The websites of nine hospitals in Denmark went offline on Sunday evening following distributed-denial-of-service (DDoS) attacks from a group calling itself Anonymous Sudan.
Copenhagen’s health authority said on Twitter that although the websites for the hospitals were down, medical care at the facilities was unaffected by the attacks. It later added the sites were back online after “a couple of hours.”
Anonymous Sudan claimed on Telegram the attacks were “due to Quran burnings,” a reference to an incident in Stockholm in which the holy book was set alight in front of the Turkish embassy by Rasmus Paludan, a dual Danish-Swedish national described as a “far-right politician and anti-Islam provocateur” by the Guardian.
The group is not an authentic part of the anonymous movement but “most likely created as part of a Russian information operation to harm and complicate Sweden’s NATO application,” according to a report published last week by Swedish cybersecurity company Truesec.
In its threat intelligence report, Truesec noted the “Anonymous Sudan” account on Telegram has its user location listed as Russia. Unusually for a hacktivist group, the group’s DDoS traffic was not generated by an illegal botnet but from “a cluster of 61 paid servers hosted at IBM/Softlayer in Germany,” said the report, with the traffic “routed through open proxies to disguise the real origin of the attacks.”
While the use of paid infrastructure suggests the group receives some kind of financing, it is not evidence that the attacks are government-sponsored. However, Truesec said it reveals “that the operation has been carefully organized by someone willing to pay for it, not a spontaneous action by activists.”
The servers were taken down following the Truesec report, prompting the Anonymous Sudan account on Telegram to rail against the company’s founder Marcus Murray as a “Swedish idiot.” The group later posted that it had started using botnets and would begin to recommend them to its followers.
In a response to messages in Arabic criticizing the targeting of hospitals, the group’s Telegram account wrote: “If you think that patients have nothing to do with burning the Quran, then you are idiot.”
While the grammatically incorrect use of the phrase “you are idiot” might suggest the author is not a native English speaker, neither Arabic nor Russian use the indefinite article “an,” so the error does not contribute to the assessment that the group is based in Russia.
Anonymous Sudan previously claimed to be behind an attack on Scandinavian Airlines earlier this month, as well as an attack on national public television broadcaster SVT.
Sandra Barouta Elvin, a national security officer at Microsoft in Sweden, told the Swedish daily newspaper Aftonbladet that the responses to the Quran burning — both in terms of the media-coverage given to the incident by Russian media, and the potentially paid-for “activist” responses — indicated that preparations had been made for a retaliation to the Quran burning before it took place.
Article Link: Danish hospitals hit by cyberattack from ‘Anonymous Sudan’ - The Record from Recorded Future News