Alleged Anonymous Sudan leaders charged, prolific gang’s tool disabled

A federal grand jury unsealed an indictment Wednesday against two Sudanese brothers allegedly behind Anonymous Sudan, a cybercriminal outfit responsible for tens of thousands of attacks designed to knock websites and services offline. Authorities also unsealed a criminal complaint and announced they had disabled the group’s powerful tool for conducting attacks.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, face charges of one count of conspiracy to damage protected computers, with Ahmed  facing three counts of damaging protected computers as well. The indictment says the conspiracy involved “knowingly and recklessly” attempting to cause serious bodily harm and death after an attack on a prominent Los Angeles hospital crippled its website and web services, forcing the Cedars-Sinai Medical Center to send emergency room patients elsewhere for several hours.

Companies that aided the Justice Department in their pursuit of the men said it was remarkable how effective they were able to be with one of the more common kinds of cyberattacks, distributed denial of service (DDoS), where the attackers overwhelm a server with traffic to bring it down.

“It is remarkable that just two individuals, with a relatively small investment of time and resources, were able to create and maintain a DDoS capability potent enough to disrupt major online services and websites,” CrowdStrike wrote in a blog post.

Tom Scholl, Amazon Web Services vice president and distinguished engineer, said the company’s security team was “a bit surprised about how brazen they were, and by the ease with which they were impacting high profile targets.”

More prominent victims besides the hospital include tech firms including Cloudflare, Microsoft, PayPal, X, and Yahoo, with the gang also claiming attacks against the DOJ, FBI, State Department, transportation and education infrastructure, and governments in other parts of the world.

Anonymous Sudan employs a tool that it markets as the Godzilla Botnet, Skynet Botnet or InfraShutdown, and sells its services to criminals. In total, it has been used in 35,000 attacks since the gang began operations at the beginning of 2023, according to the complaint.

The brothers have reportedly been in custody since March after they were arrested abroad in an unnamed country, when the U.S. Attorney’s Office of the Central District of California and the Justice Department also seized and disabled their DDoS tool. 

“Their motivations, while often masked under religious or Sudanese nationalist sentiments, were primarily driven by a desire for notoriety and attention,” CrowdStrike said. Scholl said the group’s big attacks were a form of marketing its services — complete with rate cards and contact information — to others.

Anonymous Sudan’s name, according to the complaint, is an ode to the brothers’ home country. Experts have often maintained that Anonymous Sudan was a front group for the pro-Russia hacktivist collective Killnet, but the complaint disputes that, although it notes the “the group may share ideologies with, and sometimes appears to act in concert with, Killnet and similar hacktivist groups.”

CrowdStrike said Anonymous Sudan’s “success stemmed from a combination of factors: a custom-built attack infrastructure hosted on rented servers with high bandwidth, sophisticated techniques for bypassing DDoS mitigation services, and the ability to quickly identify and exploit vulnerable API endpoints that, when overwhelmed with requests, would render services inoperable and disrupt user access.”