This latest breach was through Zendesk, a customer service platform that the organization uses.

Source: Postmodern Studio via Alamy Stock Photo

Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

Unknown bad actors have allegedly claimed access tokens to the archive's Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive's platform.

The email began as follows:

"It's dispiriting to see that even after being made aware of the breach two weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their GitLab secrets," the hacker stated. “As demonstrated by this message, this includes a Zendesk token with perm\[ission\]s to access 800K+ support tickets sent to \[email protected\] since 2018." 

The email continued, "Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else."

Though it can’t be said for certain, Chris Hickman, chief security officer (CSO) of Keyfactor, said the hacker may not have serious malicious intent, but instead wants to prove a point: that those in charge of the Internet Archive must be more proactive in protecting its network from those who would do much worse.

"This is a security oversight as tokens that are not rotated regularly have longer lifespans, increasing the window of opportunity for attackers to steal and misuse them," Hickman wrote in an emailed statement to Dark Reading. "If a token is not rotated correctly, it might expire, leading to authentication failures for legitimate users. If a malicious actor obtains an unrotated token, they could use it to gain unauthorized access to systems or services, leading to service disruptions and customer frustration, damaging a company's reputation and bottom line."

The organization hasn't made any public comments regarding the latest breach, but it did request donations last week to help support its endeavors of promoting open access to knowledge resources.

Internet Archive Gets Pummeled in Round 2 Breach

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk…

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk API tokens. The organization faces reputational damage and risks to user data.

The Internet Archive, a non-profit organization founded by Brewster Kahle to preserve the Internet’s history, has been experiencing a series of cyberattacks throughout October 2024. It all started on October 9th with a dual attack: a data breach and a Distributed Denial-of-Service (DDoS) attack, which were **promptly reported by Hackread.com**.

The attack was revealed with a message displayed on the Internet Archive’s website (archive.org), with the hackers themselves, taunting the organization’s security vulnerabilities and announcing the stolen data on a website called “Have I Been Pwned?” (HIBP). 

Reportedly, the hackers exploited a GitLab token, compromising the Archive’s source code and stealing user data from 31 million accounts. This exposed sensitive information, including Bcrypt-hashed passwords and email addresses.

A Pro-Palestinian group SN\_BlackMeta launched another DDoS attack around the same time, temporarily knocking the site offline, including the Wayback Machine, which collects snapshots of hundreds of billions of web pages. While these attacks coincided, they were likely conducted by separate entities.

On October 18, Kahle **confirmed** that stored data is safe and that “Wayback Machine, Archive-It, scanning, and national library crawls have resumed.” He also stated that the organization is taking a cautious approach to rebuilding and strengthening defences.

However, the Internet Archive experienced another security breach on 20 October 2024, where hackers exploited unrotated Zendesk API tokens to access its support platform. The breach exposed thousands of support tickets dating back to 2018, potentially containing personal identification documents, and highlighted a critical lapse in the Archive’s security practices, leading to a failure to rotate access tokens regularly.

According to online malware repository VX-Underground, “The Internet Archive users are reporting to have received this e-mail. It appears that the person(s) who compromised The Internet Archive still maintain some form of persistent access and are trying to send a message.”

****What Now for the Internet Archive?****

The Archive suffered multiple breaches due to vulnerabilities in its infrastructure, allowing attackers to access user data. It is speculated that the attacks were motivated by reputation rather than financial gain, with hackers seeking recognition within hacker communities. Although no ransom demands were made, the stolen data poses risks like **phishing attacks and identity theft**.

The Internet Archive hasn’t yet commented on the recent breach. Nevertheless, considering that it serves as a crucial repository of historical digital information, the series of attacks raise concerns about the long-term safety of this digital treasure trove and signifies the importance of strong cybersecurity measures. Regular security audits, secure coding practices, and prompt responses to vulnerabilities are essential for protecting user data and critical infrastructure. 

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Examining the US Government’s DDoS Protection Guidance Update**
4.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
5.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**

Internet Archive (Archive.org) Hacked for Second Time in a Month

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting...

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting replies to the tickets from the hackers themselves.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis. Earlier in October, the Internet Archive suffered from a data breach and DDoS attack.

During that breach the attackers were able to steal a user authentication database containing 31 million records.

While the Wayback Machine is almost fully functional again, in a recent turn of events the attackers have started replying to those users that have opened a support ticket with the Internet Archive.

