Getty Images/Tetra images RF
DOJ charges alleged Anonymous Sudan ringleaders
Two Sudanese brothers are accused of leading the cybercriminal group that caused significant damage to healthcare organizations as well as other high-profile victims.
The U.S. Department of Justice indicted two Sudanese brothers allegedly behind Anonymous Sudan, a cybercriminal group known for conducting powerful DDoS attacks against governments, healthcare organizations and critical infrastructure.
On Wednesday, the DOJ unsealed the indictment against 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer, which included conspiracy to damage protected computer charges. The brothers are accused of running Anonymous Sudan, a cybercriminal group the DOJ says is responsible for "tens of thousands" of DDoS attacks against hospitals, companies and government agencies, including the DOJ and FBI.
Since emerging in 2023, the DOJ said Anonymous Sudan has launched more than 35,000 DDoS attacks. However, in March, authorities seized and disabled the Distributed Cloud attack tool the group used for attacks and allegedly sold as a service to other cybercriminals.
Anonymous Sudan victims range in sectors from critical infrastructure and government to major U.S. technology companies like Microsoft and Riot Games. Additional victim organizations include Hulu, CNN and Netflix.
"Anonymous Sudan's DDoS attacks, which at times lasted several days, caused damage to the victims' websites and networks, often rendering them inaccessible or inoperable, resulting in significant damages," DOJ wrote in the press release. "For example, Anonymous Sudan's DDoS attacks shuttered the emergency department at Cedars-Sinai Medical Center, causing incoming patients to be redirected to other medical facilities for approximately eight hours. Anonymous Sudan's attacks have caused more than $10 million in damages to U.S. victims."
The unsealed indictment expanded on the attack against L.A.-based Cedars-Sinai and attributed it to Ahmed Salah Yousif Omer. The indictment stated it affected patient medical examination, diagnosis, treatment and care. It accused Omer of "attempting to cause and knowingly and recklessly causing serious bodily injury or death."
Anonymous Sudan used Telegram, a cloud-based messaging and social media app, to publicly claim responsibility. The DOJ found a Telegram message where Omer allegedly claimed responsibility for any damage to Cedar-Sinai as well as "collateral damage."
Anonymous Sudan frequently used Telegram to post information on attacks as well as their DDoS tools and pricing. The DOJ said the some of the group's Telegram channels grew to include as many as 80,000 subscribers.
Telegram's founder and CEO Pavel Durov was recently arrested in France for allegedly facilitating cybercrime activities on the platform. The charges allege the platform was used for an array of illicit activities, including drug trafficking, money laundering, and the sale of malware and stolen data. Many cybercriminal groups use Telegram to promote their attacks, sell tools and services, and boost their reputations.
If convicted, Ahmed Salah faces a maximum life sentence and Alaa Salah faces a maximum five-year sentence.
'Anonymous Sudan is done'
CrowdStrike published a blog post on Tuesday stating it worked with the government agencies to disrupt Anonymous Sudan. The security vendor said the group was "unusual in nature" because it appeared to have political motivations while also targeting large technology companies. CrowdStrike also highlighted how the group sought attention, held religious stances and established alliances with Russian hacktivist groups.
Based on the unsealed indictment, CrowdStrike attributed a "desire for notoriety and attention" as the group's primary motives. CrowdStrike noted how frequently Anonymous Sudan used Telegram to interact with followers, respond to comments and share news articles on recent attacks.
"It is remarkable that just two individuals, with a relatively small investment of time and resources, were able to create and maintain a DDoS capability potent enough to disrupt major online services and websites," CrowdStrike wrote in the blog post. "Their success stemmed from a combination of factors: a custom-built attack infrastructure hosted on rented servers with high bandwidth, sophisticated techniques for bypassing DDoS mitigation services, and the ability to quickly identify and exploit vulnerable API endpoints that, when overwhelmed with requests, would render services inoperable and disrupt user access."
AWS also assisted law enforcement efforts against Anonymous Sudan, specifically with tracking and identifying the group's actual hosting infrastructure, which was hidden behind proxy servers or "proxy drivers." In a blog post on Wednesday, AWS referred to the group as "digital mercenaries" rather than hacktivists. "Anonymous Sudan offered DDoS attacks for $100 per day, $600 per week, and $1,700 per month, and it had plenty of customers," the cloud giant wrote.
Alexander Leslie, associate threat intelligence analyst at Recorded Future, said Anonymous Sudan has been inoperative since March following disruption actions by law enforcement. Leslie told TechTarget Editorial that all the group's social media accounts and messaging channels have been closed. As a result of the law enforcement actions, Leslie said the group lost its primary operators and leadership.
"Anonymous Sudan was a small group of operators that cannot properly function without those arrested," Leslie said. "We will likely observe short-term retaliatory action from other hacktivist groups aligned with Anonymous Sudan as well as former Anonymous Sudan collaborators scattering elsewhere. We may also see opportunistic actors attempt to impersonate the Anonymous Sudan brand to attract attention. I expect this activity to be limited in scope and scale, resulting in few noticeable impacts. As far as I'm concerned, Anonymous Sudan is done."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.