A group billing itself as “Anonymous Sudan” has popped up on the dark web with claims of 30 million Microsoft accounts available for sale for $50,000 via a Telegram bot. Much about the story is fishy, however, and Microsoft has flatly denied that a data breach has taken place.
Alleged data breach part of Anonymous Sudan campaign against Western targets
“Anonymous Sudan” popped up in early 2023, communicating in Arabic and claiming to be a hacktivist group retaliating against the US and allied nations for perceived wrongdoing in Sudan and in other parts of the Muslim world. Some security experts believe that it is a shell for Russian hackers, as it often promotes the mutual interests of and ties between Russia and Islamic nations.
Whatever the case, the group has been on a sustained campaign of distributed denial-of-service (DDoS) attacks mostly directed at major US and European companies. The group first made news in early February when it knocked out the Scandinavian Airlines website and mobile app for several hours, which it said was in retaliation for a January protest incident in which a copy of the Quran was burned in front of the Turkish embassy in Stockholm. The attackers did not appear to be aiming for a data breach, but one happened anyway as the Scandinavian Airlines network glitched out and began displaying passenger contact and flight information to the wrong parties.
This began a pattern that has held to the present, with Anonymous Sudan conducting DDoS strikes against Western companies or government agencies perceived to have insulted or harmed Muslims. After attempting to extort $3 million from Air France in February, the group moved on to DDoS an assortment of Australian organizations in response to the debut of a clothing line that prominently featured the word “Allah” on garments. In May the group targeted a string of UAE websites and banks, and returned for a second successful DDoS attack on Scandinavian Airlines.
Another emerging pattern for the group is to make grandiose claims in connection with these DDoS attacks that it has difficulty backing up. This happened in late April, when the group targeted Israeli Prime Minister Benjamin Netanyahu’s website along with an assortment of government sites. Several days later, Anonymous Sudan claimed that it had breached the country’s Iron Dome defense system and temporarily disabled it. Israel never confirmed this incident and there have been no known consequences from it.
The group has announced that it is formally aligned with pro-Russian “hacktivism” group Killnet; some security analysts believe that it is simply composed of Russian Killnet members posing as African Muslims. Killnet also mostly engages in DDoS attacks on public-facing websites, but has demonstrated data breach capability at times that would at least lend some credence to the claims about stolen Microsoft accounts. It has previously leaked stolen data from several organizations, including an April dump of NATO contact information. However, it has also muddied the waters here by claiming data breaches that it does not later provide any evidence of.
Anonymous Sudan announced on June 5 that it would be targeting Microsoft accounts, though there is still no firm evidence that it did anything but DDoS several of the company’s online products. The group’s Telegram channel claims that it accessed “a large database containing more than 30 million Microsoft accounts, emails, and passwords” and offers it for sale for $50,000, but provides no evidence to support the claim other than a sample of about 100 credential pairs that may have been obtained from an older data breach. Microsoft says that it has analyzed the sample and found it to be illegitimate, and has not seen any internal evidence of a data breach.
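The one technical claim in this story that an outside analyst can actually test is whether the seller’s ~100-pair “sample” is fresh or repackaged from older dumps. The script below is an added example, not Microsoft’s analysis and not code from the article: it parses a seller-style `email:password` sample, checks each address against a set of emails already seen in prior public breaches, and checks each password against a prior-breach corpus using the same k-anonymity lookup shape as Pwned Passwords (only the first five hex characters of the password’s SHA-1 leave the client; the full range of matching suffixes comes back with prevalence counts). The sample lines, the prior-email set and the range index are all constructed here so it runs offline; the names `SAMPLE`, `PRIOR_EMAILS`, `RANGE_INDEX`, `triage_sample` and the 50% recycling threshold are assumptions of this example.

```python
"""Triage a seller's credential "sample" for signs of recycling from older breaches.

Added example, not the article's or Microsoft's code.  All data below is
constructed for the demonstration; the range index stands in for a local
mirror of a Pwned-Passwords-style corpus.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

# --- constructed inputs (not real accounts or real breach data) --------------
SAMPLE = """\
alice@example.com:Password123
bob@example.com:Summer2019!
carol@example.com:correct horse battery staple
dave@example.com:hunter2
malformed-line-with-no-separator
alice@example.com:Password123
"""

# Addresses already present in earlier public dumps (constructed).
PRIOR_EMAILS = {"alice@example.com", "bob@example.com", "dave@example.com"}

# Passwords from the constructed prior-breach corpus with prevalence counts;
# the range index is derived from these so the SHA-1 values are right by construction.
_PRIOR_PASSWORDS = {"Password123": 1200, "hunter2": 9500, "Summer2019!": 40}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned-Passwords-style corpora index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(counts: dict[str, int]) -> dict[str, dict[str, int]]:
    """Group hashes by 5-char prefix -> {35-char suffix: prevalence}."""
    index: dict[str, dict[str, int]] = {}
    for pw, n in counts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = n
    return index


RANGE_INDEX = build_range_index(_PRIOR_PASSWORDS)


def lookup_range(prefix: str) -> dict[str, int]:
    """Stand-in for the k-anonymity range query: only the prefix is sent."""
    return RANGE_INDEX.get(prefix.upper(), {})


def password_prevalence(password: str) -> int:
    """How often this password appears in the prior corpus (0 = never seen)."""
    h = sha1_hex(password)
    return lookup_range(h[:5]).get(h[5:], 0)


def parse_sample(text: str) -> tuple[list[tuple[str, str]], int]:
    """Split 'email:password' lines; count lines that do not fit the format."""
    pairs, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        email, sep, pw = line.partition(":")
        if not sep or "@" not in email or not pw:
            malformed += 1
            continue
        pairs.append((email.strip().lower(), pw))
    return pairs, malformed


@dataclass
class Triage:
    total: int
    malformed: int
    duplicates: int
    emails_seen_before: int
    passwords_seen_before: int
    recycled_ratio: float   # share of unique pairs where BOTH email and password are old
    verdict: str


def triage_sample(text: str, prior_emails: set[str], threshold: float = 0.5) -> Triage:
    pairs, malformed = parse_sample(text)
    counts = Counter(pairs)
    unique = list(counts)
    duplicates = len(pairs) - len(unique)
    emails_hit = sum(1 for e, _ in unique if e in prior_emails)
    pw_hit = sum(1 for _, p in unique if password_prevalence(p) > 0)
    both_hit = sum(1 for e, p in unique if e in prior_emails and password_prevalence(p) > 0)
    ratio = both_hit / len(unique) if unique else 0.0
    if not unique:
        verdict = "no usable entries"
    elif ratio >= threshold:
        verdict = "likely recycled from older breaches"
    else:
        verdict = "not explained by known corpora; needs first-party verification"
    return Triage(len(pairs), malformed, duplicates, emails_hit, pw_hit, ratio, verdict)


if __name__ == "__main__":
    print(triage_sample(SAMPLE, PRIOR_EMAILS))
```

A high overlap on both the address and the password says the pairs are probably lifted from earlier leaks and prove nothing about a new compromise; a low overlap does not prove the opposite, it only means the sample cannot be dismissed from public corpora alone and has to go to the affected provider, which is the position Microsoft describes taking here.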
Investigation into Microsoft accounts theft remains ongoing, but initial indications are that it’s bogus
Anonymous Sudan has recently succeeded in temporarily disrupting a number of companies, with Microsoft’s own analysis finding that the group is likely employing multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure. But the group’s seeming desperation in its bids to extort money, first with its DDoS barrage on Air France and now with the phantom Microsoft accounts, points to a group that does not enjoy nation-state financial backing and is not part of a large ransomware cartel.
Some answers (or at least clues) might be found in the history of Killnet, which security researchers believe started out as a DDoS-for-hire outfit that may have employed Russian nationalism as a publicity method to drum up business. The group has also since parlayed its notoriety into several other criminal for-profit efforts, such as a darknet marketplace for purchasing illegal drugs and an extortion service called “Black Listing.” Inter-group drama has also flared up, leading to an April conflict in which the former leader (a Belarusian teenager) was ultimately doxxed by other group members and arrested.
In addition to the DDoS campaign and the claimed theft of Microsoft accounts, Anonymous Sudan has of late busied itself with a campaign of attacks against European banks. In conjunction with Killnet, the group has also declared war on the SWIFT international banking system, from which Russian banks were cut off in 2022 in response to the invasion of Ukraine.