Advertisement

Two Sudanese brothers accused of launching a dangerous series of DDoS attacks

The pair allegedly tried to hack dozens of hospitals, digital services, government agencies and Israel’s missile alert system.

US Department of Justice/US District Court for the Central District of California

Newly unsealed grand jury documents revealed that two Sudanese nationals allegedly attempted to launch thousands of distributed denial of services (DDoS) attacks on systems across the world. The documents allege that these hacks aimed to cause serious financial and technical harm to government entities and companies and even physical harm in some cases.

The US Department of Justice (DoJ) unsealed charges against Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer that resulted in federal grand jury indictments. The two are allegedly connected to more than 35,000 DDoS attacks against hundreds of organizations, websites and networks as part of a “hacktivism” scheme as part of the cybercrime group Anonymous Sudan and a for-profit cyberattack service.

Even though Anonymous Sudan claimed to be an activist group, the pair also held some companies and entity’s systems for ransom for rates as high as $1,700 per month.

Both face indictments for their role in the coordinated cyberattacks including one count each of conspiracy to damage protected computers. Ahmed also faces three additional counts of damaging protected computers and could receive a statutory maximum sentence of life in federal prison, according to court records filed last June in the US Central District Court of California.

The brothers’ activities date back to early 2023. The two used a distributed cloud attack tool (DCAT) referred to as “Skynet Botnet” in order to “conduct destructive DDoS attacks and publicly claim credit for them,” according to a DoJ statement. Ahmed posted a message on Anonymous Sudan’s Telegram channel, “The United States must be prepared, it will be a very big attack, like what we did in Israel, we will do in the United States ‘soon.’”

One of the indictments listed 145 “overt acts” on organizations and entities in the US, the European Union, Israel, Sudan and the United Arab Emirates (UAE). The Skynet Botnet attacks attempted to disrupt services and networks in airports, software networks and companies including Cloudflare, X, Paypal and Microsoft that caused outages for Outlook and OneDrive in June of last year. The attacks also targeted state and federal government agencies and websites including the Federal Bureau of Investigation (FBI), the Pentagon and the DoJ and even hospitals including one major attack on Cedars-Sinai Hospital in Los Angeles causing a slowdown of health care services as patients were diverted to other hospitals. The hospital attack led to the hacking charges against Ahmed that carry potential life sentences.

“3 hours+ and still holding,” Ahmed posted on Telegram in February, “they're trying desperately to fix it but to no avail Bomb our hospitals in Gaza, we shut down yours too, eye for eye...”

FBI special agents gathered evidence of the pair’s illegal activities including logs showing that they sold access to Skynet Botnet to more than 100 customers to carry out attacks against various victims who worked with investigators including Cloudflare, Crowdstrike, Digital Ocean, Google, PayPal and others.

Several Amazon Web Services (AWS) clients were among Anonymous Sudan’s victims as part of the hacking-for-hire scheme, according to court records and an AWS statement. AWS security teams worked with FBI cybercrime investigators to track the attacks back to “an array of cloud-based servers," many of which were based in the US. The discovery helped the FBI determine that the Skynet Botnet attacks were coming from a DCAT instead of a botnet that forwarded the DDoS to its victims through cloud-based servers and open proxy resolvers.

Perhaps the group’s most brazen and dangerous attack took place in April of 2023 that targeted Israel’s rocket alert system called Red Alert. The mobile app provides real time updates for missile attacks and security threats. The DDoS attacks attempted to infiltrate some of Red Alert’s Internet domains. Ahmed claimed responsibility for the Red Alert attacks on Telegram along with similar DDoS strikes on Israeli utilities and the Jerusalem Post news website.

“This group’s attacks were callous and brazen — the defendants went so far as to attack hospitals providing emergency and urgent care to patients,” US Attorney Martin Estrada said in a released statement. “My office is committed to safeguarding our nation’s infrastructure and the people who use it, and we will hold cyber criminals accountable for the grave harm they cause.”

Update, October 16, 7:25PM ET: This article was modified after publish to make clear that AWS clients, rather than AWS, were the target of Anonymous Sudan.