This is one of the replies a user reported:

> “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.
> 
> As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.
> 
> Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.
> 
> Here’s hoping that they’ll get their shit together now.”

An Application Programming Interface (API) token is like a special pass that allows a computer program or app to access and use services provided by another program or website. It is used as proof that the user or app has permission to access the service.

It appears as if the Internet Archive uses Zendesk to manage its support tickets. Having the Internet Archive’s Zendesk token would certainly explain why the hackers can reply to customer tickets.

Changing a Zendesk API token is not very hard, but it can have unexpected consequences, so it may require some advance planning to minimize potential disruptions. This could be why the Internet Archive may not have gotten round to it yet. But not changing API keys that would grant the attackers access to the organization’s important infrastructure like Zendesk would be a serious omission.

On October 18, 2024, Internet Archive founder Brewster Kahle, posted an update stating the stored data of the Internet Archive is safe and work on resuming services safely is in progress.

> “We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure.”

So far, the Internet Archive has not responded to the new developments, and the motivation for the attacks on the Internet Archive remain unclear. We’ll keep you posted.

 Internet Archive attackers email support users: &#8220;Your data is now in the hands of some random guy&#8221; 

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Mirai-Inspired Gorilla Botnet Hits 0.3 Million Targets Across 100 Countries

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Google Chrome’s uBlock Origin Purge Has Begun

Days after facing a major breach, the site is still struggling to get fully back on its feet.

Source: Postmodern Studio via Alamy Stock Photo

The Internet Archive, a nonprofit digital library website, is beginning to come back online after a data breach and distributed denial-of-service (DDoS) attacks, prompting a week of its systems going offline.

Founded in 1996 by Brewster Kahle, the archive offers users free access to a historical Web collection, known as the Wayback Machine. This including access to more than 150 billion webpages, nearly 250,000 movies, 500,000 audio items, and more.

This free access to these seemingly unlimited resources all came to a halt on Oct. 9, when hackers stole and leaked the account information of a reported 31 million users. 

The users were met with a pop-up that read, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

HIBP is the "Have I Been Pwned" site that allows users to look up whether their personal information has been compromised in a data breach.

The Internet Archive site went offline in an effort to try to prevent such attacks from continuing to happen. Founder Brewster Kahle reported on social platform X that this process would take days, if not weeks.

"The @internetarchive's Wayback Machine resumed in a provisional, read-only manner. .... Please be gentle."

And in an update yesterday, he reported that Wayback Machine is running strong, though the team is still working to bring Internet Archive items and other services online safely.

**DDoS Mania**

Netscout, which has conducted analyses on the breach, reported that its researchers observed 24 DDoS attacks against the Autonomous System Number (ASN) 7941, the ASN used by the Internet Archive project. The first attack lasted more than three hours, and during the attack, three IP addresses used by Internet Archive received DDoS attack traffic.

"These kinds of attacks energize adversaries, and they often attempt to replicate the feat," the Netscout researchers reported. 

Bruno Kurtic, co-founder, president, and CEO of Bedrock Security, notes that perhaps these kind of breaches are inevitable.

"Perimeters will be breached, vulnerabilities will be exploited … attackers will eventually be at the front door of your data stores," he says. "For most enterprises, the first and fundamental gap is not knowing where their data is. Data is fluid, it moves, it sprawls, and it is created at an exponential rate."

To protect that data, Kurtic advises "proactive policy management," as well as detection of movement, encryption, and hashing.

"Monitoring access and continuously scanning to update classifications at hundreds-of-petabytes scale is hard but essential," he adds.

Internet Archive Slowly Revives After DDoS Barrage

US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.

Source: Firoze Edassery via Alamy Stock Photo

A federal grand jury has indicted two Sudanese nationals for their role in operating and controlling one of the most notorious hacktivist groups of recent years.

US officials allege that Ahmed Salah Yousif Omer — just 22 years old — and his brother Alaa Salah Yusuuf Omer, 27, were behind Anonymous Sudan (aka Storm-1359), a threat actor responsible for more than 35,000 distributed denial of service (DDoS) attacks worldwide since early 2023. In the US alone, it has clogged up websites belonging to major technology companies like Microsoft and Riot Games, the Cedars-Sinai Medical Center in Los Angeles — an event which caused an eight-hour disruption to patient care — and major government agencies like the FBI, State Department, Department of Defense, and Department of Justice (DoJ). It's believed that these attacks have caused at least $10 million in damages.

