
Sudanese brothers accused of series of dangerous DDoS attacks


Newly unsealed grand jury documents have disclosed allegations that two Sudanese nationals attempted to carry out thousands of distributed denial of service (DDoS) attacks on systems globally. The documents suggest that these cyber activities were intended to inflict significant financial and technical damage on government bodies and companies, and in some instances, even physical harm.

The U.S. Department of Justice (DoJ) has unsealed charges against Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, resulting in federal grand jury indictments. The two individuals are allegedly responsible for more than 35,000 DDoS attacks against numerous organizations, websites, and networks as part of a “hacktivism” agenda linked to the cybercrime group Anonymous Sudan and a for-profit cyberattack service.

Despite Anonymous Sudan’s claims of being an activist group, the two individuals reportedly extorted some companies and entities by demanding ransoms of up to $1,700 per month.

The indicted individuals face charges for their involvement in these coordinated cyberattacks, including one count each of conspiracy to damage protected computers. Ahmed faces three additional counts of damaging protected computers and could face a statutory maximum sentence of life in federal prison, according to court records filed in the U.S. Central District Court of California in June.

The activities of the two individuals reportedly began in early 2023. The duo used a distributed cloud attack tool (DCAT) called “Skynet Botnet” to carry out destructive DDoS attacks and publicly took credit for them, as per a DoJ statement. Ahmed allegedly posted on Anonymous Sudan’s Telegram channel, warning of a significant attack on the United States, akin to a previous one on Israel.

The indictments list 145 “overt acts” targeting entities in the U.S., the European Union, Israel, Sudan, and the United Arab Emirates (UAE). The Skynet Botnet attacks aimed to disrupt airports, software networks, and companies, including Cloudflare, X, PayPal, and Microsoft. The attacks reportedly led to outages for Outlook and OneDrive last June. Additionally, state and federal government agencies, including the Federal Bureau of Investigation (FBI), the Pentagon, and the DoJ, were targeted, alongside hospitals such as Cedars-Sinai Hospital in Los Angeles, which experienced service slowdowns, causing patient redirection. The hospital attack has led to charges against Ahmed carrying potential life sentences.

Messaging through Telegram, Ahmed allegedly posted in February that the attacks were ongoing and made references to retaliatory actions against hospitals.

FBI special agents collected evidence of the illegal activities, including logs showing that the accused sold access to Skynet Botnet to over 100 customers for attacks on various victims. Companies like Cloudflare, CrowdStrike, DigitalOcean, Google, PayPal, and others cooperated with investigators.

Court records and an AWS statement indicate several Amazon Web Services (AWS) clients were victims of this hacking-for-hire scheme. AWS security teams collaborated with FBI cybercrime investigators to trace the attacks to numerous cloud-based servers predominantly located in the U.S. This helped the FBI conclude that the Skynet Botnet attacks originated from a DCAT instead of a typical botnet, forwarding DDoS attacks through cloud-based servers and open proxy resolvers.

One of the group’s most audacious and perilous attacks occurred in April 2023, targeting Israel’s rocket alert system, Red Alert. The DDoS attack attempted to compromise the Internet domains of the mobile app, which provides real-time updates for missile attacks and security threats. Ahmed allegedly claimed credit for these attacks on Telegram, alongside similar aggressions on Israeli utilities and the Jerusalem Post news website.

U.S. Attorney Martin Estrada stated, “This group’s attacks were callous and brazen — the defendants went so far as to attack hospitals providing emergency and urgent care to patients. My office is committed to safeguarding our nation’s infrastructure and the people who use it, and we will hold cybercriminals accountable for the grave harm they cause.”

Update as of October 16, 7:25 PM ET: This article has been updated to clarify that the targets of Anonymous Sudan were AWS clients, rather than AWS itself.
