
Hacktivist group Anonymous Sudan which protested fashion festival likely linked to Russia

Hacktivist group Anonymous Sudan, which attacked Australian organisations in protest of a dress worn at Melbourne Fashion Festival, is likely linked to the Russian state, report finds.

A model showcases the dress featuring the word ‘Allah’ at the Melbourne Fashion Festival in March Picture: Naomi Rahim/WireImage

Cyber “hacktivists” who attacked Australian organisations in a protest over a dress at the Melbourne Fashion Festival were probably not a genuine protest group but a threat actor affiliated with Russia, a leading cyber security company has found.

CyberCX believes the group Anonymous Sudan was likely not an international collection of Muslim activists outraged by a dress that featured the word “Allah”, but an organised, well-funded group with links to Moscow.

The group was part of a campaign called #opAustralia in late March and hit 24 Australian hospitals and airports with distributed denial-of-service attacks that shut websites by overwhelming them with traffic.

In a report to be released Monday, CyberCX said investigations showed the tradecraft used by the group, its use of paid infrastructure to run its attacks, its use of English and Russian language, and its links to pro-Russian threat actors meant there was a real chance it was associated with the Russian state.

The Royal Adelaide Hospital, Burnside Hospital in Adelaide, Calvary Care, and NSW Western Sydney Local Health District, along with Sunshine Coast Airport, were among organisations hit in late March, while the group also claimed it had hit Royal Children’s Hospital in Melbourne and Royal Melbourne Hospital.

CyberCX believes Anonymous Sudan paid thousands of dollars a month for cloud services that were used to bombard the websites by routing the fake website hits through proxies.

Proxy services, which perform actions such as routing the traffic through residential IP addresses, are used to disguise where an attack is coming from and make it easier for malicious traffic such as distributed denial-of-service attacks to evade cyber security systems.

In the “Bear in Wolf’s Clothing” report to be released on Monday, CyberCX said Anonymous Sudan was “publicly aligned with pro-Russian threat actors and was a member of the pro-Russia hacktivist collective, Killnet”.

“Persistent low-level disruption of Western countries is consistent with established Russian information warfare strategies. Anonymous Sudan also primarily posts in English and Russian, with its first Arabic post more than a month after its creation,” it found.

Cyber “hacktivists” who attacked Australian organisations were probably not a genuine protest group but a threat actor affiliated with Russia. Picture: Kirill Kudryavtsev/AFP

The report said Anonymous Sudan started operations via encrypted social media channel Telegram in January, adopting the Anonymous Sudan name in an apparent reference to a 2019 operation by Anonymous, a loose hacking collective, which is globally known.

“However, CyberCX assesses with a high degree of confidence that Anonymous Sudan is unlikely to be an authentic hacktivist organisation and that Anonymous Sudan is unlikely to be geographically linked to Sudan,” the report found.

“Anonymous Sudan has no known overlap with the original membership of the 2019 Anonymous Sudan operation, which was anti-Russia and pro-Ukraine, and has been denounced by a prominent Anonymous account.”

The report found the attacks were part of a broader hacktivist campaign against Australia, dubbed “opAustralia”, initiated in March by a purportedly Pakistani hacktivist group in response to clothing bearing the Arabic text “God walks with me”, displayed at the Melbourne Fashion Festival.


CyberCX found most of Anonymous Sudan’s activities occurred in the timezone that covered both Sudan and Moscow, and “operates with a level of consistent scheduling unusual for a collective of issue-motivated hacktivists”.

CyberCX chief strategy officer Alastair MacGibbon said Anonymous Sudan’s methods were “way too clinical for it to be a grassroots movement of people aligned to an interest”.

“Primarily, it’s got to do with the way we know hacktivist groups ordinarily operate and the fact this group is using infrastructure that is more expensive and more co-ordinated than they traditionally would,” he said.

“When you combine that with their other online activities, it tends to negate the likelihood that they are who they say they are.”

The group had hidden behind other groups and was seeking to amplify dissent on inflammatory issues, including the burning of the Koran in Stockholm and the display of the controversial dress in Melbourne.

“They’ll look to inflame those links. It’s classic – sow division and hide behind groups who get others active,” he said.

Alastair MacGibbon, chief strategy officer at CyberCX.

Mr MacGibbon also noted the Russian Killnet group, which issued renewed hacking threats last week, was publicly linked with Anonymous Sudan and REvil, the Russian group that hacked Medibank last year.

CyberCX said it was “highly likely” some of the members of the Killnet collective were linked to the Russian state.

“In April 2023, leaked US signals intelligence reportedly linked the pro-Russian hacktivist actor and Killnet member Zarya to an intrusion against a Canadian gas pipeline,” the report found. “The intelligence reportedly states that Zarya was on standby for instructions from the FSB, which ‘anticipated that a successful operation would cause an explosion’.”

“All of these loose ties highlight that they aren’t who they say they are,” Mr MacGibbon said.

“I look at this as a series of conclusions. You don’t act like you say you are, you are targeting a range of institutions that also happen to be the targets of Russia. Third, you’re tied in now with groups that are definitely Russian. We are cautiously saying Russian-state linked as opposed to Russian state – there’s no smoking gun saying it’s the FSB or the GRU.

“Our theory is that as the largest non-NATO supplier of military aid, and obviously signing up to the global sanctions of its regime, Australia has become a target of Russian interest. And the Russian state has always had an interest in destabilising the West.”

Ellen Whinnett, Associate editor

Ellen Whinnett is The Australian's associate editor. She is a dual Walkley Award-winning journalist and best-selling author, with a specific interest in national security, investigations and features. She is a former political editor and foreign correspondent who has reported from more than 35 countries across Europe, Asia and the Middle East.


Original URL: https://www.theaustralian.com.au/nation/hacktivist-group-anonymous-sudan-which-protested-fashion-festival-likely-linked-to-russia/news-story/f7fb45e24fcd2d6ec25d29aa0cef9add