US disrupts Anonymous Sudan DDoS operation, indicts 2 Sudanese brothers
The United States Department of Justice unsealed an indictment today against two Sudanese brothers suspected of being the operators of Anonymous Sudan, a notorious and dangerous hacktivist group known for conducting over 35,000 DDoS attacks in a year.
Since launching in 2023, Anonymous Sudan has been behind numerous high-profile DDoS attacks, causing widespread outages and preventing users worldwide from accessing targeted services. Judging from messages posted to its Telegram channels, many of its attacks were motivated by pro-Russian and pro-Palestinian causes.
These attacks impacted well-known companies and services, including tech giants like Cloudflare, Microsoft, and OpenAI, with the threat actors capable of overloading services and making them inaccessible.
Other attacks targeted government agencies and healthcare providers worldwide, including Cedars-Sinai Hospital in Los Angeles, where the attack disrupted systems and forced emergency services and patients to be diverted to other hospitals.

Anonymous Sudan indicted
Today, the Department of Justice unsealed an indictment against two Sudanese nationals named Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, for operating and controlling Anonymous Sudan.
While the group claimed to be targeting countries and organizations interfering with Sudanese politics, some researchers believed that to be a false flag and linked the group to Russia instead.
U.S. Attorney Martin Estrada told reporters in a press call that Anonymous Sudan was considered the most dangerous cyber group in terms of DDoS attacks and that the brothers were motivated by a Sudanese nationalist ideology.
Estrada said the brothers have been in custody since March, when Anonymous Sudan was disrupted and its infrastructure seized, but would not say which country arrested them. However, he did state that while they are not in US custody, they have been interviewed by the FBI.
"A federal grand jury indictment unsealed today charges two Sudanese nationals with operating and controlling Anonymous Sudan, an online cybercriminal group responsible for tens of thousands of Distributed Denial of Service (DDoS) attacks against critical infrastructure, corporate networks, and government agencies in the United States and around the world," announced the DOJ.
"In March 2024, pursuant to court-authorized seizure warrants, the U.S. Attorney's Office and FBI seized and disabled Anonymous Sudan's powerful DDoS tool, which the group allegedly used to perform DDoS attacks, and sold as a service to other criminal actors."
Unlike other groups that conduct DDoS attacks, Anonymous Sudan did not compromise devices to build a botnet. Instead, it used tools called the Skynet Botnet or DCAT, which relayed attack traffic through open proxies to overwhelm targeted servers.
"I have interviewed employees at Amazon who examined data associated with Skynet Botnet attacks against Amazon customers," FBI Special Agent Elliott Peterson explained in the criminal complaint.
"They determined that the attacks were being transmitted not from compromised victim devices, as would ordinarily be the case with a botnet, but from devices that were configured to automatically forward certain categories of Internet traffic."
"Also called 'Open Proxy Resolvers,' these 'auto-forwarding' devices comprise the public part of the Skynet Botnet, and they were often the only information a Skynet Botnet attack victim would see in their network data."
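As an added example (not from the article, the DOJ, or the FBI complaint), the following Python script shows how a defender reviewing web server logs might tell a proxy-relayed flood of this kind from a conventional botnet flood: the access-log excerpt and the open-proxy reputation set are constructed sample values, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Apache/Nginx combined-format prefix; only the source IP and request line matter here.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed access-log excerpt (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:14:00:01 +0000] "GET /api/search?q=a HTTP/1.1" 503 0
198.51.100.22 - - [10/Oct/2024:14:00:01 +0000] "GET /api/search?q=b HTTP/1.1" 503 0
203.0.113.7 - - [10/Oct/2024:14:00:01 +0000] "GET /api/search?q=c HTTP/1.1" 503 0
192.0.2.9 - - [10/Oct/2024:14:00:02 +0000] "GET /api/search?q=d HTTP/1.1" 503 0
198.51.100.22 - - [10/Oct/2024:14:00:02 +0000] "GET /api/search?q=e HTTP/1.1" 503 0
203.0.113.7 - - [10/Oct/2024:14:00:02 +0000] "GET /api/search?q=f HTTP/1.1" 503 0
192.0.2.55 - - [10/Oct/2024:14:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.22 - - [10/Oct/2024:14:00:03 +0000] "GET /api/search?q=g HTTP/1.1" 503 0
192.0.2.9 - - [10/Oct/2024:14:00:03 +0000] "GET /api/search?q=h HTTP/1.1" 503 0
203.0.113.7 - - [10/Oct/2024:14:00:03 +0000] "GET /api/search?q=i HTTP/1.1" 503 0
198.51.100.22 - - [10/Oct/2024:14:00:03 +0000] "GET /api/search?q=j HTTP/1.1" 503 0
192.0.2.9 - - [10/Oct/2024:14:00:04 +0000] "GET /api/search?q=k HTTP/1.1" 503 0
"""

# Constructed stand-in for an open-proxy reputation feed (hypothetical values).
OPEN_PROXIES = {"203.0.113.7", "198.51.100.22"}

def requests_per_source(log_text):
    """Count requests per source IP, skipping lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def classify_flood(counts, open_proxies, min_requests=3):
    """Sources at or above min_requests are treated as flood participants.
    If most of them are known open proxies, the flood is a relay attack: the
    logged IPs are forwarders, so blocking them stops traffic but does not
    identify the operator behind the proxies."""
    flood = {ip for ip, n in counts.items() if n >= min_requests}
    if not flood:
        return {"flood_sources": [], "proxy_share": 0.0, "verdict": "no flood detected"}
    via_proxy = flood & set(open_proxies)
    share = len(via_proxy) / len(flood)
    verdict = "open-proxy relay" if share >= 0.5 else "direct/botnet sources"
    return {"flood_sources": sorted(flood), "proxy_share": round(share, 3), "verdict": verdict}

if __name__ == "__main__":
    print(classify_flood(requests_per_source(SAMPLE_LOG), OPEN_PROXIES))
```

In production the reputation set would come from a maintained open-proxy feed and the per-source threshold from a baseline of normal traffic, not from a dozen sample lines.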
Peterson, who has been investigating Anonymous Sudan since 2023, has also been involved in other disruptions of DDoS operations as part of Operation PowerOff.
The two suspects now face charges of conspiracy to damage protected computers, and Ahmed Omer is also charged with three counts of damaging protected computers.
Ahmed Omer also faces a statutory maximum sentence of life in federal prison for reckless endangerment of life for the attack on Cedars-Sinai Hospital, which Estrada said may be the first time this statute has been charged in the US for a cyberattack.