Sudan’s Cyber War

Beneath the visible, physical fighting, another war is raging online.

In April 2023, conflict erupted again in Sudan, pitting the Sudanese armed forces against the Rapid Support Forces (RSF), a paramilitary group loyal to the deputy head of Sudan’s ruling council. By April 17, three days after things first escalated in Khartoum, more than 180 people had died and 1,800 were injured, and at the moment many more have been forced to move, some to hostile regions.

Most of the coverage of the conflict has focused almost exclusively on physical combat — necessarily so — but in addition to conventional military tactics, there’s an equally messy, more subtle, war in Sudan’s cyber and information space, one that was going on long before April.

SPYWARE, SURVEILLANCE, CENSORSHIP

Days after conflict sparked in Sudan, the Greek opposition party called out the ruling party for exporting Predator spyware to the country. The Greek government admitted a few days later that it had indeed granted an export license for the Predator spyware to Sudan. The admission corroborated, and removed all doubt about, investigations last December which reported that a plane linked to Cytrox, which created the Predator spyware, had landed in Khartoum and delivered the software to top members of the RSF. The RSF had, of course, denied this news back then. It’s not hard to guess how surveillance tech obtained by a paramilitary group with a record of war crimes and human rights abuses was used, but it’s harder to pinpoint what role this might have played in brewing the ongoing conflict, and how it might still be contributing to it now.

Sudan has a history of surveillance, censorship, and information manipulation. The government frequently blocks social media platforms and other websites to suppress dissent, and the opposition, the RSF, has been reported to carry out strategic attacks that cut off the internet and telecommunications.

In 2013, during the rule of the now-deposed Hassan Ahmad al-Bashir, the government opaquely passed laws that allowed the military to charge ordinary people and journalists under ambiguous charges of spreading false information.

In 2014, the website of the online news outlet Nuba Reports, which reported extensively on the war and conflict, was targeted with Distributed Denial of Service (DDoS) attacks. In 2016, the El Tareegwas newspaper also faced the same. DDoS attacks shut down communication systems, mostly websites, by swarming them with an overwhelming number of requests. The cyber jihadist unit, a pro-government digital surveillance unit, was also known to spy on online conversations.

In 2013, former President Omar al-Bashir — who had been in power since 1989 — quelled protests against rising fuel prices by cutting off the internet. In 2019, as nationwide protests calling for the removal of al-Bashir gathered steam, the government responded by shutting down social media platforms in the country, making it difficult for protesters to organize. After the coup that ousted al-Bashir in 2019, the military council also shut down the country’s internet as dissent started growing across the country.

Sudan has also struggled significantly with organized disinformation. In 2019, also during the protests that called for al-Bashir’s removal, the government partnered with the Wagner group to deploy propaganda and disinformation, among other things.

After the fall of al-Bashir, the new government and its opposition carried on the legacy of cyberattacks and information warfare. The government actively blocks websites, news coverage, social media, and sometimes the entire internet. Against this backdrop, cyberattacks and disinformation are also a common tactic for opposition groups and other actors seeking to challenge the government; the acquisition of the Predator spyware is one such example. In 2019, the RSF also organized an influence campaign to whitewash the reputation of its leaders. Opposition groups have focused on attempts to disrupt communications, steal sensitive information by purchasing spyware, and manipulate conversations online.

Since the ongoing conflict started, an account claiming to be the RSF paid for a blue check and falsely tweeted that the leader of the RSF, Mohamed Hamdan Dagalo (commonly referred to as “Hemedti”), had died. The tweet got almost a million views before it was taken down.

Researchers at Atlantic Council’s Digital Forensic Research Lab have also recorded “suspicious” inorganic traffic and engagements around content produced by the RSF account and that of its leader. The internet has also been unstable over the past weeks as the conflict rages.

RESISTANCE AND THE MEDIA

Against this backdrop, Sudan has a resilient press and media industry. When it comes to the internet and digital communication, however, the relationship between Sudan’s government, the media, and its citizens is complex and often fraught. In delicate governance systems like Sudan’s, disinformation can have a deadly price, but the government has abused the need to protect the information ecosystem by using it as an excuse to clamp down on the free press.

“There’s a habit of not paying attention to the cyberwarfare of conflicts until months after the physical conflict,” said Nate Allen, the cyber-operations lead of the Africa Center for Strategic Studies. “And cyber warfare also transcends the hard timing of the actual conflict.”

Allen draws a parallel with Russia’s invasion of Ukraine, where cyberattacks and disinformation campaigns occurred long before the actual invasion, and with the use of internet blackouts in Ethiopia to prevent communication and cut off the international community.

THE CONSEQUENCES OF CYBER ATTACKS

Often, like in physical combat, ordinary citizens suffer the effects of cyberwarfare more than the conflicting parties. They are shut off from communicating with their communities and loved ones in moments when it’s needed most. They’re also the primary targets of mostly paranoid surveillance.

“The potential consequences of cyber-attacks in Sudan are significant. Not only could they further destabilize the already tenuous security situation in the country, but they could also contribute to the escalation of violence and prolong the conflict,” said Allen.

Sudan has a relatively weak cybersecurity infrastructure compared to other countries, which makes it more vulnerable to cyberattacks. This could make it easier for hackers to exploit vulnerabilities in government or opposition systems.

There is also a risk that foreign governments or other actors could attempt to interfere in Sudan’s conflict by carrying out cyberattacks or spreading disinformation online. This could further complicate the situation and prolong the conflict. Already, the UAE has targeted the country with influence campaigns and the RSF is known for its ties with the Russian Wagner group.

Tangentially, Anonymous Sudan is a notorious hacking group claiming to be Sudanese that researchers suspect is part of a Russian information campaign. This group has recently carried out religiously motivated attacks in Israel, against a backdrop of similar attacks in Sweden, Denmark, and France. This same group, however, isn’t saying or doing anything concerning the conflict in Sudan. Borders, locales, identities, and true motives are murky in the cyber sphere and can be easily exploited by foreign entities.

As the world watches the situation in Sudan closely, it’s clear that the battle for control of the digital sphere has become an increasingly important part of modern conflict. Whether the government or opposition groups will gain the upper hand in this new front remains to be seen, but one thing is certain: the use of cyber warfare in Sudan’s latest conflict is a worrying development that could have far-reaching consequences.