U.S. Indicts 2 Linked to Oct. 7 Cyberattack on Israeli Warning System
It was early morning on Oct. 7, 2023, and Hamas fighters had just breached the Israeli border, when Ahmed Omer, a young Sudanese man with an aptitude for computers, launched a different kind of attack.
Sitting at a computer, he mounted a long-distance cyberassault on the online early warning systems used in Israel to alert citizens to danger. The systems were briefly disabled, preventing potentially lifesaving warnings from reaching Israelis about Hamas’s deadly assault, in which about 1,200 people were killed and more than 200 abducted.
That was the case made against Mr. Omer and his brother, Alaa Omer, in a criminal indictment unsealed in California this week. “This was the most dangerous cyber group in terms of DDoS attacks in the world,” E. Martin Estrada, the United States Attorney for the Central District of California, said in a call with reporters.
The brothers are accused of running a group called Anonymous Sudan, which for the year it existed launched as many as 35,000 cyberassaults known as distributed denial of service, or DDoS, attacks. The attacks disrupted websites belonging to government agencies, including the F.B.I. and Justice Department, and to news agencies, such as The Washington Post and CNN, according to the indictment.
They also attacked hospitals in various countries.
The indictment outlines in detail actions against the United States, Israel and a number of other countries, including Denmark, France and Sweden. The California attorney’s office claims jurisdiction because the operation attacked American entities.
In February, the brothers shut down critical computer systems belonging to the Cedars-Sinai hospital in Los Angeles, causing emergency services to temporarily divert patients to other hospitals, according to the indictment. The brothers, who have been arrested and are in custody in an unspecified country, claimed at the time that the attack was in retaliation for Israel’s bombing of hospitals in Gaza.
“Bomb our hospitals in Gaza, we shut down yours too, eye for eye,” they wrote on Telegram, the messaging app.
Their actions were so damaging, and potentially life-threatening, that prosecutors have included one charge against Ahmed Omer that carries a maximum sentence of life in prison, the first time the United States has threatened a cybercriminal with such punishment, according to Mr. Estrada.
“When you’re attacking hospitals, you’re putting lives in jeopardy, and this one certainly put lives in jeopardy,” Mr. Estrada said in the call with reporters.
The attacks on Israel were perhaps the most dramatic and damaging done by Anonymous Sudan, officials said.
In the hour after Hamas fighters launched their attack, first with rocket fire and then by breaching the Israeli border on foot and by paraglider, Anonymous Sudan targeted two private companies that provide online applications designed to alert Israeli users to danger.
A representative from one application, Tzofar – Red Alert, confirmed that the company had “suffered from a major DDoS attack to our services” in the early hours of Oct. 7, which made it difficult to access the company website. Users continued to receive alerts to the mobile app without interruption, said the company representative, who requested anonymity to discuss internal company matters.
“We are currently targeting some critical endpoints in the alert systems of Israel,” Anonymous Sudan posted to its Telegram channel on Oct. 7. “Glory to the Palestinian Resistance, we are with you.”
The group also targeted The Jerusalem Post, according to the indictment. Starting the morning of Oct. 8, the Israeli English-language daily reported in an online post that “multiple cyber attacks” caused “our site to crash.”
The indictment gives no indication that the brothers coordinated with members of Hamas during the attack. Only a few senior Hamas leaders knew the full extent of the operation before it began.
But the speed with which Anonymous Sudan responded — the first cyber attack on the alert system came less than 30 minutes after the border was breached — underscored the skill and speed of its operation, experts said.
A group calling itself Anonymous Sudan appeared on the Telegram messaging app in January 2023. Despite the name, cybersecurity researchers long believed that the group served as a front for Russian cybercriminals.
For a time, the group posted in the Russian language. And within a month of its creation, Anonymous Sudan announced a partnership with REvil and Killnet, two of the most prominent Russian cybercriminal groups, and took part in joint attacks on Ukrainian computer systems.
Eventually, the group began publishing comments in Arabic and choosing targets that seemed to reflect a pan-Islamist viewpoint, said Ian Gray, the vice president for cyberthreat intelligence operations at Flashpoint, a cybersecurity company. Mr. Gray said that there was no indication that Anonymous Sudan had any connection to state actors, though the Russian cybercriminal groups with whom the group interacted have ties to Russia’s security services.
“Any overlap between Anonymous Sudan and pro-Kremlin threat actors appears to be ideological and not based on national origin,” Mr. Gray said.
It is not clear when the brothers might be extradited to the United States for trial, if ever. Mr. Estrada said that they were in custody outside the United States and had been interrogated by the F.B.I. He would not say the country where they were being held.
The group’s attacks against Israel did not begin on Oct. 7. Earlier in the year, Anonymous Sudan launched attacks on a utilities provider, on the Israeli military and on the country’s Supreme Court, according to the indictment and to cybersecurity researchers who have followed the group.
In May 2023, according to Flashpoint, the group launched an attack on Israel’s Iron Dome defense system at the time of a rocket attack from Gaza. In that attack, 16 rockets were able to get past Israeli defenses, a larger than normal number, Flashpoint said in an internal report sent to The New York Times.
In one of their messages on Telegram from that time, Anonymous Sudan warned that it would coordinate with Hamas in future attacks.
“We are now playing with Israel again,” the group wrote. “The strong strikes will be when there is a missile attack from Gaza.”