For their roles in "operating and controlling" Anonymous Sudan, Ahmed and Alaa were each charged with one count of conspiracy to damage protected computers. Ahmed also earned three counts for damaging protected computers.

The elder brother faces a maximum sentence of five years in federal prison, should he be found guilty. The younger: life behind bars.

"It's easy to be anonymous, and to hide yourself for a short period of time when visibility is limited," says Adam Meyers, head of counter adversary operations with CrowdStrike, which contributed to the DoJ investigation. "But the longer that things go on, the more that you do, the harder it is to keep up that facade."

**The Latest in Operation PowerOFF**

For years now, law enforcement authorities from the United States, United Kingdom, Germany, Poland, and the Netherlands have been collaborating as part of "Operation PowerOFF," to shutter DDoS-for-hire operations worldwide. PowerOFF has earned some high-profile successes since, including the arrests of the admins behind Webstresser — then the world's leading DDoS marketplace — back in 2018, a successful shutdown of 50 DDoS-for-hire platforms late in 2022, and another wave of "booter site" takedowns the following year. Then, early this year, authorities turned their sights on Anonymous Sudan.

Hacktivist groups, by their nature, are typically louder and easier to read than groups which put more emphasis on stealth and subtlety. "These guys were operating openly on Telegram. They were recruiting. They were talking about what they were up to. They were involved in things like #OpIsrael, and collaborating with groups like KillNet on some pro-Russia attacks. So they weren't hiding in the shadows," Meyers says.

Beyond that, he adds, "They did have some of what we would call OpSec issues, where they thought that they were being a little bit more discreet than they actually were."

With help from the Big Pipes working group — a PowerOFF collaboration between law enforcement and private sector partners — authorities identified assets belonging to Anonymous Sudan, and insights into the brothers at the top of the pyramid. Then in March, US authorities obtained court-authorized warrants to seize the tooling and infrastructure belonging to Anonymous Sudan. The FBI shut up key components of the group's sophisticated Distributed Cloud Attack Tool (DCAT) (aka Skynet, Godzilla, InfraShutdown), including the computer servers used to launch its attacks, those used to relay attack commands to its broader network of connected computers, and online accounts containing the group's source code.

**Not-So-Anonymous Sudan**

During its approximately year-long reign of terror, Anonymous Sudan had been connected with and attributed to a variety of different groups and interests. Some researchers suggested that it was merely a front for the Russian hacktivist collective KillNet. Others went further, suggesting that the group is backed by the Russian state.

"That was a misconception that many folks believed and parroted, with little supporting evidence," explains Chad Seaman, principal security researcher and team lead at Akamai SIRT, which also participates in PowerOFF through the Big Pipes working group. "Mostly this theory seemed to be rooted in their affiliation with KillNet, which as disclosed in the indictment details, seems to be more \[borne of\] an anti-west ideological alignment, and kind of turned into a marketing decision, in part aimed at driving business to their booter services they were selling at the time, due to KillNet's notoriety at the time."

There were some understandable reasons behind those connections: the scale of the operation, its sophistication, its apparent motives, etc. "Take into account their seemingly oddly aligned support of Russian hacktivist groups, being a new group that seemingly sprung up overnight, their ability to launch debilitating attacks, and an assumption that their operations were being paid for to the tune of hundreds of thousands of dollars a month in compute expenses, it's an easy theory to rationalize," he says.

However, he adds, "Attribution is often hard and messy work, and short of very compelling evidence to support such claims, it should always be eyed with a bit of suspicion until proof is provided. This isn't the first time, and it won't be the last, that we've seen theorized attribution fall victim to reality when more pieces of the puzzle fall into place."  

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Anonymous Sudan Unmasked as Leaders Face Life in Prison

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks.

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running **Anonymous Sudan** (a.k.a. **AnonSudan**), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — **Ahmed Salah Yousif** **Omer**, 22, and **Alaa Salah Yusuuf Omer**, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit **PayPal** the following month, followed by **Twitter/X** (Aug. 2023), and **OpenAI** (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the **FBI** and the **Department of State**.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the **U.S. Department of Justice** says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service **Telegram**, and marketed its DDoS service by several names, including “**Skynet**,” “**InfraShutdown**,” and the “**Godzilla botnet**.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

**Amazon** was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm **CrowdStrike** said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the **Cedars-Sinai Hospital** in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Sudanese Brothers Arrested in ‘AnonSudan’ Takedown

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.
The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks,

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.

The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers.

