US charges two Sudanese brothers over record 35,000 DDoS attacks

Federal prosecutors in the US have charged two Sudanese brothers with running a distributed denial of service (DDoS) botnet that carried out a record 35,000 DDoS attacks in a single year, including attacks in June 2023 that targeted Microsoft’s services.

The attacks, enabled by Anonymous Sudan’s “powerful DDoS tool,” targeted critical infrastructure, corporate networks and government agencies in the United States and around the world, according to the U.S. Department of Justice (DoJ).

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, were charged with one count of conspiracy to damage protected computers. Ahmed Salah was also charged with three counts of damaging protected computers.

If convicted on all counts, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool was said to have been disabled in March 2024, the same month the pair were arrested in an undisclosed country.

“Anonymous Sudan sought to cause maximum devastation and destruction against governments and companies around the world through tens of thousands of cyberattacks,” said U.S. Attorney Martin Estrada.

“This group’s attacks were callous and brazen – the defendants even went so far as to attack hospitals that provide emergency and urgent care to patients.”

Anonymous Sudan, tracked by Microsoft under the name Storm-1359, emerged in early 2023 and orchestrated a number of attacks against Swedish, Dutch, Australian and German organizations. Although it claimed to be a hacktivist group, the charges show that this was simply a cover for what it really was: a digital mercenary force.

“After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan carried out a series of DDoS attacks with apparent religious and Sudanese nationalist motives, including campaigns against Australian and northern European companies,” CrowdStrike said.

“The group was also a prominent participant in the annual hacktivist campaign #OpIsrael. During these campaigns, Anonymous Sudan also demonstrated a willingness to work with other hacktivist groups such as KillNet, SiegedSec and Türk Hack Team.”

Court documents allege that Anonymous Sudan actors and their customers used the group’s Distributed Cloud Attack Tool (DCAT) to launch and publicly claim thousands of destructive DDoS attacks, causing more than $10 million in damages to US victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to potential customers for $100 per day, $600 per week, and $1,700 per month. The service reportedly allowed up to 100 attacks per day.

The DCAT tool, marketed to the criminal underground as Godzilla, Skynet and InfraShutdown, was dismantled as part of a court-sanctioned seizure of its key components. These included servers used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

“These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort by international law enforcement agencies to dismantle the criminal DDoS-for-hire infrastructure worldwide and hold the administrators and users of these illegal services accountable,” the Justice Department said.

The development came as the Finnish Customs Office (also known as Tulli) disrupted the darknet marketplace Sipulitie, which specialized in selling drugs and had been active on the darknet since 2023. Sipulitie was a successor to Sipulimarket, which was shut down by law enforcement in 2020.

“The website, in Finnish and English, was used for criminal purposes, such as selling drugs under the cover of anonymity,” Tulli said. “The website administrator has said in public forums that Sipulitie’s turnover was 1.3 million euros.”

Elsewhere, Brazil’s Department of Federal Police (DPF) said it had arrested a hacker in connection with a series of cyberattacks that breached its systems and the systems of other international institutions.

The operation, codenamed Operation Data Breach, involved the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte on charges of disclosing sensitive data relating to 80,000 members of InfraGard, a joint effort between the US government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, was also accused of selling federal law enforcement data twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).
