For the first time in the history of the tech industry, the U.S. Department of Justice (DOJ) has publicly acknowledged the pivotal role of Amazon Web Services (AWS) in the apprehension of two key individuals associated with the hacking group known as Anonymous Sudan. This group has been responsible for a series of denial-of-service (DDoS) attacks targeting government agencies, healthcare organizations, telecommunications companies, and cloud service providers around the globe.
In a notable statement, the DOJ expressed gratitude to Amazon for providing crucial leads that aided in the capture of these criminals, who security experts believe are not only influential but also linked to a broader network of cybercrime activities, including ransomware operations.
Tom Scholl, Vice President and Engineer at Amazon Web Services, shared details of the investigation, shedding light on how law enforcement was able to trace the hackers who were reportedly offering “rate cards” for DDoS services—charging around $100 per day, $600 per week, and between $1,700 and $1,900 for executing these disruptive attacks.
The criminals were identified through AWS’s technical capabilities. Specifically, the company’s experts monitored a group of servers, referred to as “Proxy Drivers,” which the hackers rented to launch their attacks. Once the attackers began leasing these servers, their activity came under surveillance by MadPot, an internal threat-detection system developed by AWS that has been operational since June 2023. Although Jeff Bezos is no longer the CEO, he still serves as Executive Chairman, underscoring the company’s ongoing commitment to security.
Scholl and his team effectively tracked the activities of the digital mercenaries affiliated with Anonymous Sudan. They promptly alerted law enforcement, which led to a coordinated effort involving the DOJ, the FBI, and Europol to indict the individuals now identified as Ahmad Yousif Omar and Alaa Salah Yusuf Omar. These brothers have been charged with inflicting substantial damage to the digital assets of numerous companies.
Reports indicate that the FBI seized operations and infrastructure linked to the group in March of this year, neutralizing a significant tool known as the Distributed Cloud Attack Tool (DCAT), also dubbed “Godzilla.” This sophisticated weapon was capable of executing over 35,000 DDoS attacks simultaneously, boasting a success rate of approximately 10%.
This incident serves as a critical reminder for companies to maintain vigilant oversight of their leased infrastructure and to cooperate with law enforcement in the event of a cyber incident. Many cybercriminal organizations launch ransomware, malware, and DDoS attacks from cloud infrastructure leased from large providers, particularly those operating in Western and Central Asian regions. Organizations must stay alert and proactive in safeguarding their digital environments.