Thursday, October 17, 2024
Sudanese Brothers Allegedly Launched Series of Dangerous DDoS Attacks

Newly unsealed grand jury documents have disclosed allegations against two Sudanese nationals, suspected of attempting to carry out extensive distributed denial of service (DDoS) attacks on various systems worldwide. These documents suggest that the attacks were designed to inflict significant financial and technical damage to government organizations and companies, and in some instances, were intended to cause physical harm.

The US Department of Justice (DoJ) has brought charges against Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, leading to federal grand jury indictments. These individuals are accused of being involved in over 35,000 DDoS attacks targeting numerous organizations, websites, and networks as part of a "hacktivism" operation associated with the cybercrime group Anonymous Sudan and a profit-oriented cyberattack service.

Although Anonymous Sudan claimed to operate as an activist group, the accused allegedly held company systems hostage for ransom, demanding payments as high as $1,700 per month.

Both individuals face indictments for their roles in orchestrating these cyberattacks, including one count each of conspiracy to damage protected computers. Additionally, Ahmed is charged with three counts of damaging protected computers and could face a maximum statutory penalty of life imprisonment, based on court filings from June in the US Central District Court of California.

The illicit activities of the brothers reportedly began in early 2023, during which they employed a distributed cloud attack tool called the "Skynet Botnet" to conduct and claim responsibility for destructive DDoS attacks. Ahmed is reported to have posted a threatening message on Anonymous Sudan’s Telegram channel, warning of an imminent large-scale attack on the United States similar to previous attacks on Israel.

One of the indictments specifies 145 "overt acts" against organizations and entities in the United States, European Union, Israel, Sudan, and the United Arab Emirates. The Skynet Botnet attacks aimed to disrupt services in airports, software networks, and companies such as Cloudflare, X, PayPal, and Microsoft, resulting in outages for Outlook and OneDrive in June of the previous year. The attacks also targeted several state and federal government agencies, including the Federal Bureau of Investigation (FBI), the Pentagon, and the DoJ, as well as hospitals, notably causing service slowdowns at Cedars-Sinai Hospital in Los Angeles.

Ahmed reportedly boasted in February about the effectiveness of one attack on Telegram, declaring, "3 hours+ and still holding," and insinuating retaliation, "Bomb our hospitals in Gaza, we shut down yours too, eye for eye…"

FBI special agents gathered evidence of illegal activities, including logs showing that Skynet Botnet access was sold to more than 100 customers targeting various victims who cooperated with investigators. This included companies such as Cloudflare, Crowdstrike, Digital Ocean, Google, and PayPal, among others.

Court records indicate that clients of Amazon Web Services (AWS) also fell victim to Anonymous Sudan’s hacking-for-hire scheme. AWS security teams collaborated with FBI cybercrime investigators to trace the attacks to "an array of cloud-based servers," predominantly located in the US. This investigation revealed that the Skynet Botnet attacks were executed using a distributed cloud attack tool, rather than a botnet, which directed the DDoS attacks through cloud-based servers and open proxy resolvers.

Among the group’s most audacious attacks was an operation in April 2023 targeting Israel’s Red Alert rocket warning system, which provides real-time updates for missile threats. The attacks aimed to breach some of Red Alert’s internet domains. Ahmed reportedly claimed responsibility for these strikes on Telegram, along with similar DDoS attacks on Israeli utilities and the Jerusalem Post’s website.

US Attorney Martin Estrada emphasized the severity of these cybercrimes, stating, "This group’s attacks were callous and brazen — the defendants went so far as to attack hospitals providing emergency and urgent care to patients." He affirmed the commitment of his office to protecting vital national infrastructure and holding cybercriminals accountable for their damaging activities.

[Update, October 16, 7:25 PM ET]: The information in this article was revised post-publication to specify that AWS clients, rather than AWS itself, were the targets of Anonymous Sudan.
