Threat Actor Characterization

Anonymous Sudan

ID: 07b6bffbe1da7c5177abf105066332ed43345
Hacktivist Group Collective DDoS Crew Hacktivism
Threat types: DDoS Attack, Defacement, Intrusion, Extortion, Pro-Palestine
Sudan
Updated: 2026-02-20
Created: 2025-10-19
Progress: 55% Completeness: 49% Freshness: 70%
Aliases: AnonymousSudan
MITRE ATT&CK®

Anonymous Sudan — high-tempo DDoS/extortion hacktivists active since 2023. Publicly linked by Microsoft to Storm-1359 Layer-7 DDoS waves; associated in 2023 with KillNet/REvil propaganda arcs. U.S. indictment (Oct 2024) charged two Sudanese nationals with operating the group and conducting tens of thousands of DDoS attacks. Capability: low–moderate technically, high in tempo and media impact.


Technique | Technique name | Tactics (evidence listed under each technique)
T1498 | Network Denial of Service | TA0040
  • 2023-06-16 — Microsoft: Storm-1359 executed L7 DDoS against Microsoft services; disruption and publicity noted.
  • 2023-02-14 — SAS outage (website/app) claimed by Anonymous Sudan; extended service degradation reported.
T1657 | Financial Theft | TA0040
  • 2023-05-30 — Group demanded $3M from SAS to halt DDoS, indicating profit-driven coercion.
T1585 | Establish Accounts | TA0042
  • 2023-2024 — Use of Telegram channels for tasking, claims, and advertising attack services; later silent post-indictment.
T1102 | Web Service | TA0011
  • 2023-2024 — Operational broadcast via Telegram/social services; co-campaign narratives with KillNet/REvil.
T1589 | Gather Victim Identity Information | TA0043
  • 2023 — Event-driven targeting aligned to geopolitics (elections/sanctions/conflict), indicating OSINT-led victim selection.
Strategic Intelligence
Last updated: 2025-10-19T05:11:12+00:00
Anonymous Sudan — High-Tempo DDoS / Extortion Hacktivists (2023–2025)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Anonymous Sudan is a prolific DDoS-focused hacktivist label active since early 2023, responsible for high-visibility availability attacks and public extortion against airlines, tech platforms, and government targets. Microsoft publicly associated the actor it tracks as Storm-1359 with the June 2023 Microsoft 365/Azure Layer-7 DDoS waves (focus on “disruption and publicity”) and described access to botnets/open proxy infrastructure. Reporting ties Anonymous Sudan’s operations to KillNet/REvil propaganda arcs in 2023; however, a U.S. federal indictment (Oct 16, 2024) charged two Sudanese nationals with operating and controlling Anonymous Sudan, crediting them with tens of thousands of DDoS attacks and detailing targets across critical infrastructure and the private sector. Impact has ranged from hours-long outages (e.g., SAS airline, Microsoft services, ChatGPT) to extortion demands and claimed targeting of Israeli alerting systems during wartime. Overall capability: low–moderate technical, high operational tempo and media impact. Confidence: high for the core picture (Microsoft/Cloudflare/LE sources).


  • Branding & narrative. Self-presented as Sudanese/Islamic hacktivists; messaging aligned to anti-Western/anti-Israeli positions and topical geopolitical triggers. Analysts in 2023 frequently linked the group’s propaganda to pro-Russia hacktivist ecosystems (e.g., KillNet), especially when joint threats were issued.
  • Attribution break. DoJ/Europol (Oct 2024) identified two Sudanese nationals as operators, challenging the earlier “pure front for Russia” hypothesis (though co-campaigning with pro-Russia labels still occurred).
Social Media & Communication
SOCMINT integrated: 0/8

Notes: preview mode hides sensitive social/contact details.