Two Sudanese men accused of being the brains behind the hacktivist group known as Anonymous Sudan have been arrested by the US government, leaving the once flourishing DDoS operation in shambles.
The US Department of Justice (DoJ) announced it has charged the two twenty-something Sudanese nationals with operating and controlling Anonymous Sudan’s “powerful DDoS tool,” which the FBI seized and disabled in early March.
Although security researchers have often claimed the international cybercriminal group was neither anonymous nor Sudanese, the federal indictment unsealed on Wednesday now indicates otherwise, at least as to the Sudanese part.
Infamous for its relentless distributed denial-of-service attacks – which in 2023 took down services and websites belonging to Microsoft, the French government, SAS Airlines, UPS, Israel’s Prime Minister Benjamin Netanyahu, and the Mossad spy agency, for hours if not days on end (just to name a few) – Anonymous Sudan looks as if it has finally met its end.
The online threat actors are said to be responsible for tens of thousands of cyberattacks against critical infrastructure, corporate networks, and government agencies, including high-profile NATO targets, in the United States and around the world, as well as selling their DDoS services to other criminal actors.
The group’s seemingly random, intermittent attacks have resulted in reported network outages affecting thousands of customers worldwide, the DoJ said. Victims in the US alone have suffered more than $10 million in losses.
Anonymous Sudan had often claimed its attacks were in response to the US government's support of Ukraine, as well as US Secretary of State Antony Blinken's “interference” in Sudanese affairs, which last year included US sanctions against Sudan's military and other entities.
Anonymous Sudan is also known to support the work of other pro-Russian hacking groups, Killnet and Usersec – all well-known for their anti-Ukraine, anti-Israel, anti-NATO, and anti-Western doctrine.
“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks,” said United States Attorney Martin Estrada.
“This group’s attacks were callous and brazen – the defendants went so far as to attack hospitals providing emergency and urgent care to patients,” Estrada said.
Operation PowerOFF
According to the DoJ, the two suspects, 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer, face one count of conspiracy to damage protected computers, while the younger Salah faces three counts of damaging protected computers.
If convicted, Ahmed Salah could spend life in federal prison while Alaa Salah could be sentenced up to five years.
The Operation PowerOFF investigation, carried out in coordination through law enforcement and private sector partnerships, uncovered the group’s Distributed Cloud Attack Tool (DCAT) which it had been using since early 2023 to conduct its attacks.
In the past twelve months, officials say the Anonymous Sudan DCAT tool was used to launch over 35,000 DDoS attacks, which included targeting at least 70 computers in the greater Los Angeles area.
The group’s long list of targeted victims further includes the US Department of Justice, the US Department of Defense, the FBI, the US State Department, Cedars-Sinai Medical Center in Los Angeles, Riot Games, and government websites for the state of Alabama, the indictment revealed.
Anonymous Sudan servers and the DCAT tool – which has been called various names by the gang such as “Godzilla,” “Skynet,” and “InfraShutdown” – as well as accounts containing the tool’s source code, were seized as the result of FBI court-ordered warrants.
Akamai SIRT, Amazon Web Services, Cloudflare, CrowdStrike, DigitalOcean, Flashpoint, Google, Microsoft, PayPal, SpyCloud, and other private sector entities are said to have assisted the US government in the investigation.
Signature method of attack
Anonymous Sudan began making waves in the hacktivist world in January 2023. It favors the use of distributed denial-of-service attacks, or DDoS attacks, which flood a target’s website or server, from many sources at once, with more requests than it can handle, knocking the services offline.
It's a fairly simple yet effective type of attack that can be executed from anywhere in the world using a network of automated bots. It can also be triggered by the threat actors at any time they choose.
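As an added illustration of the mechanism described above (this is example code written for this page, not code from the article, the indictment, or the group's own tool), the script below reads web-server access-log lines and counts requests per source address and in aggregate over a sliding time window, the basic shape of a volumetric-flood detector. The log lines, IP addresses, window size and thresholds are all constructed for the example. It also shows why a per-source rate limit alone is not enough: a distributed flood in which every bot stays under the per-source threshold still shows up only in the aggregate count.

```python
"""Sliding-window request-flood detection over access-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def detect_floods(lines, window=10, per_source_limit=50, aggregate_limit=200):
    """Count requests per source and overall inside a sliding `window` (seconds).

    Lines must be in time order (as a real access log is). Returns (flagged, aggregate_peak):
      flagged: {ip: peak requests from that ip inside any window} for ips that exceeded per_source_limit
      aggregate_peak: highest number of requests from all sources inside any window; compare it
                      against aggregate_limit to catch a distributed flood of low-rate sources
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of its requests still inside the window
    recent = deque()              # timestamps of all requests still inside the window
    flagged = {}
    aggregate_peak = 0
    span = timedelta(seconds=window)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip unparseable lines rather than crash mid-incident
        ip, ts, _, _ = parsed
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > span:
            q.popleft()
        if len(q) > per_source_limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
        recent.append(ts)
        while ts - recent[0] > span:
            recent.popleft()
        aggregate_peak = max(aggregate_peak, len(recent))
    return flagged, aggregate_peak


def make_sample_log():
    """Constructed sample log: light background traffic, one single-source flood (120 requests
    in 5 s from 203.0.113.7) and a distributed burst of 40 bots sending 10 requests each in 5 s."""
    t0 = datetime(2023, 6, 5, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'

    entries = []
    for i in range(24):                                   # background: 3 clients, 1 req / 5 s
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            entries.append((t0 + timedelta(seconds=5 * i), ip))
    for i in range(120):                                  # single-source flood at t0+30 s
        entries.append((t0 + timedelta(seconds=30, milliseconds=40 * i), "203.0.113.7"))
    for b in range(40):                                   # distributed burst at t0+80 s
        for i in range(10):
            entries.append((t0 + timedelta(seconds=80, milliseconds=500 * i + 10 * b),
                            f"192.0.2.{b + 1}"))
    entries.sort()
    return [fmt(ip, ts) for ts, ip in entries]


if __name__ == "__main__":
    flagged, peak = detect_floods(make_sample_log())
    print("per-source offenders:", flagged)               # only 203.0.113.7
    print("aggregate peak in window:", peak)              # > 200 although every bot sent only 10
```

The distributed burst never appears in `flagged`, because each of the 40 bots sends 10 requests, well under the 50-request per-source limit; only the aggregate count reveals it. That is the reason production mitigations combine per-source limits with total-rate and upstream (CDN or scrubbing) thresholds rather than relying on per-IP blocking alone.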
Anonymous Sudan would often target its victims for a set period of time – typically in two-hour stints – to demonstrate that it could keep the target's website offline at will, though without causing any permanent damage.
For example, Anonymous Sudan’s DDoS attacks shuttered the emergency department at Cedars-Sinai Medical Center, causing incoming patients to be redirected to other medical facilities for approximately eight hours, the DoJ indictment said.
The group would commonly screenshot its alleged handiwork to show off on Telegram, using campaign hashtags and random emojis, sometimes publicly taunting its victims, as in the case of Microsoft Outlook and other Office services, when the group intermittently attacked Microsoft's servers for nearly a week in June 2023.
"Think about it, if a company as big as Microsoft cannot defend itself from a small Sudanese group with very slow internet speeds, how can you ever trust such a company?" Anonymous Sudan posted to followers on Telegram during its attacks on the tech conglomerate.
At other times Anonymous Sudan would blast a target over the course of several months, even if only for their own amusement.
In another example, the group relentlessly targeted Scandinavian Airlines (SAS) with intermittent outages for months starting in February 2023, over the burning of a Quran in Sweden that year.
The first attack on SAS was claimed as part of a coordinated Valentine's Day campaign against the Swedes, while a second, two-week-long campaign launched that May came complete with a $10M ransom demand, all because Anonymous Sudan said it was "bored."
Leading up to the Microsoft attacks, which garnered worldwide attention for the group, Anonymous Sudan posted claims of successful attacks on US companies Lyft, Tinder, and several US hospitals, including Cedars.
Security experts had long suspected that Anonymous Sudan may ultimately have been a front for Russian-backed hackers.
“The FBI’s seizure of this powerful DDoS tool successfully disabled the attack platform that caused widespread damage and disruptions to critical infrastructure and networks around the world,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office, which led the investigation.
“With the FBI’s mix of unique authorities, capabilities, and partnerships, there is no limit to our reach when it comes to combating all forms of cybercrime and defending global cybersecurity,” Day said.