Menu
Browse

Cyber Threat Actor: Anonymous Sudan

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Sudan
31 incidents
Profile

Anonymous Sudan, also tracked as Storm‑1359 by Microsoft, is a threat actor that has claimed responsibility for a series of distributed denial‑of‑service attacks and related disruptions since early 2023. The group operates under the alias Anonymous Sudan and has been linked to the Sudan region in open‑source reporting, though its operational base is not definitively established in the provided material. It presents itself as a hacktivist collective but has been described by third‑party researchers as exhibiting motives that extend beyond pure ideology.

The actor’s targeting pattern, as evidenced by the cited incidents, spans multiple sectors and geographic regions. Educational institutions such as the University of Cambridge have been hit with DDoS attacks that disrupted online services. Media organizations including the Associated Press and Israeli news outlets have experienced service interruptions attributed to the group. Government‑related targets include the U.S. Treasury’s Electronic Federal Tax Payment System, Kenya’s eCitizen portal, and the Canadian healthcare employers’ organization that processes payroll and benefits. Financial services have been struck through attacks on Stripe’s payment dashboard and attempts to monetize stolen data from Air France. Technology platforms such as Microsoft Outlook.com and Azure services have also faced claimed DDoS campaigns. In addition, the group has claimed actions against transportation and infrastructure targets, including Scandinavian Airlines, Swedish public television, German airports, Danish hospitals, Israeli banks, news websites and a missile‑warning system, often citing political grievances such as UK foreign policy in Gaza and Yemen, U.S. involvement in Sudanese affairs, Israeli policies toward Palestine, and the burning of a Quran during Stockholm protests.

Observed tactics, techniques and procedures are largely centered on distributed denial‑of‑service campaigns, which the group repeatedly claims to launch against online portals and services. In the compromise of Israeli President Isaac Herzog’s Telegram account, the actor reportedly used phishing techniques to obtain credentials, indicating a capability for credential‑harvesting operations. Trustwave research cited in the source material notes that the actor attempted to sell data stolen from the French flag carrier Air France, suggesting a financially motivated dimension to some of its activities. No specific malware families or custom tooling are described in the provided sources beyond the use of DDoS traffic and phishing messages.

Attribution and affiliation information comes from third‑party research rather than direct attribution by the actor itself. Truesec has assessed that Anonymous Sudan is “most likely created as part of a Russian information operation to harm and complicate Sweden's NATO application,” noting that the group’s Telegram account lists a user location in Russia and that most of its targets are nations supporting Ukraine in its conflict with Russia. Separately, Trustwave has indicated that there are indications Anonymous Sudan may be a sub‑group of the pro‑Russian state‑sponsored hacker collective Killnet, a relationship the group has openly acknowledged. The same Trustwave analysis also points to possible financial motivation, citing the attempted sale of the Air France data. These assessments represent the only publicly stated linkages to state or criminal affiliations present in the material. The actor remains active in conducting disruptive campaigns that blend protest‑driven messaging with occasional attempts at monetary gain.

Incidents
Attributed incidents available to members
31 incidents
Sources
Sources available to members
8 sources