2024-01-17

A hacktivist group calling itself Anonymous Sudan claimed credit last week for an apparently unsuccessful attack on the London Internet Exchange, or LINX, attributing the action to Britain's support of Israel. According to a tweet from OSINT research entity CyberKnow, LINX remained operational throughout, and the Anonymous Sudan group "provided less evidence than usual" for its claims.

The group said the prompt for the attack was the recent airstrikes conducted against Iranian-backed Houthi rebels in Yemen, who have used drones and missiles to attack shipping off the coast of that country. "We expected this to be too good of an opportunity for [Anonymous] Sudan not to try and market themselves," CyberKnow wrote.

Who is Anonymous Sudan?

Reports from cybersecurity companies indicate that Anonymous Sudan may not be a purely ideological anti-Zionist organization. One such report, from Cloudflare, said that the group has been linked to Killnet, a notorious pro-Russian hacking group. Anonymous Sudan has also been known to issue communications in Russian, and its attack infrastructure suggests that the group either originates from that country or is supported by its citizens.

The US Department of Health and Human Services' Office of Information Security describes KillNet as a hacktivist group that has been actively performing DDoS attacks against Ukraine and countries that support it since January 2022.

"Although KillNet's ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations including healthcare," the OIS report said.

The confusing nature of Anonymous Sudan's roots – and the murky nature of the most recent attack – is not a surprise, according to experts, who said that the entire hacktivism movement is riddled with misinformation and misdirection. Frank Dickson, group vice president for security and trust at IDC, said that even validating the attribution of some hacktivist activity can be difficult.

Attributing hacktivist attacks tough

"When you talk to the folks that are good at this, the first thing they'll tell you is that valid attribution is really tough," Dickson said. "Especially because DDoS is a volumetric attack. Could it have been this group? Sure. Could it have been anyone else? Absolutely."

Moreover, according to Professor Stuart Madnick of MIT, DDoS and other types of attacks used in hacktivism (most notably wiper attacks, where compromised systems are simply cleansed of all their data) are a "blunt weapon." They are often hard to track even with access to technical details about a given attack. "If you launch a missile, with the technologies and satellites we have today, we can pretty well tell where the missile was launched from," said Madnick. "If you launch a cyberattack, if you do a little bit of homework … no one knows where it came from."

In one case, Madnick recalled, a Russian cyber group compromised an Iranian facility and launched a cyberattack from there, meaning that the evidence pointed back to the Iranian government, not Russia. "If you think you know who the attack came from, most likely you're wrong," he said. "Because a really good attacker will leave all the evidence pointing in a different direction."

For the rank and file of businesses, staying secure means understanding their risk levels and maintaining defense in depth. "Because hacktivism has its roots in not just protecting yourself from a [cybersecurity] perspective, but from a geopolitical perspective as well, the first thing is just to be aware that someone is upset at you," said Dickson, noting that larger organizations, and those more intimately involved with national infrastructure, are more likely targets.

Defense in depth key to limiting damage from hacktivism attacks

Madnick said that many of the most damaging cyberattacks in recent years have been as severe as they were because of poor security architecture and misconfiguration – not necessarily because of the skill of the attackers. Defense in depth, ensuring that all systems are hardened against attack rather than relying on a single perimeter control, is key to limiting the damage from one system being compromised.

"We've done a number of studies of relatively sizeable cyberattacks," he said. "And the thing we found is that … in most cases, there's over a dozen things wrong," not just one or two.