The U.S. Department of Justice has indicted two Sudanese nationals, Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, for their roles in operating Anonymous Sudan, a cybercriminal group responsible for launching numerous distributed denial of service (DDoS) attacks on various global institutions.
The group’s activities even targeted critical websites, including Kenya’s eCitizen platform.
Criminal Charges for Anonymous Sudan’s DDoS Attacks
Ahmed Salah faces charges of conspiracy and damaging protected computers, while Alaa Salah is charged with conspiracy to damage protected computers. If convicted, Ahmed could face life in prison, and Alaa could face up to five years in federal prison.
The indictment against the brothers details their control of Anonymous Sudan, an operation notorious for deploying DDoS attacks against government agencies, hospitals, and corporate networks worldwide. These attacks overwhelmed websites with massive volumes of requests, disrupting services for hours or even days.
U.S. Attorney Comments on Anonymous Sudan
U.S. Attorney Martin Estrada condemned the Anonymous Sudan DDoS attacks, stating, “This group’s attacks were callous and brazen — the defendants went so far as to attack hospitals providing emergency and urgent care to patients.”
Estrada further emphasized the group’s deliberate efforts to cause widespread damage, targeting both private and public sectors. Among the victims were high-profile institutions, including the Department of Justice (DOJ), the FBI, and the U.S. Department of Defense.
Impact of Anonymous Sudan’s Cyberattacks
Anonymous Sudan’s DDoS attacks significantly disrupted critical services, with the Justice Department noting that the attacks rendered websites inaccessible, causing financial and operational damages.
As earlier stated, the notorious group had taken responsibility for distributed denial of service (DDoS) attacks on various critical websites in Kenya.
These included the eCitizen platform, a digital portal that serves as a centralized hub for accessing government services and information, as well as Safaricom and M-Pesa application services and several digital banking systems.
The motive behind these attacks was linked to President William Ruto’s call for the deployment of peacekeepers to Sudan, a nation with a largely Muslim population, to intervene in the ongoing conflict between the Sudanese army and the paramilitary Rapid Support Forces (RSF).
Anonymous Sudan also claimed to be conducting cyber strikes in Africa on behalf of oppressed Muslims worldwide.
According to the DOJ, the Anonymous Sudan DDoS attacks caused over $10 million in damages to U.S. entities alone.
FBI Seizes Anonymous Sudan’s DDoS Tool “Godzilla”
In a March operation, the FBI disabled Anonymous Sudan’s Distributed Cloud Attack Tool (DCAT), also referred to as “Godzilla.” This tool was allegedly used to execute over 35,000 DDoS attacks, including 70 against systems in Los Angeles.
The FBI’s seizure of the servers behind these attacks was part of Operation PowerOFF, a broader initiative involving law enforcement and tech giants like Amazon, Cloudflare, and Microsoft. These companies played a critical role in the investigation, with Amazon helping to remove malicious infrastructure used by Anonymous Sudan.
Anonymous Sudan offered its DDoS attack services to criminal entities at a rate of $100 per day, $600 per week, or $1,700 per month. Researchers at Amazon reported that the group’s DDoS-for-hire model attracted numerous clients, including other criminal groups.
Amazon stated, “Criminal groups and other bad actors purchase services from groups like Anonymous Sudan to shut down websites or infrastructure systems.”
A Complex and Potent Attack Operation
CrowdStrike, another cybersecurity firm involved in the investigation, noted that Anonymous Sudan operated with sophisticated techniques, using rented high-bandwidth servers and custom-built attack infrastructure to bypass DDoS mitigation systems.
The firm highlighted the group’s ability to exploit vulnerable API endpoints, which allowed them to disrupt services effectively.
CrowdStrike also observed that Anonymous Sudan often collaborated with pro-Russian DDoS groups like Killnet and SiegedSec, leading some to speculate that the group was aligned with Russian interests. However, it appears that Anonymous Sudan acted independently, driven by financial motives.
The indictment and the broader investigation into Anonymous Sudan’s DDoS attacks showcase the growing threat posed by cybercriminal organizations and their ability to disrupt critical infrastructure with minimal resources.