Federal prosecutors in the U.S. have charged two Sudanese brothers with operating a DDoS-for-hire botnet responsible for carrying out a record 35,000 distributed denial-of-service (DDoS) attacks within a single year, including targeting Microsoft’s services in June 2023.
According to the U.S. Department of Justice (DoJ), the attacks were facilitated by Anonymous Sudan’s “powerful DDoS tool,” which was used to target critical infrastructure, corporate networks, and government agencies both in the U.S. and globally.
Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been indicted on one count of conspiracy to damage protected computers. Ahmed Salah additionally faces three counts of damaging protected computers. If convicted, Ahmed Salah could face a maximum sentence of life in federal prison, while Alaa Salah could be sentenced to up to five years. The DDoS tool was reportedly disabled in March 2024, the same month the brothers were arrested; the location of the arrests has not been disclosed.
“Anonymous Sudan aimed to cause widespread destruction and chaos by launching tens of thousands of cyberattacks against governments and businesses worldwide,” said U.S. Attorney Martin Estrada. “The defendants even targeted hospitals providing critical emergency care to patients.”
Anonymous Sudan, tracked by Microsoft under the name Storm-1359, emerged in early 2023 and carried out attacks on organizations in Sweden, the Netherlands, Australia, and Germany. While the group claimed to be a hacktivist organization, the indictment reveals it was actually a for-hire digital mercenary group.
CrowdStrike noted that after briefly joining a pro-Russian hacktivist campaign, Anonymous Sudan carried out a series of DDoS attacks with apparent religious and nationalist motivations, particularly targeting Australian and Northern European entities. The group also actively participated in the annual #OpIsrael hacktivist campaign and collaborated with other groups such as KillNet, SiegedSec, and the Türk Hack Team.
Court documents state that Anonymous Sudan and its customers used the group's Distributed Cloud Attack Tool (DCAT) to execute thousands of DDoS attacks, boasting about their activities online and causing over $10 million in damages to U.S. victims alone.
Amazon Web Services (AWS) indicated that DDoS services were offered to customers for $100 per day, $600 per week, or $1,700 per month, with the capability to launch up to 100 attacks daily.
Known under aliases like Godzilla, Skynet, and InfraShutdown in the criminal underground, the DCAT tool has been dismantled as part of a court-authorized operation. Authorities seized key components, including servers that initiated the attacks, relayed commands, and contained the source code for the DDoS tools used by the group.
The DoJ noted that this takedown was part of Operation PowerOFF, an international law enforcement effort aimed at dismantling DDoS-for-hire infrastructure and holding operators and users accountable.
In related news, Finland’s Customs office (Tulli) took down the Sipulitie darknet marketplace, a successor to Sipulimarket, which was shut down in 2020. The marketplace had been operational on the dark web since 2023, mainly facilitating the sale of drugs.
Meanwhile, Brazil’s Department of Federal Police (DPF) arrested a hacker connected to a series of cyberattacks, including breaches of its own systems and other international institutions. Dubbed Operation Data Breach, the investigation resulted in the arrest of a suspect in Belo Horizonte for allegedly leaking sensitive data from 80,000 members of InfraGard, a U.S. government partnership with critical infrastructure sectors. The hacker, known online as USDoD and EquationCorp, was also accused of selling data from the Federal Police, Airbus, and the U.S. Environmental Protection Agency (EPA).