Anonymous Sudan, an apparent pro-Russian hacktivist persona, claimed a one-hour distributed denial of service attack on OnlyFans Wednesday, the latest in a string of operations aimed at targets in the U.S. and Europe.
The group’s digital assaults coincide with attacks from a broader network of hackers aligned with Moscow who seek attention by taking down high-profile victims and strategic targets, many of which support Ukraine in its ongoing war against Russia.
Anonymous Sudan appears to be affiliated with Killnet, a pro-Russian hacktivist persona that emerged in late 2021 or early 2022 and has claimed DDoS attacks, data theft and leaks on perceived adversaries of the Russian government, according to an analysis from Google’s Mandiant released Thursday.
Many of Killnet’s early attacks gave the air of an operation thirsty for western media attention via claims of high-impact attacks on targets that were more flash than substance, including the March 2022 DDoS attack on a Connecticut airport and the July attack on the website for the U.S. Congress, which briefly affected public access.
Over time, the Killnet network of affiliated personas has evolved to include a flurry of fronts responsible for DDoS attacks on more than 500 distinct victims, according to Mandiant. Anonymous Sudan, while only emerging online in January 2023, accounted for 63% of those attacks.
Anonymous Sudan’s successful disruption of some Microsoft web services in June, along with Killnet’s release of purported stolen NATO documents — released through a channel called “Killnet – F*** NATO” in April 2023 — demonstrate that the network is evolving from being solely a low-level DDoS effort yearning for attention.
Anonymous Sudan claimed another attack on Microsoft on Thursday, but CyberScoop could not independently verify whether one had occurred. A Microsoft representative said the company was aware of the claims and was investigating.
“While Mandiant cannot confirm collaboration or cooperation with Russian security services, KillNet’s targeting of victims consistently reflects the interests of the Russian state,” Mandiant concluded Thursday. “The collective’s apparent significant growth in capabilities, demonstrated by Microsoft’s confirmation that Anonymous Sudan was responsible for the outages they experienced, potentially indicates a significant increase in outside investment in the collective, further suggesting a potential tie to the Russian state.”
It’s not clear who is behind Anonymous Sudan, but it almost certainly is not part of the larger Anonymous collective and likely has nothing to do with the original Anonymous Sudan, according to a February 2023 analysis from Swedish cybersecurity firm Truesec.
The February analysis included a look at the group’s DDoS infrastructure, revealing that it used a cluster of 61 paid servers hosted at IBM/Softlayer in Germany, with traffic then routed through open proxies to disguise the true origin.
“The use of paid infrastructure strongly suggests that the operation is financed by someone with more money than a relatively new and previously unknown hacktivist group typically has available,” the Truesec report read. “The fact that the threat actor uses paid infrastructure doesn’t prove the attacks are government-sponsored, but it is additional evidence that the operation has been carefully organized by someone willing to pay for it, not a spontaneous action by activists.”
Truesec concluded that the “most likely explanation is instead that the new so-called ‘Anonymous Sudan’ is part of a Russian information operation” designed to create fear in Sweden and possibly “strengthen a narrative that Russia is not isolated and create the illusion that there are online activists all over the world supporting Russia.”
The new iteration of Anonymous Sudan emerged on Telegram three days before far-right Swedish politician Rasmus Paludan burned a Quran in front of the Turkish embassy, Truesec noted. Turkish President Recep Tayyip Erdogan used the incident as an example of why Turkey would not support Sweden’s membership in NATO (a position he reversed in July). Two days after the burning, Anonymous Sudan declared attacks on Swedish targets, and overlapping attacks with the Killnet network began a few weeks after that, the company said.
OnlyFans was intermittently available mid-afternoon Wednesday, and multiple accounts on Twitter began complaining that the site was down starting at about 2:30 p.m. Eastern Time in the U.S. A message announcing the attack, posted to Anonymous Sudan’s Telegram channel just before 3 p.m. ET, did not include a stated reason.
Neither OnlyFans nor its parent company, Fenix International Limited, responded to a request for comment.
Updated, July 20, 2023: This story has been updated to include comment from a Microsoft representative.