The US has charged two Sudanese brothers with orchestrating over 35,000 DDoS attacks that tried to disrupt access to various internet services, including ones run by Microsoft, PayPal and Riot Games.
The suspects, 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer, allegedly ran Anonymous Sudan, a cybercriminal group notorious for launching DDoS attacks across the globe since at least January 2023.
On Wednesday, US prosecutors revealed they had seized and shut down the group's DDoS attack tool back in March using a court-authorized warrant. In the same month, law enforcement arrested the brothers abroad, US attorney for the Central District of California Martin Estrada told reporters.
The duo allegedly created the DDoS attack tool, dubbed "Godzilla Botnet" and "Skynet Botnet," to lease it out to other hackers, who'd in return pay a fee. According to an FBI affidavit submitted to the court, the tool attracted more than 100 customers.
The attacks were powerful enough to sometimes knock websites offline for hours. Anonymous Sudan would also use its account on the chat app Telegram to make demands following each disruption. For example, the group targeted OpenAI in November 2023, "and warned of persistent DDoS attacks unless OpenAI modified its chatbot's behavior and dismissed its head of research," the FBI affidavit says.
In some cases, the DDoS attacks also targeted government agencies, including the Department of Defense, the State Department and the FBI. In addition, the assaults went after hospitals including Cedars-Sinai Medical Center in Los Angeles, "causing incoming patients to be redirected to other medical facilities for approximately eight hours." Federal investigators estimate the cyber attacks led to more than $10 million in damages to US victims.
DDoS attacks work by flooding a website or app with more traffic than it can handle, forcing it offline. Despite the "botnet" branding of its tool, Anonymous Sudan did not rely on a botnet, or an army of infected computers, to generate that traffic. Instead, US investigators determined the group was harnessing a cluster of rented cloud servers, many of them based in the US, to launch the attacks.
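The distinction in that paragraph matters to defenders: a flood launched from a handful of rented servers shows up in logs as a few sources each sending an enormous request rate, while a classic botnet spreads the same volume over thousands of low-rate sources. The script below is an added example, written for this page and not code from the article, the FBI or any of the victims, that triages a web server's access log along exactly that axis. It assumes Apache/Nginx "combined" log format and illustrative thresholds (20 requests per source and 100 requests total per 10-second window); the sample log lines are constructed inline and use RFC 5737 documentation addresses rather than any real infrastructure.

```python
"""Triage a web access log for a volumetric flood and profile its sources.

Added example, not from the original article. Sample data is constructed
below; thresholds are illustrative assumptions and should be tuned per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format: client IP, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def busiest_window(lines, window_seconds=10):
    """Bucket requests into fixed windows; return (window_start, Counter of ip -> requests) for the busiest one."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole analysis
        ip, ts = parsed
        start = ts.timestamp() // window_seconds * window_seconds
        buckets[start][ip] += 1
    if not buckets:
        return None, Counter()
    start, counts = max(buckets.items(), key=lambda kv: sum(kv[1].values()))
    return datetime.fromtimestamp(start, tz=timezone.utc), counts


def flood_profile(counts, per_ip_threshold, total_threshold):
    """Classify one window's per-source counts.

    'normal'       : total volume under the flood threshold
    'concentrated' : >= 80% of the flood comes from sources above per_ip_threshold
                     (a few heavy senders, the pattern a rented-server cluster leaves)
    'distributed'  : flood volume spread over sources that individually stay below
                     per_ip_threshold (the pattern of a botnet of infected hosts)
    """
    total = sum(counts.values())
    heavy = {ip: n for ip, n in counts.items() if n >= per_ip_threshold}
    heavy_share = sum(heavy.values()) / total if total else 0.0
    if total < total_threshold:
        verdict = "normal"
    elif heavy_share >= 0.8:
        verdict = "concentrated"
    else:
        verdict = "distributed"
    return {
        "total": total,
        "heavy_sources": heavy,
        "heavy_share": round(heavy_share, 2),
        "verdict": verdict,
    }


def make_sample_log():
    """Constructed sample: three heavy sources hammer /login while ten clients browse normally.

    Addresses are from the RFC 5737 documentation ranges (assumption: not real hosts).
    """
    base = datetime(2024, 10, 16, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(40):  # 40 requests per attacking source inside 8 seconds
        for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
            lines.append(entry(ip, i % 8, "/login"))
    for i in range(10):  # one request each from ordinary visitors
        lines.append(entry(f"192.0.2.{i + 1}", i))
    return lines


if __name__ == "__main__":
    start, counts = busiest_window(make_sample_log(), window_seconds=10)
    profile = flood_profile(counts, per_ip_threshold=20, total_threshold=100)
    print(f"busiest window starts {start.isoformat()}: {profile['total']} requests")
    print(f"verdict={profile['verdict']} heavy_share={profile['heavy_share']}")
    for ip, n in sorted(profile["heavy_sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} requests")
```

On the constructed sample the busiest window holds 130 requests, 120 of them from three sources, so the verdict is "concentrated": the handful of heavy senders is exactly what a rate limit or an upstream block list can act on, whereas a "distributed" verdict says per-source limits will not help and scrubbing or anycast capacity is needed. Treat the verdict as triage, not attribution; an operator can rotate rented addresses or front them with proxies, which pushes the profile toward "distributed" without changing who is behind it.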
To investigate the group, the FBI used an undercover agent to rent access to Anonymous Sudan's DDoS tool, which helped it uncover the servers used to launch the attacks. In addition, "PayPal identified certain accounts on its platform that it believed were likely used by Anonymous Sudan actors," according to the FBI affidavits.
This led federal investigators to nab Ahmed Salah by matching his internet activity to IP addresses associated with Anonymous Sudan operations. A search warrant was also used to access his email accounts, which confirmed that "he often visited the website of victims of Anonymous Sudan either immediately preceding an attack, during an attack, or both," according to the affidavit.
The younger brother, Ahmed Salah, now faces the prospect of life in prison if convicted of all charges, which include three counts of damaging protected computers and one count of conspiracy to damage protected computers. Meanwhile, the older brother could face up to five years in prison, since he was charged with only one count of conspiracy to damage protected computers. It's unclear which country is currently holding the two suspects.