
India under Cyber Terror Attacks

  • Apr 12, 2023
  • 7 min read

Updated: Apr 13, 2023





Since Soros exposed his desire for regime change in India, there has been increased activity by anti-India forces. Then, on 31st March, US Congresswoman Ilhan Omar made an unsubstantiated and instigating statement that there would be a Muslim genocide in India (refer Image 1). Her statement acted like a dog whistle to fanatics who want to take revenge based on assumptions. Anonymous Sudan is one such fanatic group.


Image 1





The first trace of Anonymous Sudan was found on Twitter in August 2013. However, after posting at least 28 tweets, the Twitter handle @OpSudan became inactive, though it still exists. No major activity of this group was observed between Aug 2013 and Jan 2023. The master hacktivist group “Anonymous Global” disowned Anonymous Sudan as not being a hacktivist group but clearly a religious one. A Telegram channel AnonymousSudna_Bot was activated on 23rd Jan 2023. Since then, the hacker group has been attacking Israel, Sweden, France, Germany and Australia. The stated reason has been any issue related to Islam or Muslims, such as the burning of the Quran in Sweden. In its early days (Jan-Feb 2023) Anonymous Sudan used the Russian language in the Telegram channel on several occasions and also claimed to be part of another pro-Russia hacker group, KillNet. KillNet never denied its relationship with Anonymous Sudan. It was perceived that the real reason for attacking the above-mentioned countries was their support for Ukraine in the ongoing Russia-Ukraine war.




However, on 07th April 2023 the religious fanatic hacker group Anonymous Sudan announced that from 8th April onward it would attack Indian targets because of what India is doing to Muslims. At about 1445 hrs IST they pinned a message on their Telegram group asking followers to select the target: Hospitals or Airports (refer Image 2).

Image 2




Source: Telegram channel AnonymousSudna_Bot and Twitter


The following may be observed from this screenshot:

  • There are 14,480 formal subscribers to this cyber terrorist channel.

  • At the time of the screenshot, 1501 hrs on 08th April 2023, at least 2,763 people had voted to select Indian targets (probably the majority vote went to Airports).

  • This message had been viewed at least 43,500 times.

  • There were 15 comments at that time. Most comments were from independent hackers and small hacker groups from Pakistan, Bangladesh, Turkey, Malaysia and Indonesia (and of course some Mir Jeffers from India) who wanted to help and contribute to Anonymous Sudan. How many helped, and how much help was taken, is not known.



The first round of DDoS (Distributed Denial of Service) attacks came at about 1530 hrs on 08th April against airports. The victim airport websites were Delhi, Mumbai, Hyderabad, Goa and Kochi. The Airports Authority of India website also came under denial of service attack. Every website recovered almost immediately, and some continued to be operational with limited bandwidth. According to the CISO of Mumbai International Airport, he took down the site himself as the load was becoming heavy and he wanted to avoid any infiltration while the DoS attack was in progress. The website became available to users after a break of about 4 hrs. However, the Kochi and Goa airport websites could return to normal only at around 1 AM the next day, after support came in from NCIIPC and CERT-In.


CERT-In was caught unprepared and in a long-weekend mood, but once the National Cyber Security Coordinator intervened, things moved fast. NCIIPC was activated by 5 PM on 08th April.


On 09th April, several banks, AIIMS and the Income Tax site came under a DoS barrage. None was severely affected. In fact, no user of the Income Tax site faced any hindrance. SBI did face some issues, but its app stayed stable. Team Insane_pk, a Pakistani group, also tried to take advantage of the situation and attacked at least 10 major sites, including that of the Govt of West Bengal. The Pakistani efforts had negligible impact.

On 10th April Anonymous Sudan attempted to take down three Indian e-commerce company websites but failed miserably. Since then, up to the writing of this report, no further activity by Anonymous Sudan has been observed, but another religious fanatic group, Team Herox, made an attempt to take down the ANI news website. This attack had little impact. An Indian cyber terror group aligned with Team Herox has recently come into being under the name Hamxa Herox.





Indicators of Compromise


The following Indicators of Compromise were detected by various researchers:

  • 101.167.152.76
  • 101.167.152.90
  • 109.235.139.13
  • 213.61.253.152
  • 213.61.253.250
  • 213.61.254.11
  • 213.61.254.36
  • 217.110.80.14
  • 138.68.190.172
  • 172.104.154.229
  • 38.242.195.61
  • 64.90.48.215
  • 5.189.159.215
  • 176.31.182.123
  • 87.251.67.9

NCIIPC published their own IOCs; however, it is not clear why hash values are mentioned, because there are no hash values in a DDoS attack. For the record, these IOCs are given below:


IP - 109.235.139.13
Hash - 53e4130bfec4a6baa298f852e0c1a1aea8f5ebf0374dea5092f5635e16c617bf

IP - 101.167.152.76
Hash - 73caa8180af10c2540539ba79be4de6e376990ed84157d6ff266a785b77b024c

IP - 213.61.253.152
Hash - 7a1b34f10c89573cf4de871a46c50f3997aa66aea317b012921803bd29b60bb4

IP - 213.61.253.250
Hash - a62960ded418136d191da755084b766ca0797ea794f5a041b98c7c4664c9a053

IP - 213.61.253.11.36.14
Hash - d86b9b0f52fe26b1f2d6347731760fa2b467a055153af4e731af52ff15558384

IP - 217.110.80.14
Hash - ca107a8dc3962b3abcf7e49c574cb4ef86ca6458966de36d3a2e2db541d897cf

(Instructions were to block both the IP addresses and any object with the given hash values.)
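Before a list like the one above is pushed into a firewall or a SIEM watchlist, it is worth validating every entry and then matching it against the web-server logs of the period. The script below is an added example written for this post; it is not code from the original report, NCIIPC or any of the researchers cited. It loads the two published IP lists (including the NCIIPC entry "213.61.253.11.36.14" exactly as printed, so that the validator shows how a malformed indicator is caught rather than silently loaded), and counts hits per indicator in a few constructed Nginx-style access-log lines. The log lines and the non-indicator client addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import ipaddress
import re

# Indicators as published on the page. The NCIIPC entry "213.61.253.11.36.14" is
# copied verbatim; it is not a valid address and the loader must reject it.
RAW_INDICATORS = """
101.167.152.76 101.167.152.90 109.235.139.13 213.61.253.152 213.61.253.250
213.61.254.11 213.61.254.36 217.110.80.14 138.68.190.172 172.104.154.229
38.242.195.61 64.90.48.215 5.189.159.215 176.31.182.123 87.251.67.9
213.61.253.11.36.14
"""


def load_indicators(raw):
    """Return (valid_addresses, rejected_tokens).

    Only well-formed IPv4/IPv6 addresses are accepted. Rejected tokens are
    returned rather than dropped so the analyst sees what did not load."""
    valid, rejected = set(), []
    for token in raw.split():
        try:
            valid.add(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)
    return valid, rejected


# Constructed Nginx-style access log (sample data, not from any real site).
# Two of the client addresses appear in the indicator list; the others are
# documentation addresses standing in for normal visitors.
ACCESS_LOG_SAMPLE = """\
101.167.152.76 - - [08/Apr/2023:15:30:01 +0530] "GET / HTTP/1.1" 503 0
203.0.113.7 - - [08/Apr/2023:15:30:02 +0530] "GET /flights HTTP/1.1" 200 5120
213.61.253.152 - - [08/Apr/2023:15:30:02 +0530] "GET / HTTP/1.1" 503 0
198.51.100.9 - - [08/Apr/2023:15:30:03 +0530] "GET /status HTTP/1.1" 200 311
101.167.152.76 - - [08/Apr/2023:15:30:03 +0530] "GET / HTTP/1.1" 503 0
"""

CLIENT_RE = re.compile(r"^(\S+) ")  # client address is the first field


def match_log(log_text, indicators):
    """Count log lines per listed indicator: {ip_string: hits}."""
    hits = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed client field, skip rather than crash
        if src in indicators:
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits


if __name__ == "__main__":
    iocs, bad = load_indicators(RAW_INDICATORS)
    print(f"{len(iocs)} usable indicators; rejected: {bad}")
    print("hits:", match_log(ACCESS_LOG_SAMPLE, iocs))
```

Matching on parsed `ipaddress` objects rather than raw strings is deliberate: it makes the comparison immune to formatting differences between the published list and the log (leading zeros, IPv4-mapped IPv6 forms) and it forces every entry through the same validation that rejects the malformed NCIIPC line.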






Tactics, Techniques and Procedures

TTPs used by Anonymous Sudan, according to CYE Insights, are:

Defacement (T1491.001 – Internal Defacement, T1491.002 – External Defacement)

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.1


Network Denial of Service (T1498.001 – Direct Network Flood, T1498.002 – Reflection Amplification)

Network Denial of Service (DoS) attacks are used by adversaries to block or degrade the availability of targeted resources. Network DoS can be performed by exhausting the network bandwidth services rely on. Websites, email services, DNS, and web-based applications are examples of resources. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.


Network DoS occurs when the bandwidth capacity of the network connection to a system is exhausted due to malicious traffic directed at the resource or to the network connections and network devices it relies upon. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).


To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.


It is possible for adversaries to use the original IP address of an attacking system or spoof it to make it more difficult to trace the attack traffic back to the attacker or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Somehow the attack bandwidths were mild: some ISPs reported 150–250 Mbps, while in other cases it went up to 500 Mbps. Such attack bandwidths are mild and cannot impact a well-defended website. That is probably the reason why most websites survived the attack.
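The TTP text above measures a flood in raw bandwidth, but on the defender's side the first practical signal is usually per-source request rate in the web-server or firewall logs, which is also what the recommendation to block any IP that sends excessive traffic without reason rests on. The following script is an added example written for this post, not code from the original report, CYE Insights or MITRE. It parses constructed Nginx-style access-log lines, keeps a sliding time window per client address and reports every source that exceeds a request threshold inside that window, so the output is a short list an operator can hand to the firewall or IPS. The log lines, the client addresses (RFC 5737 documentation ranges), the 10-second window and the 30-request threshold are all assumptions; real thresholds depend on the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Nginx-style access log (sample data, not from any real site).
# 198.51.100.23 fires 40 requests at the front page within ten seconds; the
# other two clients are ordinary visitors; one junk line tests the parser.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.23 - - [08/Apr/2023:15:30:{i // 4:02d} +0530] "GET / HTTP/1.1" 200 512'
     for i in range(40)]
    + [
        '203.0.113.7 - - [08/Apr/2023:15:30:01 +0530] "GET /flights HTTP/1.1" 200 5120',
        '203.0.113.7 - - [08/Apr/2023:15:30:04 +0530] "GET /arrivals HTTP/1.1" 200 3011',
        '192.0.2.44 - - [08/Apr/2023:15:30:06 +0530] "GET /status HTTP/1.1" 200 311',
        'garbage line that does not parse',
    ]
)

# client address, then the bracketed timestamp of the combined log format
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def parse_events(log_text):
    """Return a time-ordered list of (timestamp, client_ip); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group(1)))
    events.sort(key=lambda e: e[0])
    return events


def flag_excessive_sources(events, window_seconds=10, threshold=30):
    """Sliding-window rate check.

    Returns {client_ip: peak_requests_in_window} for every source that made
    more than `threshold` requests within any `window_seconds` interval."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peak = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests older than the window
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def block_candidates(peak):
    """Sources to hand to the firewall/IPS operator, busiest first."""
    return [ip for ip, _ in sorted(peak.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    flagged = flag_excessive_sources(parse_events(SAMPLE_LOG))
    for ip in block_candidates(flagged):
        print(f"{ip}: peak {flagged[ip]} requests in 10 s -> candidate for temporary block")
```

A per-source threshold like this catches direct floods from a modest number of bots, which matches the low bandwidths reported above, but it will not see a spoofed or reflected flood (T1498.002) where the source field is forged; for that the ISP-level counters the recommendations mention are the right place to look.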


Lessons learnt and Recommendations

According to the author, the following are the recommendations along with a few lessons learnt.

  • In cyber readiness there is no such thing as weekends and long weekends.

  • Firewalls and IPS must be tuned and logs continuously monitored; if any IP starts sending excessive traffic without reason, it should be blocked.

  • There is a need for formal coordination between CISOs, CERT-In and NCIIPC. CERT-In and NCIIPC issued internal warnings while most users of cyberspace were unaware of what the guidance was.

  • At Kochi an FIR has been registered under Sections 43, 66 and 66F of the IT Act, which deal with computer damage, computer-related offences and cyber-terrorism. However, airports and hospitals are critical infrastructure, hence Section 70 of the Information Technology Act should have been invoked.

  • CERT-In or NCIIPC should be the complainant, and CBI should register the case not only under Sections 66 and 66F but also under Section 70 of the Information Technology Act, which deals with protected systems. A case under UA(P)A can also be made out. If no strict action is initiated, then groups like Hamxa Herox will get strengthened.

  • Declare Anonymous Sudan a cyber terrorist organization.

  • All members of the Telegram group should be identified and marked. Those who commented offering to join the Anonymous Sudan cyber-attack should be tracked, especially those from within India. The rest should be marked for travel restrictions.

  • One thing that is very clear from the attacks by Anonymous Sudan as well as Team Herox is that these attacks were mild in nature. This means that the attacks probably have an alternate objective, which could be:

    A. These attacks are a diversionary tactic; the actual attack is happening somewhere else in some other form while defending teams are focused on the DDoS.

    B. These attacks are used for fund raising by these hacker groups, which are looking for financial support from religious bigot institutions and nation states. Through these attacks they are trying to establish themselves for a specific cause and expect big donors to support them, like the valuation of a company.

  • Strengthen your WAF and keep an eye on logs.

  • Stay in touch with your ISPs to try blocking the attack at their level; if possible, CERT-In should coordinate.

  • If you are using WAF as a service, like Cloudflare, then please revisit your contract to enforce your SLAs.

  • Agencies must identify all of the group's members, as they may cause potential mischief if not a terror/cyber terror attack.

  • Individuals are not impacted, but their systems may be used as bots to attack these sites. If you see high outbound traffic when you are not uploading anything, then most likely your system is a bot. How to check this? Right-click on the task bar at the bottom and click on Task Manager, then check bandwidth utilisation in Task Manager. It should be commensurate with your own usage plus services.

  • Hit back by joining hands with Israel and France.

  • Establish a national cyber-alerting system (Green, Yellow, Amber, Orange, Red) or something similar.





References:

Multiple websites, Twitter handles, Telegram channels and reports were used to prepare this report.

Special thanks to the Twitter handle @FalconFeedsio, the report by Truesec, and cyesec.com.

P.S.

At the time of writing this report, at 2100 hrs on 12 April 2023, Hacktivist Indonesia, a religious hacktivist group, is claiming to target 12,000 websites in India.

The list released by the team includes both local and central government websites and private organisations. The link to the list of attacked websites is at https://t.co/r1JYYkiHVx?ssr=true


It is still developing; keep a watch. I will add.



