Anonymous Sudan Unmasked as Leaders Face Life in Prison

Source: Firoze Edassery via Alamy Stock Photo

A federal grand jury has indicted two Sudanese nationals for their role in operating and controlling one of the most notorious hacktivist groups of recent years.

US officials allege that Ahmed Salah Yousif Omer — just 22 years old — and his brother Alaa Salah Yusuuf Omer, 27, were behind Anonymous Sudan (aka Storm-1359), a threat actor responsible for more than 35,000 distributed denial of service (DDoS) attacks worldwide since early 2023. In the US alone, it has clogged up websites belonging to major technology companies like Microsoft and Riot Games, the Cedars-Sinai Medical Center in Los Angeles — an event which caused an eight-hour disruption to patient care — and major government agencies like the FBI, State Department, Department of Defense, and Department of Justice (DoJ). It’s believed that these attacks have caused at least $10 million in damages.

For their roles in “operating and controlling” Anonymous Sudan, Ahmed and Alaa were each charged with one count of conspiracy to damage protected computers. Ahmed also earned three counts for damaging protected computers.

The elder brother faces a maximum sentence of five years in federal prison, should he be found guilty. The younger: life behind bars.

“It’s easy to be anonymous, and to hide yourself for a short period of time when visibility is limited,” says Adam Meyers, head of counter adversary operations with CrowdStrike, which contributed to the DoJ investigation. “But the longer that things go on, the more that you do, the harder it is to keep up that facade.”

The Latest in Operation PowerOFF

For years now, law enforcement authorities from the United States, United Kingdom, Germany, Poland, and the Netherlands have been collaborating as part of “Operation PowerOFF,” to shutter DDoS-for-hire operations worldwide. PowerOFF has earned some high-profile successes since, including the arrests of the admins behind Webstresser — then the world’s leading DDoS marketplace — back in 2018, a successful shutdown of 50 DDoS-for-hire platforms late in 2022, and another wave of “booter site” takedowns the following year. Then, early this year, authorities turned their sights on Anonymous Sudan.

Hacktivist groups, by their nature, are typically louder and easier to read than groups which put more emphasis on stealth and subtlety. “These guys were operating openly on Telegram. They were recruiting. They were talking about what they were up to. They were involved in things like #OpIsrael, and collaborating with groups like KillNet on some pro-Russia attacks. So they weren’t hiding in the shadows,” Meyers says.

Beyond that, he adds, “They did have some of what we would call OpSec issues, where they thought that they were being a little bit more discreet than they actually were.”

With help from the Big Pipes working group — a PowerOFF collaboration between law enforcement and private sector partners — authorities identified assets belonging to Anonymous Sudan, and insights into the brothers at the top of the pyramid. Then in March, US authorities obtained court-authorized warrants to seize the tooling and infrastructure belonging to Anonymous Sudan. The FBI shut up key components of the group’s sophisticated Distributed Cloud Attack Tool (DCAT) (aka Skynet, Godzilla, InfraShutdown), including the computer servers used to launch its attacks, those used to relay attack commands to its broader network of connected computers, and online accounts containing the group’s source code.

Not-So-Anonymous Sudan

During its approximately year-long reign of terror, Anonymous Sudan had been connected with and attributed to a variety of different groups and interests. Some researchers suggested that it was merely a front for the Russian hacktivist collective KillNet. Others went further, suggesting that the group is backed by the Russian state.

“That was a misconception that many folks believed and parroted, with little supporting evidence,” explains Chad Seaman, principal security researcher and team lead at Akamai SIRT, which also participates in PowerOFF through the Big Pipes working group. “Mostly this theory seemed to be rooted in their affiliation with KillNet, which as disclosed in the indictment details, seems to be more [borne of] an anti-west ideological alignment, and kind of turned into a marketing decision, in part aimed at driving business to their booter services they were selling at the time, due to KillNet’s notoriety at the time.”

There were some understandable reasons behind those connections: the scale of the operation, its sophistication, its apparent motives, etc. “Take into account their seemingly oddly aligned support of Russian hacktivist groups, being a new group that seemingly sprung up overnight, their ability to launch debilitating attacks, and an assumption that their operations were being paid for to the tune of hundreds of thousands of dollars a month in compute expenses, it’s an easy theory to rationalize,” he says.

However, he adds, “Attribution is often hard and messy work, and short of very compelling evidence to support such claims, it should always be eyed with a bit of suspicion until proof is provided. This isn’t the first time, and it won’t be the last, that we’ve seen theorized attribution fall victim to reality when more pieces of the puzzle fall into place.”

About the Author

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.