Federal prosecutors in the US have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that carried out a record 35,000 DDoS attacks in one year, including those that focused on Microsoft services in June 2023.
Attacks facilitated by Anonymous Sudan’s “powerful DDoS tool” have targeted critical infrastructure, corporate networks and government agencies in the United States and around the world, the US Department of Justice (DoJ) said.
Ahmed Salah Yusuf Omer, 22, and Alaa Salah Yusuf Omer, 27, were charged with conspiracy to damage protected computers. Ahmed Salah is also charged with three counts of damaging protected computers.
If convicted on all charges, Ahmed Salah faces a maximum sentence in federal prison, while Alaa Salah faces a maximum sentence of up to five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month that Steam arrested from an unknown country.
“Anonymous Sudan has sought to maximize the chaos and destruction of governments and businesses around the world by launching tens of thousands of cyberattacks,” said US Attorney Martin Estrada.
“The attacks by this group were callous and brazen – the accused went so far as to attack hospitals that provide emergency and immediate care to patients.”
Anonymous Sudan, tracked by Microsoft under the name Storm-1359, emerged in early 2023, organized by a number of Swedish, Dutch, Australian and German organizations. Although the group claimed to be hacktivist, the indictments show that this was merely a front for a digital mercenary group.
“After initially joining a brief pro-Russian hacking campaign, Anonymous Sudan launched a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and northern European organizations,” CrowdStrike said.
“The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan has also shown a willingness to cooperate with other hacktivist groups such as KillNet, SiegedSec and Türk Hack Team.”
Court documents allege that Anonymous Sudan actors and their clients used the group’s Distributed Cloud Attack Tool (DCAT) to launch thousands of devastating DDoS attacks and publicly claimed credit for them, causing more than $10 million in damages to victims in the US alone.
According to Amazon Web Services (AWS), DDoS services were offered to potential customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly allowed up to 100 attacks each day.
The DCAT tool, sold in the criminal underground as Godzilla, Skynet and InfraShutdown, was dismantled in a court-ordered seizure of its key components, including servers used to launch DDoS attacks, servers that relayed attack commands to a wider network of attackers' computers, and accounts containing the source code of the DDoS tools used by the group.
“These actions of law enforcement agencies were carried out within the framework of Operation PowerOFF, the continued coordinated efforts of international law enforcement agencies to dismantle the criminal DDoS-for-hire infrastructure around the world and bring to justice the administrators and users of these illegal services,” the Department of Justice said.
This came after Finnish Customs (aka Tulli) cracked down on darknet marketplace Sipulitie — the successor to Sipulimarket, which was taken down by law enforcement in 2020 — which specialized in drug sales and had been operating on the dark web since 2023.
“The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity,” Tulli said. “The site administrator stated on public forums that Sipulitie’s turnover was 1.3 million euros.”
Elsewhere, the Brazilian Federal Police Department (DPF) said it arrested a hacker in connection with a series of cyberattacks that compromised its own systems and those belonging to other international organizations.
The operation, code-named “Data Breach,” involved the execution of a search and seizure warrant and a preventive arrest warrant against a defendant in the city of Belo Horizonte on charges of leaking confidential data involving 80,000 members of InfraGard, a joint exercise of the US government and critical infrastructure sectors.
An unnamed man who went by the names USDoD and EquationCorp was also accused of selling data to the Federal Police twice, on May 22, 2020 and on February 22, 2022, as well as leaking data from Airbus and the US Environmental Protection Agency (EPA).