Why the hackers behind the Kenya attack are being linked to Russia

[Photo caption: Artificial Intelligence (AI) has completely changed the battleground for both cybercriminals and defenders.]

The wave of cyber-attacks that befell Kenya slightly more than a month ago and threatened to ground the economy has made organisations reconsider their security architecture and structures.

Rapid digital evolution has seen a rise in the frequency and sophistication of cyberattacks globally, with emerging technology concepts such as artificial intelligence (AI), nanotechnology and blockchain poised to further accelerate the complexity and severity of cyber warfare.

But it is not just that. It is the struggle to unmask the threat actors behind the country’s recent protracted attacks that has fuelled the cyber safety debate.

At the time of the crisis, the attackers were only identified as ‘Anonymous Sudan’.

Who are ‘Anonymous Sudan’?

Pan-African cybersecurity consulting firm Serianu Limited says that ‘Anonymous Sudan’ is a code name for a threat actor that has been conducting distributed denial of service (DDoS) attacks against multiple organisations, the most recent being in Kenya.

According to Serianu, the group, which claims to be ‘hacktivists’, is composed of politically motivated hackers from Sudan.

“Anonymous Sudan emerged in Sudan in response to the country’s ongoing political and economic challenges. In 2019, a popular uprising led to a military coup that ousted President Omar al-Bashir. Since then Anonymous Sudan has continued to be a vocal and active presence in the country’s political landscape,” writes Serianu in a cyber threats advisory to public and private organisations.

The Anonymous Sudan group has been seen to actively participate in attacks initiated by a Russian threat actor group identified as Killnet, and has voiced claims of being part of the Russian group.

Researchers from risk intelligence firm Flashpoint Intel point to the likelihood of Anonymous Sudan being a State-sponsored Russian actor masquerading as Sudanese actors with Islamist motivations.

“Despite obfuscations on official Anonymous Sudan channels as to their identity and affiliations, the employment of social media or public facing accounts under the “hacktivist” banner is consistent with previous tactics, techniques, and procedures employed by Russian State-sponsored adversaries,” says Flashpoint in a report.

What is a DDoS attack?

DDoS has emerged as the hacktivist’s go-to weapon whenever it seeks to attack a victim’s infrastructure.

This form of cyber-attack is aimed at flooding a server with internet traffic to prevent users from accessing connected online services and sites.

It ends up disrupting a service or network rendering it inaccessible to its normal users.

During the attack on the government’s eCitizen portal slightly more than a month ago, ICT Cabinet Secretary (CS) Eliud Owalo confirmed that the hackers attempted to jam the portal through an overload of data requests, insisting that no personal data had been accessed or lost.

“They tried jamming the system by making more requests into the system than ordinary, which led to the slowing down of the system,” said Mr Owalo.

Serianu says that Anonymous Sudan uses a cluster of 61 paid servers hosted in Germany to generate the traffic volume required for a DDoS attack.

Anonymous Sudan’s activities and rating

The grouping first popped to the surface on January 18, 2023, claiming to be from Sudan but its Telegram registration denotes Russia.

Since then, it has been found to have raided multiple organisations in Sweden, India, the USA, Denmark and Israel with attacks before it landed in Kenya and most recently in Nigeria.

Some of the most popular hashtags associated with the group in online conversations include #AnonymousSudan, #Infinity Hackers Group, #KILLNET, #ANONYMOUS RUSSIA, #OpSweden and #OpSudan.

Modes of operation

According to Serianu, Anonymous Sudan operates by using a network of remote-controlled computers (botnet) to flood a targeted website with traffic, making the site inaccessible to users.

“Attacks originate from tens of thousands of unique source IP addresses with UDP traffic reaching up to 600Gbps and HTTPS request floods up to several million RPS,” notes Serianu.

The consultancy firm further opines that the hackers leverage cloud server infrastructure to generate traffic and attack floods while leveraging free and open proxy infrastructures to hide and randomise the source of the attacks.

“These attacks target application layer protocols with the intention of disrupting services and can go undetected by traditional defense systems,” says Serianu in the advisory paper.

“Some of the common techniques include request floods, application vulnerability exploitation, application-specific attacks such as XML-RPC floods, and zero-day vulnerability exploits.”

How to prevent DDoS attacks

Cybercrime experts recommend verifying anti-DDoS configurations and ensuring that sites are protected, as well as ascertaining that the established network operations centre has the capacity to monitor the internet service provider (ISP) lines for abnormal traffic.

Other measures include scanning the website frequently for potential security loopholes and ensuring that all the necessary updates are installed to prevent possible attacks.
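The advisory describes floods that arrive from tens of thousands of unique source addresses, each sending only modest traffic, which is why a per-IP rate limiter can miss them. The script below is an added illustration (not code from the article, Serianu or any named organisation) of the kind of "abnormal traffic" check a network operations centre might run: it watches aggregate request rate and the count of distinct sources per window against a learned baseline. The traffic it analyses is constructed synthetic data using TEST-NET and private address ranges, and the thresholds are assumptions chosen for the demonstration.

```python
"""Sliding-window detector for distributed application-layer request floods.

Flags windows whose aggregate request rate AND unique-source count jump far above
a baseline learned from the first few windows, even when no single source ever
exceeds the per-IP limit a naive rate limiter would enforce.
"""
from collections import Counter, defaultdict

WINDOW = 10          # seconds per analysis window (assumed)
PER_IP_LIMIT = 20    # req/s at which a per-source limiter would block (assumed)
SPIKE_FACTOR = 5.0   # window is anomalous if rate/uniques exceed 5x baseline (assumed)


def make_sample_traffic():
    """Constructed synthetic events, not real data: list of (second, source_ip)."""
    events = []
    # 60 s of normal traffic: 40 regular clients (TEST-NET) at ~2 req/s each
    for t in range(60):
        for c in range(40):
            events.extend([(t, f"192.0.2.{c}")] * 2)
    # 30 s of flood: 3000 distinct proxy addresses, each only 1 req/s
    for t in range(60, 90):
        for b in range(3000):
            events.append((t, f"10.0.{b // 256}.{b % 256}"))
    return events


def window_stats(events):
    """Per window: (requests per second, unique sources, peak req/s of any single IP)."""
    totals, sources, per_ip_sec = Counter(), defaultdict(set), Counter()
    for t, ip in events:
        w = t // WINDOW
        totals[w] += 1
        sources[w].add(ip)
        per_ip_sec[(ip, t)] += 1
    peak = defaultdict(int)
    for (ip, t), n in per_ip_sec.items():
        peak[t // WINDOW] = max(peak[t // WINDOW], n)
    return {w: (totals[w] / WINDOW, len(sources[w]), peak[w]) for w in totals}


def detect(events, baseline_windows=3):
    """Return one alert dict per anomalous window, in time order."""
    stats = window_stats(events)
    base = sorted(stats)[:baseline_windows]
    base_rps = sum(stats[w][0] for w in base) / baseline_windows
    base_uniq = sum(stats[w][1] for w in base) / baseline_windows
    alerts = []
    for w in sorted(stats):
        rps, uniq, peak = stats[w]
        if rps > SPIKE_FACTOR * base_rps and uniq > SPIKE_FACTOR * base_uniq:
            alerts.append({"window": w, "rps": rps, "unique_sources": uniq,
                           "per_ip_limiter_triggered": peak > PER_IP_LIMIT})
    return alerts
```

In the constructed data the three flood windows are flagged by the aggregate check while `per_ip_limiter_triggered` stays false for every one of them, which is the gap the advisory's "undetected by traditional defense systems" remark points at.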
