Anonymous Sudan’s DDoS strikes took down nine Danish hospitals’ websites on Sunday evening. Copenhagen’s health authority tweeted that hospital care was unaffected by the attacks despite hospital websites being down. “A couple of hours” later, the sites were back online.
The Guardian called Rasmus Paludan, a Danish-Swedish “far-right politician and anti-Islam agitator,” a “far-right politician and anti-Islam provocateur.” Anonymous Sudan said on Telegram that the attacks were “due to Quran burnings” in Stockholm.
Last week, Swedish cybersecurity company Truesec reported that the organization was “most likely founded as part of a Russian information campaign to disrupt and complicate Sweden’s NATO application.”
Danish hospitals hit by cyberattack from 'Anonymous Sudan' #CyberAttack #ui via https://t.co/4hyuGbMt4K https://t.co/NiWprvoiq9
— Bad Advertiser (@0xbadad) February 27, 2023
Truesec’s threat intelligence analysis detected Telegram’s “Anonymous Sudan” account’s Russian user location. The hacktivist group’s DDoS traffic was created using “a cluster of 61 paid servers hosted at IBM/Softlayer in Germany” and “routed through open proxies to hide the real origin of the attacks.”
The use of paid infrastructure shows the group obtains funding, but it does not prove the attacks are government-sponsored. “That the operation has been deliberately orchestrated by someone willing to pay for it, not a spontaneous activity by activists,” Truesec stated.
After the Truesec story, the Anonymous Sudan Telegram account called Marcus Murray a “Swedish idiot.” Afterward, the group announced it was using botnets and recommending them to its followers.
“If you think that patients have nothing to do with burning the Quran, then you are idiot,” the group’s Telegram account commented in response to Arabic posts denouncing hospital targeting.
The phrase “you are idiot” may suggest the author is not a native English speaker, but neither Arabic nor Russian use the indefinite article “an,” so the error does not suggest the group is based in Russia. Anonymous Sudan claimed to have attacked Scandinavian Airlines and SVT earlier this month.
Sandra Barouta Elvin, a Swedish national security officer at Microsoft, told the Swedish daily newspaper Aftonbladet that the responses to the Quran burning—both Russian media coverage and potentially paid-for “activist” responses—indicate that preparations had been made for retaliation before it occurred.
Conclusion
Anonymous On Sunday evening, Sudan’s DDoS attacks took down nine Danish hospitals’ websites. Despite hospital websites being down, Copenhagen’s health authority claimed that hospital care was unaffected by the attacks. “A couple of hours” later, the sites returned. “Far-right politician and anti-Islam provocateur” Rasmus Paludan is Danish-Swedish, according to The Guardian. The attacks were “related to Quran burnings” in Stockholm, according to Anonymous Sudan on Telegram.
“Most certainly formed as part of a Russian propaganda operation to undermine and complicate Sweden’s NATO application,” Truesec stated last week. Telegram’s “Anonymous Sudan” account’s Russian user location was discovered by Truesec’s threat intelligence research. “A cluster of 61 paid servers located at IBM/Softlayer in Germany” generated the hacktivist group’s DDoS traffic, which was “routed through open proxies to mask the real origin of the attacks.”