Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.

The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers.

If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month the pair were arrested in an unknown country.


"Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks," said U.S. attorney Martin Estrada.

"This group's attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients."

Anonymous Sudan, which is tracked by Microsoft under the name Storm-1359, emerged at the start of 2023, orchestrating a series of attacks against Swedish, Dutch, Australian, and German organizations. While it claimed to be a hacktivist group, the indictments show that this was a front: the group operated as a digital mercenary crew.

"After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan conducted a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and Northern European entities," CrowdStrike said.

"The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan also demonstrated a willingness to collaborate with other hacktivist groups like KillNet, SiegedSec and Türk Hack Team."

Court documents allege that the Anonymous Sudan actors and their customers used the group's Distributed Cloud Attack Tool (DCAT) to conduct thousands of destructive DDoS attacks and publicly claim credit for them, causing more than $10 million in damages to U.S. victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to prospective customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly permitted up to 100 attacks each day.

The DCAT tool, marketed in the criminal underground as Godzilla, Skynet, and InfraShutdown, has been dismantled as part of a court-authorized seizure of its key components, including servers that were used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

"These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructure worldwide, and holding accountable the administrators and users of these illegal services," the DoJ said.

The development comes as the Finnish Customs office (aka Tulli) disrupted the Sipulitie darknet marketplace (a successor to Sipulimarket, which was taken down by law enforcement in 2020), which specialized in the sale of drugs and had been operational on the dark web since 2023.


"The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity," Tulli said. "The website administrator has said on public forums that Sipulitie's turnover was 1.3 million euros."

Elsewhere, Brazil's Department of Federal Police (DPF) said it arrested a hacker in connection with a series of cyber attacks that breached its own systems and those belonging to other international institutions.

Codenamed Operation Data Breach, the effort saw the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte over allegations of leaking sensitive data associated with 80,000 members of InfraGard, a collaborative exercise between the U.S. government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, has also been accused of selling data from the Federal Police twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).

Update

Web infrastructure company Cloudflare, which is tracking Anonymous Sudan under the name LameDuck, said the threat group developed and managed a DDoS attack tool called Skynet Botnet that allowed it to conduct more than 35,000 attacks in the span of a year.

"LameDuck gained notoriety by amplifying their successful attacks against widely recognized organizations via social media, while also offering DDoS-for-hire services," it said in a report published on October 31, 2024. "Their operations have included not only successful large-scale DDoS attacks, but also DDoS extortion or ransom DDoS."
