disrupted profile
type Hacktivism
threat_level Medium (historical)
status Disrupted
origin Sudan — pro-Russia alignment (assessed)
last_updated 2025-03-27

Anonymous Sudan

also known as: Storm-1359 (Microsoft tracking name); DCAT operators; Godzilla / Skynet / InfraShutdown (names also applied to the DCAT tool)

Two brothers from Sudan — Ahmed Salah Yousif Omer (22) and Alaa Salah Yusuuf Omer (27) — built one of the most disruptive DDoS operations in recent history using rented servers, high-bandwidth infrastructure, and a custom tool called DCAT (Distributed Cloud Attack Tool). Between January 2023 and March 2024, they executed 35,000+ DDoS attacks globally, taking down Microsoft Azure and Microsoft 365 services, forcing emergency patient diversions at Cedars-Sinai Medical Center for eight hours, knocking ChatGPT offline, and disrupting the US Department of Justice, Department of Defense, State Department, and FBI. In March 2024, the FBI seized and disabled DCAT; in October 2024, the indictments were unsealed. The group's alignment — presenting as Sudanese nationalists and Islamist hacktivists while coordinating with KillNet and targeting Western organizations — was a defining debate in the threat intelligence community.

attributed origin Sudan (confirmed) / Russia alignment (assessed)
identified operators Ahmed Salah Yousif Omer, Alaa Salah Yusuuf Omer
operational period January 2023 — March 2024 (DCAT seized)
primary motivation Financial / Ideological — DDoS-as-a-Service + hacktivism
confirmed attacks 35,000+ DDoS attacks
us damages $10M+ confirmed
law enforcement Indicted Oct 2024 (Operation PowerOFF)
target regions Global — US priority, Western nations
threat level Medium (infrastructure seized)

Overview

Anonymous Sudan emerged in mid-January 2023 on Telegram — initially as a Russian-language channel — claiming to conduct DDoS attacks against countries interfering in Sudanese politics. Within its first six months, the group launched 670 attacks according to Cyberint Research, rapidly establishing itself as one of the most prolific DDoS operations in the threat landscape. The group's stated ideology shifted between Sudanese nationalism, Islamist motivations, anti-Zionist positioning, and pro-Russia alignment — a combination that generated sustained debate among analysts over whether the group was genuinely ideologically driven, a front for Russian information operations, or a financially motivated extortion operation using ideology as cover.

The FBI's investigation, confirmed in the October 2024 indictment unsealing, concluded that Anonymous Sudan was led by Sudan-based individuals — specifically the brothers Ahmed and Alaa Salah — rather than being a Russian state operation. However, the group's documented coordination with KillNet, their targeting patterns consistent with pro-Russia disruption campaigns, their Telegram posts in Russian, and their involvement in the "Darknet Parliament" alongside KillNet and a purported REvil representative suggest ideological alignment with Russian interests regardless of operational origin. The US Attorney described this as a group that "sought to maximize havoc and destruction against governments and businesses around the world."

What distinguished Anonymous Sudan from typical hacktivist operations was the technical sophistication of DCAT. Rather than using a traditional botnet of compromised devices, DCAT leveraged open proxies and rented cloud infrastructure to generate high-volume Layer 7 (application-layer) attacks that bypassed standard DDoS mitigation services, which are tuned for network-layer floods from low-reputation botnet addresses. The tool was also offered commercially as a service to other criminal actors, generating revenue alongside the group's own attacks. Alaa Salah was responsible for DCAT's development and infrastructure; Ahmed Salah conducted the attacks and managed Telegram channels that peaked at roughly 80,000 subscribers. An FBI investigation of a PayPal account in July 2023 identified email addresses linked to the brothers, leading to their arrests in March 2024.

law enforcement action — march / october 2024

In March 2024, the FBI and US Attorney's Office obtained court-authorized warrants and seized the key components of DCAT: servers launching DDoS attacks, servers relaying attack commands, and accounts containing the source code. The brothers were arrested in March 2024 (country not disclosed; not in US custody). In October 2024, the grand jury indictment was unsealed, publicly identifying the operators for the first time. Ahmed Salah faces a maximum of life in federal prison; Alaa faces up to five years. The indictment was part of Operation PowerOFF — an ongoing international law enforcement coalition targeting DDoS-for-hire infrastructure — supported by Amazon, Akamai, Cloudflare, CrowdStrike, Google, Microsoft, PayPal, and others.

Target Profile

Anonymous Sudan's target selection was ideologically framed but operationally eclectic, mixing geopolitically motivated campaigns with financially motivated extortion against organizations with no obvious political connection to their stated causes.

  • Western government agencies: US federal agencies including the Department of Justice, Department of Defense, FBI, and State Department were targeted, framed as retaliation for US foreign policy positions. The indictment's specific counts against Ahmed Salah center on these government agency attacks.
  • Healthcare: US hospitals including Cedars-Sinai Medical Center in Los Angeles were targeted in the context of anti-Israel statements; the group posted "Bomb our hospitals in Gaza, we shut down yours too, eye for eye" before the February 2024 Cedars-Sinai attack that diverted emergency patients for eight hours. Ahmed Salah faces a potential life sentence because the Cedars-Sinai count charges damage to protected computers that knowingly or recklessly caused or attempted to cause death, a CFAA provision prosecutors said they believe had not been charged in a cyberattack case before.
  • Major technology platforms: Microsoft Outlook.com, OneDrive and the Azure Portal suffered several days of DDoS outages in early June 2023 that Microsoft attributed on June 16 to Storm-1359, its tracking name for the group. OpenAI's ChatGPT was targeted in December 2023 following a social media post by an OpenAI executive. Riot Games, Tinder, Lyft, PayPal and X (Twitter) were also targeted.
  • Scandinavian and European targets: Anonymous Sudan's first campaign, in February 2023, targeted Scandinavian Airlines after a Quran burning in Stockholm and escalated into extortion, with the group demanding payment to stop the DDoS attacks. The European Investment Bank was attacked in June 2023. UK universities (Cambridge and Manchester) were targeted in February 2024.
  • African and Middle Eastern governments: The Kenyan government was targeted in July 2023 in retaliation for Kenya's position in Sudan's civil war. In January and February 2024, the group claimed to have disrupted internet services in Chad and Djibouti over their relations with the Rapid Support Forces (RSF). Israeli infrastructure was targeted in November 2023.
  • Pro-Russia campaign targets: Anonymous Sudan participated in pro-Russia hacktivist campaigns coordinated with KillNet and Türk Hack Team, attacking organizations in countries supporting Ukraine. The joint "Darknet Parliament" statement in June 2023 threatened European banking infrastructure including SWIFT and SEPA systems.

Tactics, Techniques & Procedures

Anonymous Sudan's TTP set was dominated by a single primary capability — DDoS — executed with technical sophistication that went significantly beyond commodity attack tools. The group's ability to bypass enterprise DDoS mitigation services was its defining technical trait.

mitre id | technique | description
T1499.002 | Endpoint DoS: Service Exhaustion Flood | DCAT (Distributed Cloud Attack Tool), also referred to as Godzilla, Skynet and InfraShutdown, generated high-volume Layer 7 application-layer floods rather than network-layer packet floods, using open proxies and rented cloud infrastructure instead of a botnet of compromised devices. Microsoft documented two service-exhaustion methods: HTTPS floods distributing millions of requests across globally distributed source IPs, and Slowloris attacks holding connections open to exhaust the server's connection pool. Because the traffic was well-formed HTTPS from cloud and proxy addresses, network-layer (L3/L4) mitigation did not see it as an attack.
T1499.003 | Endpoint DoS: Application Exhaustion Flood | The third Microsoft-documented method, cache bypass, requested unique content on every request so the CDN could not serve from cache and every request reached the origin. CrowdStrike separately documented the group's ability to quickly identify API endpoints that became inoperable when overwhelmed; these were used against cloud services such as Microsoft Azure and OpenAI's ChatGPT, where individual API paths did not carry the same DDoS protection as the primary web endpoints. Each method targeted a different defensive layer, so organizations had to counter all three at once.
T1583.003 / T1583.004 | Acquire Infrastructure: Virtual Private Server / Server | DCAT used rented cloud servers and VPS instances rather than compromised endpoints. This reduced operational risk (no victim machines to trace back), allowed rapid scaling, and made traffic originate from IP ranges of legitimate hosting providers, including major platforms, defeating IP-reputation-based DDoS mitigation.
T1090.002 | Proxy: External Proxy (closest mapping) | Open proxies formed a core component of DCAT's attack network alongside rented cloud servers. Routing attack traffic through globally distributed open proxies further obscured the origin and spread the load across a far larger set of source addresses than the rented infrastructure alone.
T1657 | Financial Theft (extortion) | Anonymous Sudan paired DDoS with payment demands to cease attacks: $1 million from Microsoft and $3 million from Scandinavian Airlines (raised to $10 million in a second campaign). check-host.net availability results were posted as proof of disruption during Telegram negotiations with targets and clients.
T1583.005 | Acquire Infrastructure: Botnet (closest mapping, from the client's side) | DCAT was offered as DDoS-as-a-Service to other criminal actors via Telegram, with pricing and capability advertisements posted publicly. Indictment communications show the operators negotiating with clients; one message stated "I am carrying out an organized attack on the United States. We can target the airport." The DaaS model produced revenue alongside the group's own ideologically framed campaigns.
no ATT&CK mapping | Proof of impact via third-party monitoring | The group used check-host.net to verify and publicly demonstrate attack effectiveness in real time, posting availability results on Telegram to validate claims and maintain credibility with clients and followers. GitHub was used for code development; the group also attacked GitHub in January 2024.

Known Campaigns

Selected high-profile operations across the group's 14-month active period, illustrating the breadth of targeting and the evolution from ideological campaigns to commercially motivated extortion.

Scandinavian Airlines — Sustained Extortion Campaign 2023

The group's first major campaign, beginning in February 2023, targeted Scandinavian Airlines following a Quran-burning incident in Stockholm by a Danish-Swedish far-right politician — framed as a Valentine's Day attack on Sweden. The group conducted intermittent DDoS attacks causing repeated outages on the airline's booking and customer service infrastructure over several months. A second two-week campaign in May 2023 came with a $10 million ransom demand, with the group stating they were attacking "because they were bored." The sustained campaign against SAS established the group's extortion model and demonstrated their ability to maintain attack tempo over extended periods.

Microsoft Azure, Outlook, and OneDrive Outages 2023

Anonymous Sudan's highest-profile attack series. In early June 2023 the group conducted sustained Layer 7 DDoS attacks against Microsoft Outlook.com (from June 5), OneDrive (June 8) and the Azure Portal (June 9), causing multi-hour outages affecting users globally. Microsoft initially described the incidents in generic service-health language before confirming in a June 16 blog post that they were DDoS attacks by the actor it tracks as Storm-1359. The group simultaneously claimed to have stolen 30 million Microsoft account credentials, a claim Microsoft rejected after checking a sample. The group demanded $1 million to stop the attacks. Microsoft employees told the FBI the attacks caused millions of dollars in losses.

Darknet Parliament — European Banking Infrastructure Threat 2023

In June 2023, Anonymous Sudan coordinated with KillNet and a purported REvil representative in what they called a "Darknet Parliament" — announcing joint plans to target European banking infrastructure including SWIFT, SEPA, IBAN, WIRE, and WISE transfer systems. The European Investment Bank confirmed a DDoS attack on June 19, 2023, consistent with the announced timeline. While the threatened catastrophic banking disruption did not materialize at the scale claimed, the coordination between Anonymous Sudan, KillNet, and other pro-Russia groups provided the clearest evidence of ideological and operational alignment with the Russian hacktivist ecosystem.

X (Twitter) Outage — Starlink Pressure Campaign 2023

In August 2023, Anonymous Sudan disrupted X (formerly Twitter) in more than a dozen countries, posting on Telegram that Elon Musk should "Open Starlink in Sudan", using pressure on the platform's owner to demand communications infrastructure access during Sudan's civil war. The attack showed the group turning its DDoS capability to a directly Sudanese objective rather than the anti-Western or pro-Russia framing of most of its campaigns, consistent with the FBI's later finding that the operation was led from Sudan.

OpenAI ChatGPT Outage 2023

In December 2023, Anonymous Sudan targeted OpenAI's ChatGPT following a social media post by Tal Broda, an OpenAI leadership member, that the group characterized as dehumanizing Palestinians and advocating ethnic cleansing. The attack caused a ChatGPT service disruption, demonstrating the group's willingness to target AI platforms alongside traditional technology infrastructure — and its practice of publicly linking attacks to specific triggering statements to frame operations as political retaliation.

Cedars-Sinai Medical Center — Emergency Department Diversion 2024

The attack with the most direct patient safety consequences in Anonymous Sudan's operational history. Starting February 16, 2024, a multi-day DDoS attack on Cedars-Sinai Medical Center in Los Angeles forced the emergency department to divert incoming patients to other medical facilities for approximately eight hours. The group framed the attack as retaliation for Israeli military operations in Gaza. US Attorney Martin Estrada cited this attack specifically as evidence that the defendants "went so far as to attack hospitals providing emergency and urgent care to patients." Ahmed Salah's potential life sentence is tied directly to this attack: the count charges damage to protected computers that knowingly or recklessly caused or attempted to cause death, a CFAA provision prosecutors said they believe had not been charged in a cyberattack case before.

DCAT Seizure and Indictment Unsealing 2024

In March 2024, the US Attorney's Office and FBI executed court-authorized seizure warrants that disabled DCAT by seizing its launching servers, command relay servers, and source code repositories. The brothers were arrested in March 2024 (location not publicly disclosed). The group went silent — no confirmed operations after March 2024. In October 2024, the federal grand jury indictment was unsealed, publicly naming Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer for the first time. The operation was conducted under Operation PowerOFF with private sector support from Amazon, Akamai, Cloudflare, CrowdStrike, DigitalOcean, Flashpoint, Google, Microsoft, PayPal, and SpyCloud.

Tools & Malware

Anonymous Sudan's operational capability was almost entirely centered on a single custom-built tool — DCAT — rather than a broad malware ecosystem. The tool's sophistication came from its infrastructure model and attack variety rather than code complexity.

  • DCAT — Distributed Cloud Attack Tool (Godzilla / Skynet / InfraShutdown): The group's signature custom DDoS platform, developed by Alaa Salah. Used rented cloud servers and open proxies rather than compromised endpoints as its attack infrastructure. Generated Layer 7 application-layer attacks via three methods: HTTPS flood (millions of globally distributed requests overwhelming backend processing and memory), cache bypass (unique requests bypassing CDN caching forcing origin server processing), and Slowloris (persistent connection exhaustion). The tool included an API enabling client access for the DaaS offering. Source code and infrastructure were seized by the FBI in March 2024.
  • Skynet Botnet: An early version or component of the DCAT infrastructure, named in the FBI affidavit separately from DCAT. It routed attack traffic through open proxies. Amazon employees who examined Skynet Botnet attack data against Amazon customers supplied evidence cited in the criminal complaint.
  • Telegram channels: The group's primary command, control, and communications infrastructure — at peak reaching 80,000 subscribers. Used to announce attacks, post proof-of-disruption links from check-host.net, negotiate with extortion targets, advertise DaaS pricing, and coordinate with allied hacktivist groups. Messages were posted in Arabic, English, and Russian. Ahmed Salah managed these channels and was identified by FBI investigators through his alias WilfordCEO, which he confirmed during an FBI interview in March 2024.
  • check-host.net: A legitimate internet resource availability monitoring service that Anonymous Sudan used to verify and publicly demonstrate the success of DDoS attacks in real time — posting links as proof to Telegram followers and DaaS clients that targeted services were genuinely unreachable.

Indicators of Compromise

Given that Anonymous Sudan's primary attack type was DDoS, traditional host-based IOCs do not apply. Detection is primarily network-level, behavioral, and infrastructure-focused.

historical iocs — dcat infrastructure seized march 2024

DCAT's servers and source code were seized in March 2024. The specific infrastructure used for Anonymous Sudan's campaigns is no longer operational. These IOCs are provided for historical attribution reference and to characterize the attack signatures relevant to similar Layer 7 DDoS operations by successor or imitator groups.

indicators of compromise — attack signatures and behavioral patterns
attack type Layer 7 application-layer DDoS — targets web portals, APIs, and application endpoints
method HTTPS flood: millions of requests from globally distributed source IPs via open proxies
method Cache bypass: unique per-request parameters forcing origin server processing, defeating CDN
method Slowloris: persistent connection exhaustion depleting server connection pool
infra pattern Traffic originated from legitimate cloud hosting providers and open proxy ranges — not traditional botnet IPs
behavioral Attack claims posted to Telegram with check-host.net proof links within minutes of disruption onset
telemetry Targeted API endpoints specifically — services with unprotected or rate-unlimited API paths were priority targets
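The behavioral patterns above can be checked directly against web-server access logs. The following Python script is an added example, not part of this profile and not any vendor's tooling: it applies the three DCAT-style signatures (per-source request rate, cache-busting query-string cardinality, and connections the server had to time out) to constructed "combined"-format log lines and tags sources that fall inside a cloud-hosting range. The window, thresholds and the 203.0.113.0/24 "cloud" prefix (an RFC 5737 documentation range) are illustrative assumptions; the sample lines are constructed, not captured traffic.

```python
"""Added example: DCAT-style Layer 7 pattern detector over access-log lines.
All thresholds, ranges and sample data are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Nginx/Apache "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Stand-in for rented-cloud address space (assumption: in practice load the
# providers' published prefix lists).
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

WINDOW_SECONDS = 10           # sliding window for per-source request rate
MAX_REQ_PER_WINDOW = 20       # HTTPS-flood threshold (demo value)
MIN_REQS_FOR_RATIO = 10       # need a few requests before judging cache bypass
MAX_UNIQUE_QUERY_RATIO = 0.8  # unique query strings / requests, per source
MAX_408_PER_SOURCE = 5        # 408 Request Timeout = request never completed


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = urlsplit(rec["path"]).query
    rec["status"] = int(rec["status"])
    return rec


def is_cloud_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def peak_requests_in_window(records):
    """Largest request count from one source inside any WINDOW_SECONDS span
    (records must be sorted by time)."""
    peak, j = 0, 0
    for i, rec in enumerate(records):
        while (rec["time"] - records[j]["time"]).total_seconds() > WINDOW_SECONDS:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def analyse(lines):
    """Return {source_ip: [finding, ...]} for sources showing a DCAT-like pattern."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        flags = []
        # HTTPS flood: raw request rate from one source
        peak = peak_requests_in_window(recs)
        if peak > MAX_REQ_PER_WINDOW:
            flags.append(f"https_flood: {peak} requests in {WINDOW_SECONDS}s")
        # Cache bypass: nearly every request carries a never-seen query string
        if len(recs) >= MIN_REQS_FOR_RATIO:
            uniq = len({r["query"] for r in recs if r["query"]})
            if uniq / len(recs) > MAX_UNIQUE_QUERY_RATIO:
                flags.append(f"cache_bypass: {uniq}/{len(recs)} unique query strings")
        # Slowloris: the only access-log trace is the server timing requests out
        n408 = sum(1 for r in recs if r["status"] == 408)
        if n408 > MAX_408_PER_SOURCE:
            flags.append(f"slowloris: {n408} incomplete requests (HTTP 408)")
        if flags:
            if is_cloud_source(ip):
                flags.append("source in cloud-hosting range")
            findings[ip] = flags
    return findings


def constructed_sample():
    """Constructed log lines (not real traffic) exercising each pattern once."""
    tpl = ('{ip} - - [10/Feb/2024:12:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" '
           '{st} 512 "-" "Mozilla/5.0"')
    lines = []
    # Ordinary visitor: 5 cached page loads, one per minute
    for i in range(5):
        lines.append(tpl.format(ip="192.0.2.5", m=i, s=0, path="/index.html", st=200))
    # Cache-bypass HTTPS flood from a "cloud" range: 30 requests in 10 s,
    # each with a fresh cache-busting query string
    for i in range(30):
        lines.append(tpl.format(ip="203.0.113.7", m=0, s=i // 3,
                                path=f"/api/search?cb={i}", st=200))
    # Slowloris symptom: 8 connections held open until the server timed them out
    for i in range(8):
        lines.append(tpl.format(ip="198.51.100.9", m=0, s=i * 5, path="/", st=408))
    return lines


if __name__ == "__main__":
    for ip, flags in analyse(constructed_sample()).items():
        print(ip, "->", "; ".join(flags))
```

Run it as-is to see the constructed flood and Slowloris sources flagged while the ordinary visitor is not; to use it on real data, feed `analyse()` lines from the access log and replace `CLOUD_RANGES` with the hosting providers' published prefixes. Slowloris leaves almost no access-log trace beyond 408s, so the connection-level view (active-connection counts per source at the proxy or load balancer) is the stronger signal for that method.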

Mitigation & Defense

Anonymous Sudan's DCAT was specifically engineered to bypass standard DDoS mitigation. Defenses effective against commodity attack tools were less effective against DCAT's cloud-sourced, multi-method approach. The following controls reflect what worked and what did not.

  • Layer 7 DDoS protection — not just Layer 3/4: DCAT targeted the application layer, bypassing network-level volumetric defenses. Effective protection requires Web Application Firewall (WAF) solutions with behavioral analysis capable of distinguishing HTTPS flood traffic from legitimate users. Rate limiting at the application layer — not just network layer — is essential.
  • CDN cache behavior hardening: DCAT's cache bypass method exploited predictable CDN caching logic by generating requests with unique parameters that forced origin server processing. Configure CDN cache rules to aggressively cache content regardless of query string parameters for public-facing content, reducing the proportion of requests that reach origin servers during a cache bypass attack.
  • API rate limiting and endpoint hardening: CrowdStrike identified DCAT's exploitation of vulnerable API endpoints as a key success factor. Implement rate limiting on all public API endpoints. Endpoints without business justification for high-volume access should have strict per-IP and per-session request limits, with anomaly detection alerting on request volume spikes.
  • Slowloris connection timeout controls: Configure web servers to enforce aggressive connection timeout policies — dropping connections that have not completed their request within a defined window. Default timeout values on Apache, Nginx, and IIS are often too permissive for Slowloris resistance. Reverse proxy or load balancer layer timeouts provide an additional defense layer.
  • IP reputation and cloud provider range filtering: DCAT used rented cloud infrastructure, meaning attack traffic came from IP ranges belonging to legitimate cloud providers. While blocking entire cloud provider ranges is impractical for most services, behavioral analysis can identify anomalous request patterns from cloud IP ranges and apply targeted rate limiting.
  • DDoS response planning and upstream ISP coordination: Microsoft's eventual successful mitigation of DCAT attacks involved coordination with upstream providers. Organizations in sectors targeted by Anonymous Sudan should maintain pre-negotiated DDoS scrubbing arrangements with ISPs and CDN providers before an attack begins — reactive negotiation during an active multi-day DDoS campaign is significantly more difficult.
  • Telegram monitoring for pre-attack indicators: Anonymous Sudan consistently announced targets and posted proof links on Telegram. Threat intelligence teams monitoring pro-Russia and hacktivist Telegram channels often had advance warning of targeting — sometimes hours before attacks began. Integrating open-source Telegram threat intelligence into SOC workflows provides actionable early warning for this threat category.
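The cache-key, rate-limit and timeout controls in the list above translate into a small amount of reverse-proxy configuration. The fragment below is an added example for Nginx, not from this profile or from any of the vendors named in it: it places the permissive setting (commented) beside the hardened one for each of the three DCAT methods. The host name, upstream address, zone sizes, rates and timeouts are placeholders to be tuned against your own baseline.

```nginx
# Added example (http{} context). Placeholders: host, upstream, sizes, rates.
upstream origin_upstream { server 10.0.0.10:8080; }   # placeholder origin

# Per-source request-rate and concurrency budgets at the application layer.
limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# Origin-side cache for public content.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pubcache:50m inactive=10m;

server {
    listen 443 ssl;
    server_name www.example.com;   # placeholder

    # --- Slowloris ---
    # Nginx defaults give every idle connection about a minute
    # (client_header_timeout 60s; client_body_timeout 60s; send_timeout 60s;
    # keepalive_timeout 75s). Shorten them and cap concurrency per source.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    limit_conn conn_per_ip 20;

    # --- Cache bypass on public assets ---
    location /public/ {
        proxy_pass  http://origin_upstream;
        proxy_cache pubcache;
        # Weak (the default key): /public/app.js?cb=<random> misses every time,
        # so every request reaches the origin.
        # proxy_cache_key $scheme$proxy_host$request_uri;
        # Hardened: key on the path alone, so cache-busting query strings all
        # resolve to the same cached object. Only safe where the query string
        # does not change the response.
        proxy_cache_key $scheme$proxy_host$uri;
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_lock  on;   # one origin fetch per key; other requests wait
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        add_header X-Cache $upstream_cache_status;   # HIT/MISS for verification
    }

    # --- API endpoints: strict per-source limits instead of none ---
    location /api/ {
        limit_req zone=per_ip burst=20 nodelay;   # excess is rejected at once
        limit_req_status 429;
        proxy_pass http://origin_upstream;
    }
}
```

To verify the cache-key change, request the same `/public/` path repeatedly with different `?cb=` values and confirm the `X-Cache` header reports `HIT` after the first fetch; to verify the API limit, a burst of more than 20 requests in a second from one address should start returning 429. Keep the per-IP limits in mind when traffic legitimately arrives through a shared NAT or CDN edge: there the key should be the real client address passed in a trusted header, not `$binary_remote_addr`.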
analyst note

Anonymous Sudan's attribution debate — Sudanese nationalists, Russian front, or financially motivated extortionists — was never fully resolved and may not need to be. The FBI concluded that Sudan-based individuals led the operation; the ideological alignment with Russia was real regardless. As Flashpoint's Ian Gray observed, "Anonymous Sudan is a new class of cyber adversaries that's tough for us to put our finger on" — it united hacktivist iconography, KillNet partnerships, ideological campaigns, and DaaS commercial operations simultaneously. The Cedars-Sinai potential life-sentence charge for reckless endangerment represents a meaningful escalation in how US prosecutors characterize cyberattacks with physical harm potential — a precedent with implications for future ransomware and DDoS prosecutions where patient care disruption is provable. Radware has also suggested links between Anonymous Sudan and SN_BLACKMETA, which claimed responsibility for 2024 Internet Archive attacks — indicating potential continuation of related activity under a different identity.

— end of profile