October 17, 2024

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

Amazon was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm CrowdStrike said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.


11 thoughts on “Sudanese Brothers Arrested in ‘AnonSudan’ Takedown

  1. Web Designer

    We experience occasional extreme slowness in responses from our shared hosting server. Our host says it is not our server or other clients on our shared hosting, but nothing has changed on our websites, and they are low volume. Is it possible these or other actors have found a misconfigured web server and are using it to launch attacks?

    Reply
    1. bigp

      only your web host could answer that, but worth checking your logs for unusual traffic.

      Reply
    2. dels

      i highly doubt that youre being attacked. if you’re on shared webhosting, there can be a number of more likely explanations. i would recommend you use something like cloudflare if you inspect the traffic even further.

      Reply
  2. Justicehans

    Sim swap millionaires (as a spoiled child of a millionaire) and steal hundreds of millions in cryptocurrency? Daddy’s close with the judge, they’re regulars at the same golf course, 3 years in prison at most.
    Extort the largest companies for millions, full business shutdown for weeks? It’s okay, you were just a teenager doing teenage things, just tell the doctor the voices told you to do it, take some medication, and you’re out in a year.
    DDoS paypal for a couple days as a foreign national? Take down the public websites of a few hospitals and companies in middle of nowhere Africa (no affect on day-to-day service)? Life in prison.

    Mitigating L7 DDoS attacks is extremely easy. All of the victims, especially the emergency ones, should be charged with negligence. How incompetent can you be to have your services pulverized by two script kiddies with a couple EC2 instances?

    Justice is terrible.

    Reply
    1. Fiat Iustitia

      bro is doing tricks on it
      These people are human filth and your sense of justice means nothing.

      Reply
  3. Risk Cognizance

    The United States consistently leads the effort in combating criminal elements. This article highlights the ongoing success in taking down these criminal networks. Criminals show no respect for individual lives, and it’s critical that organizations take cybersecurity seriously. Implementing robust security measures and compliance programs is essential to staying protected.

    Reply
    1. bruh

      Using chatgpt to write a program that reads Brian’s articles, then responds to them using…. chatgpt.

      Reply
  4. Tony

    Not to question your reporting but it sounds like they sold attacks for as little as $100 per day if you could buy a week for $700…

    Reply
  5. Brian Fiori (AKA The Dean)

    A couple of Khartoum characters, I see. Sorry. I’ll go away now.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *