Since February, a mysterious hacker group calling itself Anonymous Sudan has targeted dozens of Swedish airports, hospitals and banks with distributed denial-of-service attacks, ostensibly in response to the burning of a Koran in front of the Turkish embassy in Stockholm earlier this year.
The so-called DDoS attacks, which push websites and services offline by overwhelming them with internet traffic, disrupted online programming at Sweden’s national public broadcaster and knocked out the websites of Scandinavian Airlines, state-owned power company Vattenfall, and defense firm Saab AB. Extensive media coverage has made the attacks — and Anonymous Sudan’s claims — a matter of public debate in Sweden.
The group behind this campaign claims to consist of hacktivists from the East African nation whose aim is to go after “anyone who opposes Islam.” But a closer inspection of Anonymous Sudan’s social media records — and data from the attacks — show that the group is neither Sudanese nor Islamist, according to Mattias Wåhlén, who led an investigation into the hacks for Truesec, one of Sweden’s biggest cybersecurity firms.
Instead, he said, Anonymous Sudan shows signs of being a well-organized unit of Russians with a nuanced knowledge of Swedish politics and social issues. Their apparent motivation is to craft attacks designed to amplify tensions with the country’s Muslim minority and pressure Turkey to stand firm in rejecting Sweden’s bid to join the North Atlantic Treaty Organization. If they were to succeed, it could make Sweden more vulnerable to future attacks.
Publicly available information on the group’s Telegram channel contained clues about its true origins, Wåhlén said. On its biography page, Anonymous Sudan listed its main language as Russian and its location as Russia, according to the Truesec report he authored. The group also aligned itself online with Killnet, a pro-Russia political hacking group that’s targeted organizations and countries opposed to the war in Ukraine. Furthermore, an official account belonging to the hacking collective Anonymous has denied any connection to the group, the report showed.
Another clue is that Anonymous Sudan appears to be well-funded. Instead of using networks of infected computers to launch attacks cheaply — the usual way hacktivist attacks are carried out — the group rented 61 servers in Germany from IBM Corp.’s SoftLayer division to conduct its operations, hiding them behind layers of anonymity, according to another Swedish cybersecurity firm, Baffin Bay Networks. Two weeks after the Anonymous Sudan attacks began, Baffin Bay said it worked with IBM to have the servers taken down.
“IBM works with industry partners and law enforcement agencies to identify and address malicious use of the IBM Cloud platform, as happened in this instance,” IBM said in a statement. “We appreciate Baffin Bay Networks’ partnership in this matter.”
Scandinavian Airlines did not return messages about its outages. SVT and Vattenfall confirmed their incidents. Saab declined to comment.
While Wåhlén and his team were unable to determine whether Anonymous Sudan consisted of Russian government employees or pro-Russia hackers working independently, Katarzyna Zysk, a professor of international relations at the Norwegian Institute for Defence Studies in Oslo, said the timing and organization of the attacks, the hackers’ knowledge of religious and political friction points in Sweden, and the attacks’ similarities to other Russian influence operations led her to conclude that the group was controlled or guided by Russia’s intelligence services.
“This strategy of creating chaos is one of the major means Russia has been using against Sweden” to complicate its NATO application, she said. “All these campaigns move in the same direction.”
Anonymous Sudan, for its part, has dismissed claims that it works on behalf of Russia. “We have nothing to do with Russia,” the group wrote on Telegram, after Truesec published a report in February outing the group. “We help them because they helped us before, and this is a way to give back.”
The Anonymous Sudan attacks demonstrate that suspected Russian hackers are finding new ways to meddle in the political processes of the country’s democratic opponents, according to Wåhlén and other security experts. As President Vladimir Putin’s war in Ukraine grinds into its second year, Russia’s hackers are growing increasingly active in advancing the country’s geopolitical interests, experts said.
Within just a few months, Anonymous Sudan has become one of the most prolific hacktivist groups on the internet and a vehicle for promoting a variety of Russian causes. While the group has launched attacks on countries including Denmark, France, Germany, India and Israel, experts believe its primary aim is to erode support for NATO expansion, which would strengthen northern Europe’s defense against Russian aggression.
