Cybercrime , DDoS Protection , Fraud Management & Cybercrime

US Indicts Sudanese Brothers for Anonymous Sudan Attacks

FBI Disrupted DDoS Group in March
US Indicts Sudanese Brothers for Anonymous Sudan Attacks

Two Sudanese brothers are under criminal indictment in the United States for their role in distributed denial-of-service attacks launched against hundreds of targets under the moniker of Anonymous Sudan.

See Also: 2024 CISO Insights: Navigating the Cybersecurity Maelstrom

Federal prosecutors unsealed indictments against Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, who each face one count of conspiracy to damage protected computers.

Younger brother Ahmed Salah faces three additional counts of damaging protected computers. An FBI agent testified that Ahmed Salah was the real person behind the Anonymous Sudan persona of "WilfordCEO," who handled sales of its DDoS tool to private users.

Federal agents disclosed that they disrupted Anonymous Sudan in March. If convicted of all charges, Ahmed Salah could be imprisoned for life, while Alaa Salah would face a statutory maximum sentence of five years.

The indictments settle a long-standing mystery of whether the group truly operated from the east African country - or, as many suspected, was a façade for Russian state-aligned hacktivists (see: Expensive Proxies Underpin Anonymous Sudan DDoS Attacks).

"The group may share ideologies with, and sometimes appear to act in concert with, Killnet and similar hacktivist groups," FBI agent Elliott Peterson wrote in an affidavit - referring to pro-Kremlin, Russian-speaking DDoS groups that emerged around the time of Russia's February 2022 invasion of Ukraine. "My investigation to date has indicated that Anonymous Sudan is in fact led by Sudan-based individuals."

Among the group's targets was Cedars-Sinai Health Systems in Los Angeles in an attack lasting several days starting Feb. 16 that forced it to divert emergency patients for several hours. Anonymous Sudan also conducted weeks' worth of attacks in June 2023 against Microsoft that disrupted Azure and Microsoft 365 services. Employees of the computing giant told the FBI the attacks resulted in millions of dollars of losses (see: DDoS Attacks Culprit of Recent Azure, Microsoft 365 Outages).

The group emerged in January 2023 purportedly to carry out retaliation for a Quran-burning incident in Stockholm by a dual Danish-Swedish national far-right politician. Months later, a group member asserted: "We declare cyber war on the United States," calling the U.S. "our primary target."

The group said its attack on Cedars-Sinai was retaliation for Israeli fighting the Gaza strip, writing on Telegram, "Bomb our hospitals in Gaza, we shut down yours too, eye for eye."

Although it kept up a tempo of ideologically charged statements on its Telegram channels, the group also openly advertised financial motivations. It demanded $1 million from Microsoft to stop the DDoS attacks. In June 2023, it attempted to extort $3 million from Scandinavian Airlines to stop ongoing attacks.

Despite declaring "war" against the U.S., Anonymous Sudan targets were spread across the globe. In July 2023, it claimed responsibility for disrupting government services through DDoS attacks in Kenya in a protracted incident that also affected seven hospitals, the largest telecom company and a transport agency. In April, it took responsibility for disrupting an Israeli mobile app that provides real-time alert for missile attacks.

Major tech companies also have been targets, with the group causing an outage in August 2023 on social media platform X, formerly Twitter, posting on Telegram that owner Elon Musk should "Open Starlink in Sudan." In November, it disrupted OpenAI's ChatGPT service after an executive voiced militant support for Israeli forces in Gaza.

"From an outsider's perspective, it's not always clear how or why they chose targets," said Ian Gray, vice president of intelligence at Flashpoint, which has tracked Anonymous Sudan activities.

A July 2023 attack against PayPal helped lead to the Omer brothers' real identities. A company investigation identified accounts likely used by Anonymous Sudan actors, leading the FBI to obtain the email addresses associated with the accounts. The FBI said Ahmed Salah confessed to being WilfordCEO during a March 20 interview.

The group didn't use a traditional botnet composed of compromised routers or internet of things devices. Prosecutors said its tool - which went by the monikers of "Skynet," "Godzilla" and "InfraShutdown" - consisted of cloud-based servers that forwarded commands to an array of open proxy resolvers. Those resolvers can be used to create reflection attacks that amplify a small amount of internet traffic into an overwhelming load.

Highly public DDoS attacks may have served as advertising for a money-making proposition for the Omer brothers. FBI agent Peterson haggled with Ahmed Salah over the price of a week's worth of access to Skynet, testifying that Ahmed Salah as WilfordCEO initially wanted $700 but settled for $600 in cryptocurrency. The group's Telegram channel in February offered rates of $300 per day to launch up to 100 attacks of 2 terabytes. Another advertisement that month offered three weeks' worth of access for $2,000.

"Who wants our power that can down internet in entire countries today?" the group asked in a Telegram post.

Anonymous Sudan ultimately united disparate strands of cybercrime into a unique combination, Gray said. It adopted the iconography of Anonymous hacking collectives, but allied itself with Killnet. It waged ideological attacks, but offered targets the ability to buy their way out of its crosshairs. "Anonymous Sudan is a new class of cyber adversaries that's tough for us to put our finger on," he said.

Updated Oct. 16, 2024 23:36 UTC: This article has been updated throughout.


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.