance-level distributed denial-of-service (DDoS) attack against the European Investment Bank (EIB), which temporarily took down its website. This is the typical MO of KillNet and other Russian auxiliaries: utilize a simple DDoS to down a website of a targeted organization, and then present the action as a major hacking victory.
Anonymous Sudan has no connection to the Anonymous group, the latter of which has even proceeded to attack the infrastructure of the former. The group also appears to have no connection to Sudan either: the entire situation is in all likelihood a false-flag operation, orchestrated by Russian intelligence services, in which the group uses pretexts to disguise Russian operations against countries Moscow considers hostile.
The institutions affected by Anonymous Sudan have been targeted with powerful DDoS attacks, costing the attackers greatly in terms of time and money, as well as collateral damage. It is unlikely that the actor has the capability and sophistication to bring down a well-defended infrastructure; however, in the event of top Russian state APTs carrying out significant attacks on Western targets, it is likely the hacktivist auxiliaries would take credit to shield Moscow from the political fallout.