Scandinavian Airlines (SAS) has been targeted with a ransomware attack which saw its customer facing website and app taken offline for over 24hrs.
The attack on Wednesday (24/05/23) is the second attack claimed in the name of a hacking group called Anonymous Sudan.
The 1st attack by the gang leaked customer data and caused chaos with passengers as they were logged into random accounts when attempting to access their flight data.
This random access allowed unauthorised users to access the names, addresses, partial credit card data and flight history of other users.
In this latest attack, which appears to have been a DDoS attack, the gang initially demanded a ransom of USD $3,500 but later upped the price to USD $175,000.
Rapid recovery
Although access to the affected systems caused annoyance to SAS passengers, the systems were brought back online after a little over 24hrs. It is unknown whether this is due to a ransom being paid, or just that SAS had a robust recovery & backup plan in place.
Who are Anonymous Sudan?
Anonymous Sudan is a hacker group based in Sudan that claims to engage in cyber-activism and hacking activities. The group is believed to be part of the larger Anonymous network – hence the name. The group uses the Anonymous #OP phrasings in their attacks – e.g. #OPIsrael which is an annual attack against Israeli government websites on the eve of Holocaust Remembrance Day.
The gang emerged in Sudan in response to the country’s ongoing political and economic challenges and uses traditional digital activism type attacks (hacking and DDoS attacks) on governments to draw attention to censorship and restriction on free speech.
During a multi-day campaign in March 2023, the group targeted medical facilities, universities, and airports in France as a retaliatory attack for the publication of a a cartoon depiction of the prophet Muhammad, allegedly referencing the controversial Charlie Hebdo caricatures.
During the same period, the group also leaked information from several airlines and payment providers, claiming they hacked the organisations and put up sensitive data for sale.
The group also targets Swedish organisations as a reaction to far-right activist, Rasmus Paludan, who holds both Danish and Swedish citizenship.
Paludan burned a copy of the Quran in Sweden on January 21, 2023, and vowed to continue burning the Muslim holy book in Denmark until Sweden is admitted into NATO.
KillNet
KillNet are an Anonymous-like online collective of hackers who are Pro-Russia and run attacks against those who oppose the Russian invasion of Ukraine.
Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group is considered a threat to critical infrastructure by a multi-national joint cybersecurity advisory.
KillNet is the most active of more than one hundred cyber mercenary groups spawned from the Russian-Ukraine proxy cyberwar. Their tactics are mainly DDoS attacks against critical infrastructure, airport websites, government services, and media companies within NATO countries, including the U.S., Canada, Australia, Italy, and Poland, as well as Ukrainian supporters in practically all Eastern European, Nordic, and Baltic countries.
KillNet Anonymous Sudan
Because of their common objectives regarding Sweden, Killnet announced the addition of Anonymous Sudan as an official member in its cluster of hacktivists targeting western nations and countries opposing Russia.
Is KillNet Anonymous Sudan the real Anonymous Sudan, or a Russian false flag?
There are allegations that Anonymous Sudan might be a Russian government false flag operation.
The characteristic features that distinguish the gang from other anonymous groups are listed below.
- They do not use hashtags such as #OPSweden in its campaigns, as other anonymous groups do, except for the recent #OpIsrail campaign
- The group is only active in Telegram, and does not use other social media like Twitter
- The group does not seek the support of other pro-Islamic groups
- There is no link in its campaigns on political issues related to Sudan
- The group only interacts with Russian hackers and has no relationship with other Islamic groups
- In most operations, it has been observed that they support Russian hacktivism with tags such as #infinity #killnet #anonymousrussia
- They use the website check-host.net, which is a website monitoring site (similar to isitdownrightnow.com) to check the availability of hosts and to check the status of attacked websites, this site is the one of choice for other Russian hacktivist groups, especially Killnet.
- The group insistently claims that Sudanese Hackers support Russian Hackers for their support of Sudan.
- Most of the gangs posts are in English and Russian, and just a few are in Arabic. Russia and Iran are in the first rank in the order of mention by countries. The user location for the Telegram channel is listed as Russia.
- During an interview with a Danish journalist, the leader of Anonymous Sudan was confirmed to be fluent in Arabic and Muslim.
At this stage it is unknown if Anonymous Sudan and KillNet Anonymous Sudan are one and the same, or that Russia is using Anonymous Sudan as another way to hit back at Western targets, or even that Anonymous Sudan is using Russian skills and accesses to further their own aims. It could be a bit of both.
What is known though is that the seedy underworld of hackers and ransomware gangs will use any tactic to target those they seek to harm.