If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month the pair were arrested from an unknown country.

"Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks," said U.S. attorney Martin Estrada.

"This group's attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients."

Anonymous Sudan, which is tracked by Microsoft under the name Storm-1359, emerged at the start of 2023, orchestrating a series of Swedish, Dutch, Australian, and German organizations. While it claimed to be a hacktivist group, the indictments show that it was just a front for what they really were, a digital mercenary crew.

"After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan conducted a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and Northern European entities," Crowdstrike said.

"The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan also demonstrated a willingness to collaborate with other hacktivist groups like KillNet, SiegedSec and Türk Hack Team."

Court documents allege that the Anonymous Sudan actors and their customers used the group's Distributed Cloud Attack Tool (DCAT) to conduct thousands of destructive DDoS attacks and publicly claim credit for them, causing more than $10 million in damages to U.S. victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to prospective customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly permitted up to 100 attacks each day.

The DCAT tool, marketed in the criminal underground as Godzilla, Skynet, and InfraShutdown, has been dismantled as part of a court-authorized seizure of its key components, including servers that were used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

"These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructure worldwide, and holding accountable the administrators and users of these illegal services," the DoJ said.

The development comes as the Finnish Customs office (aka Tulli) disrupted the Sipulitie darknet marketplace — a successor to Sipulimarket that was taken down by law enforcement in 2020 – which specialized in the sale of drugs and had been operational on the dark web since 2023.

"The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity," Tulli said. "The website administrator has said on public forums that Sipulitie's turnover was 1.3 million euros."

Elsewhere, Brazil's Department of Federal Police (DPF) said it arrested a hacker in connection with a series of cyber attacks that breached its own systems and those belonging to other international institutions.

Codenamed Operation Data Breach, the effort saw the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte over allegations of leaking sensitive data associated with 80,000 members of InfraGard, a collaborative exercise between the U.S. government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, has also been accused of selling data from the Federal Police twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Charges Two Sudanese Brothers for Record 35,000 DDoS Attacks

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical…

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical infrastructure, hospitals, and major tech firms. The FBI seized a powerful DDoS tool; victims include the DOJ, Microsoft, and Cedars-Sinai.

The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting “tens of thousands” of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally.

****The Alleged Masterminds Behind the Attacks****

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers.

The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE’s Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

Anonymous Sudan taking responsibility for DDoS attacks on OpenAI’s ChatGPT (Screenshot credit: Hackrad.com)

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles.

The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.

****FBI Seized Anonymous Sudan’s DDoS Tool****

For your information, DCAT refers to a type of malicious tool or framework that exploits cloud resources across multiple geographic locations to execute cyberattacks. These tools often take advantage of the scalability, distribution, and on-demand nature of cloud services to create strong attack infrastructures.

According to the DoJ’s press release, in March 2024, the U.S. Attorney’s Office and the FBI, acting on court-authorized seizure warrants, successfully disabled and seized Anonymous Sudan’s “powerful DDoS tool.” This tool, which the group allegedly used to execute attacks and sold as a service to other criminals, was the base of their operations.

The March 2024 operation, which disrupted the DCAT tool (also known as “Godzilla,” “Skynet,” and “InfraShutdown”), involved seizing key components, including servers that launched and controlled attacks and those that relayed commands. The warrants also covered accounts containing the source code for the DDoS tools.

“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world,” stated United States Attorney Martin Estrada. He emphasized the group’s callousness, noting attacks on hospitals providing emergency care. “We are committed to safeguarding our nation’s infrastructure and holding cybercriminals accountable,” he added.

****Operation PowerOFF****

These actions are part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures active since 2018. Private sector entities like Akamai SIRT, Amazon Web Services, Cloudflare, and Microsoft have played a key role in the takedown since.

In its latest blog post shared with Hackread.com, Akamai SIRT expressed gratitude to the FBI, DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations and disrupting these operations.

“Akamai would like to thank the members of the Federal Bureau of Investigation (FBI), the DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations, as well as their investment of time and energy into unravelling these operations and attempting to disrupt them,” the company said.

1.  Cyberattack on American Water Halts Billing
2.  Dark Web’s cybercrime group indicted after stealing $530M
3.  Technician Indicted for Hacking California Water Treatment Facility
4.  Russian Hacker Wanted for Cyberattacks on Ukraine, $10M Reward
5.  North Korean Hacker Charged for Ransomware Attacks on Hospitals

Tag

#ddos