Who are Anonymous Sudan? Hacker group behind behind Twitter outage mocks Elon Musk’s rebrand

A hacking group whose origins have been traced to Russia are believed to have carried out attacks worldwide  (Alamy/PA)
A hacking group whose origins have been traced to Russia are believed to have carried out attacks worldwide (Alamy/PA)

A prolific hacktivist group known as Anonymous Sudan has taken credit for a widespread outage that affected X, formerly Twitter, on Tuesday.

At one stage, there were more than 2,700 incidents of people in the UK reporting issues with X, and thousands more in the US, according to Downdetector, a website that tracks problems with online services.

As the disruption continued, Anonymous Sudan took to Telegram to poke fun at Elon Musk’s recent rebranding of Twitter. Pointing to the error message on the website, the group said: “Elon Musk has not changed the bird’s logo on this page yet.”

The X outage marks the prolific outfit’s latest high-profile cyberattack. It previously targeted Microsoft’s Outlook email service, social platform Reddit, and fanfiction site Archive of Our Own.

Despite its self-proclaimed status as a politically motivated hacking group from Sudan, cybersecurity experts have traced its roots to a murky ecosystem of Russian cybercriminals.

Here’s what we know about Anonymous Sudan.

Who are Anonymous Sudan?

Cybersecurity experts have been raising alarm bells about Anonymous Sudan since it surfaced in January.

Researchers from TrueSec initialy rubbished the group’s claims that it was associated with the Anonymous online activism collective and that it operated from Sudan.

Instead, the experts said the group appeared to belong to a coterie of Russian hacktivist collectives with names such as KillNet and UserSec. These crews work closely to spread pro-Kremlin propaganda and to target Ukraine’s allies in the West, the firm explained.

TrueSec also found several clues that betrayed Anonymous Sudan’s true identity, including its use of messaging app Telegram, a popular communications tool for Russian hackers.

Anonymous Sudan’s account on the chat app was listed as being located in Russia, and the group had interacted with other Russian-linked hacktivists on the service. Most of its posts on the app were also made in English and Russian and not Arabic.

The researchers also said the organisation’s use of paid infrastructure in its previous attacks — including 61 servers that were used to direct traffic to crash a service — indicated that it had a major financier.

“It’s likely that someone in the Russian government, or the circle around President Vladimir Putin, is financing Anonymous Sudan’s operations and pays KillNet to conduct the attacks,” Mattias Wåhlén, a TrueSec threat intelligence expert, said recently.

Fellow cybersecurity firm CyberCX echoed the findings in a recent report. The company added that most hacktivists conduct their plans in a semi-public way online, but Anonymous Sudan had abruptly announced targets as they were being targeted.

What attacks have Anonymous Sudan carried out?

Microsoft revealed in June that a cyberattack caused its Outlook email service to go down for as many as 18,000 users. It said that Anonymous Sudan was the culprit.

In recent weeks, the group has also taken responsibility for attacks on Reddit and Archive of Our Own. The latter was down for more than 24 hours due to the distributed denial-of-service attack, which led to its site being overwhelmed by a deluge of traffic.

Aside from the attacks on internet services earlier, Anonymous Sudan is thought to have conducted several notable cyberattacks in Australia, Scandinavia and Israel.

The group has claimed responsibility for at least 24 distributed denial-of-service (DDoS) attacks on Australian companies, including healthcare, aviation and education organisations.

Anonymous Sudan claimed the wave of attacks was in protest against clothing worn at a Melbourne fashion festival with “God walks with me” written on it in Arabic.

Anonymous Sudan also took credit for similar cyberattacks targeting dozens of hospitals, banks and airports in Denmark and Sweden since February. At the time, the organisation said the attacks were in response to the burning of a koran in front of the Turkish embassy in Stockholm earlier this year.

The group is also believed to have hacked Israel’s rocket defence systems, banks and news sites.