After Russia invaded Ukraine last year, Sweden and close ally Finland abandoned their longstanding policy of abstaining from military alliances and decided to apply to join the organization together. All 30 existing members needed to agree, and from the beginning Turkey’s President Recep Tayyip Erdoğan said he wouldn’t support the move.
Erdoğan’s government has long been irked by the activities of a large and politically active Kurdish minority in Sweden, which includes individuals aligned with groups that Turkey considers terrorist.
Last June, Sweden, Finland and Turkey reached an agreement on measures to ensure a way forward. While Swedish leaders say they have since met all of Turkey’s requests, negotiations came to a halt in January after a far-right provocateur burned the Koran, which happened less than two weeks after Kurdish activists hung an effigy of Erdoğan from a lamppost near Stockholm’s City Hall.
The Koran burning occurred in a political context “that was already very sensitive,” said Diana Selck-Paulsson, a researcher with Orange Cyberdefense, a division of French telecom Orange S.A., in Malmö, Sweden. “And the cyber reaction of Anonymous Sudan, when looking at the timing and the pro-Russian character, feels quite calculated.”
To Wåhlén, who worked 35 years as an analyst in Sweden’s intelligence services before joining Truesec in 2020, the Russian hacking offensive “expertly exploited” political vulnerabilities — namely, Sweden’s need to be in “the good graces of Turkey” and the country’s struggles with assimilating thousands of Muslim refugees — “to make Sweden’s NATO campaign more difficult.”
According to SVT, Russian agents also took to the streets of European capitals in the wake of the Koran burning as part of an operation aimed at sowing discord between European nations and Turkey. Documents leaked to exiled Russian opposition activist Mikhail Khodorkovsky’s Dossier Center showed that Russia staged fake protests in cities such as Paris, where people claiming to be Ukrainians displayed anti-Turkish banners, burned a Turkish flag and posed for pictures with their arms raised in Nazi salutes.
While it’s impossible to know exactly how successful these Russian efforts have been, in April, Erdoğan instructed Turkey’s parliament to ratify Finland’s entry into NATO — leaving Sweden behind. Its prospects for joining the alliance remain uncertain.
Truesec was founded in 2005 by Marcus Murray, a former special operations ranger in the Swedish Navy, to protect Swedish organizations at a time when the biggest threats to computer networks were fast-spreading worms and viruses. But as hacking attacks evolved, Truesec grew in tandem, and the company now has 300 employees. Since Russia invaded Crimea in 2014, an act Stockholm denounced, experts say that the pace of cyberattacks, disinformation and military provocations emanating from Russia has increased dramatically. Russian operatives have used a variety of methods to try to manipulate public opinion in Sweden about Ukraine and a potential NATO bid, including publishing forgeries of Swedish government documents.
In the first week of May, as Sweden’s prime minister and other Nordic leaders met with Ukraine’s president in Finland to pledge continued support for Ukraine’s defense, a new round of attacks targeted Sweden’s police and tax agencies, as well as its financial supervisory authority. A pro-Russian group claimed responsibility for the attacks on social media.
“When we take measures, they regroup and return in new formations,” said the tax agency’s chief information officer, Peder Sjölander. “They are competent as well as persistent.”
While the cyber campaigns against Sweden still pale in comparison to those levelled at Ukraine and the Baltic states, Russian efforts to shape the international narrative about the Nordic country have become more obvious in recent years. Since the 2015 refugee crisis, which saw the country take in a large number of people fleeing war and poverty, Kremlin-controlled media outlets have sought to portray Sweden as a failing state rife with suburban riots, crime and terrorism in the wake of uncontrolled migration
“There were of course real problems,” said Mikael Tofvesson, operational head of the Swedish Psychological Defence Agency, which was established last year to counter influence operations targeting Sweden. “We did have a refugee crisis, and the Russians didn’t create the problems, but they amplified them,” he noted. “The general intent of the different narratives they were using was that you can’t trust the government.”