US disrupts Anonymous Sudan DDoS operation, indicts 2 Sudanese brothers

The United States Department of Justice unsealed an indictment today against two Sudanese brothers suspected of being the operators of Anonymous Sudan, a notorious and dangerous hacktivist group known for conducting over 35,000 DDoS attacks in a year.

Since launching in 2023, Anonymous Sudan has been behind numerous high-profile DDoS attacks, causing widespread outages and the inability for users worldwide to access targeted services. Many of their attacks have been motivated by pro-Russian and pro-Palestinian causes from messages posted to their Telegram channels.

These attacks impacted well-known companies and services, including tech giants like Cloudflare, Microsoft, and OpenAI, with the threat actors capable of overloading services and making them inaccessible.

Other attacks targeted government agencies worldwide and healthcare, including Cedars-Sinai Hospital in Los Angeles, where the attack disrupted systems and caused emergency services and patients to be diverted to other hospitals.

Anonymous Sudan indicted

Today, the Department of Justice unsealed an indictment against two Sudanese nationals named Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, for operating and controlling Anonymous Sudan.

While the group claimed to be targeting countries and organizations interfering with Sudanese politics, some researchers believed that to be a false flag and linked the group to Russia instead.

U.S. Attorney Martin Estrada told reporters in a press call that Anonymous Sudan was considered the most dangerous cyber group in terms of DDoS attacks and that the brothers were motivated by a Sudanese nationalist ideology.

Estrada said the brothers have been in custody since March when Anonymous Sudan was disrupted and infrastructure seized, but would not share what country arrested the two. However, he did state that while they are not in US custody, they have been interviewed by the FBI.

“A federal grand jury indictment unsealed today charges two Sudanese nationals with operating and controlling Anonymous Sudan, an online cybercriminal group responsible for tens of thousands of Distributed Denial of Service (DDoS) attacks against critical infrastructure, corporate networks, and government agencies in the United States and around the world,” announced the DOJ.

“In March 2024, pursuant to court-authorized seizure warrants, the U.S. Attorney’s Office and FBI seized and disabled Anonymous Sudan’s powerful DDoS tool, which the group allegedly used to perform DDoS attacks, and sold as a service to other criminal actors.”

Unlike other groups that conduct DDoS attacks, Anonymous Sudan did not compromise devices to use as part of their attacks. Instead, they utilized tools called the Skynet Botnet or DCAT that used open proxies to overwhelm targeted servers.

“I have interviewed employees at Amazon who examined data associated with Skynet Botnet attacks against Amazon customers,” FBI Special Agent Elliott Peterson explained in the criminal complaint.

“They determined that the attacks were being transmitted not from compromised victim devices, as would ordinarily be the case with a botnet, but from devices that were configured to automatically forward certain categories of Internet traffic.”

“Also called “Open Proxy Resolvers,” these “auto-forwarding” devices comprise the public part of the Skynet Botnet, and they were often the only information a Skynet Botnet attack victim would see in their network data.”

Peterson, who has been investigating Anonymous Sudan since 2023, has also been involved in other disruptions of DDoS operations as part of Operation PowerOff.

The two suspects now face charges of conspiracy to damage protected computers, and Ahmed Omer is also charged with three counts of damaging protected computers.

Ahmed Omer also faces a statutory maximum sentence of life in federal prison for reckless endangerment of life for their attack on Cedars-Sinai Hospital, which Estrada said may be the first time this statute was charged in the US for a cyberattack.