Today, the U.S. Department of Justice (DOJ) unsealed criminal charges against two leaders of a highly disruptive cybercriminal operation, which targeted hospitals, government agencies, telecommunications services, cloud providers, and a range of other organizations.
The DOJ acknowledged contributions from Amazon Web Services (AWS) and its security experts to the effort to bring the leaders of this group, named Anonymous Sudan, to justice. Anonymous Sudan is one of dozens of cybercrime-for-hire operations that AWS security teams have been instrumental in disrupting over the past two years. This group, in particular, deployed distributed denial of service (DDoS) attacks for money.
In a DDoS attack, a malicious actor floods a server with millions of requests per second. Like a customer service center overrun with callers, the site can't serve new requests and essentially shuts down. These attacks can last anywhere from several minutes to—if the perpetrator has sufficient funding and infrastructure—hours or days. The impact of such attacks and downtime includes potentially millions of dollars of lost business and productivity, as well as the human impact of critical healthcare and other infrastructure not being available when they’re needed most.
DDoS attacks are unfortunately not rare, but the scale and audacity of the alleged attacks by Anonymous Sudan were striking to AWS’s security team.
"We were a bit surprised about how brazen they were, and by the ease with which they were impacting high-profile targets," said Tom Scholl, AWS VP and distinguished engineer. "They did it as a form of marketing their DDoS-as-a-service offerings, with rate cards and ways to contact them to sign up for purchasing DDoS services, everything."
Anonymous Sudan offered DDoS attacks for $100 per day, $600 per week, and $1,700 per month, and it had plenty of customers. But for companies with sophisticated security teams and cloud-based tools, DDoS attacks are generally easy to defend against. AWS, for example, maintains a wide array of security monitoring tools across its global infrastructure in order to identify threats before they happen. That's why it was somewhat surprising to see how effective these conventional attacks were in disrupting a number of targets, including a large cloud provider.

Bad actors through and through

To carry out these attacks, Scholl says, groups like Anonymous Sudan find hosting companies that will rent them small armies of servers, which the group calls "proxy drivers," from which to launch their attacks. There is nothing out of the ordinary in that. Their potential impact becomes really significant when they then acquire access to thousands of other machines—typically misconfigured webservers—through which almost anyone can funnel attack traffic. This extra layer of machines usually hides the true source of an attack from the target. But they couldn't evade Scholl and his team.
Scholl's group began monitoring Anonymous Sudan with AWS's internal threat intelligence tool, MadPot, in June 2023. Before then, Anonymous Sudan was less public about its attacks and would be active for short periods and then go quiet. With the help of threat intelligence tools like MadPot, Scholl and his team were able to identify the hosting provider infrastructure that Anonymous Sudan used for its proxy drivers. Scholl and his team worked with those hosting providers, notifying them whenever they observed proxy drivers in their networks launching attacks. The DOJ worked in parallel.
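Operators who want to know whether one of their own servers is among the "misconfigured webservers" described above can check access logs for requests that only make sense for a forward proxy (absolute-form request targets and CONNECT tunnels) that the server nonetheless answered with a 2xx status. The script below is an added illustration, not AWS or MadPot code; the log lines are constructed, and the combined-log regex is a simplification of the real format.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:02 +0000] "GET http://victim.example/ HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:12:00:02 +0000] "GET http://victim.example/ HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2024:12:00:03 +0000] "CONNECT victim.example:443 HTTP/1.1" 200 0 "-" "-"
203.0.113.11 - - [10/Oct/2024:12:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Simplified combined-log pattern: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def is_proxy_style(method, target):
    """True when the request-target form only makes sense for a forward proxy."""
    if method.upper() == "CONNECT":
        return True  # tunnel request; an origin server should refuse it
    # Absolute-form URI ("GET http://host/ HTTP/1.1") is how clients talk to proxies.
    return target.lower().startswith(("http://", "https://"))


def find_open_proxy_abuse(log_text):
    """Return {client_ip: count} of proxy-style requests the server answered with 2xx.

    Any non-empty result means the server is relaying traffic for third parties
    and should be reconfigured (disable mod_proxy / forward proxying, restrict ACLs).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        if is_proxy_style(m["method"], m["target"]) and m["status"].startswith("2"):
            hits[m["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in find_open_proxy_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {n} relayed proxy request(s)")
```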

Digital mercenaries

Though Anonymous Sudan often billed itself as a hacktivist group, the boastful messages on its Telegram channels showed it was really a band of digital mercenaries. Criminal groups and other bad actors purchase services from groups like Anonymous Sudan to shut down websites or infrastructure systems. In fact, the market has become so sophisticated that groups like Anonymous Sudan will sometimes offer "customers" pricing tiers, and even refunds if the attack doesn't have the desired result.
Unfortunately, these attacks are not unique or infrequent, so they need to be handled in a scalable way. AWS threat intelligence capabilities like MadPot enable AWS to automatically generate takedown requests to hosting providers and domain registrars to disrupt groups launching DDoS attacks, like Anonymous Sudan. In the last 12 months, AWS teams have requested more than 2,500 hosting providers and domain registrars take down more than 80,000 distinct hosts and domains.
Read the Press Release published by the U.S. Attorney's Office, Central District of California.
Learn more about how AWS security tracks the cloud’s biggest security threats and helps shut them down.