Anonymous Sudan (also tracked as Skynet Stress Tester, Godzilla Botnet, Storm-1359 [Microsoft], InfraShutdown) is a hacktivism cluster of disputed origin, operationally publicly self- identifying as Sudanese hacktivism but Western analytical consensus widely treats Anonymous Sudan as a Russia-aligned operation using Sudanese identity as operational cover or false- flag rather than genuinely Sudanese hacktivism. The cluster was active from approximately January 2023 through March 2024 when FBI law-enforcement action effectively terminated cluster operations under that brand identity. The Sudanese-identity-as-false-flag analytical framing is supported by multiple operational-pattern data points: First, the cluster's primary operational language and Telegram- channel coordination patterns align with Russia-speaking organized cyber operations rather than Sudanese-Arabic-speaking patterns.

Second, operational targeting consistently aligns with Russian state foreign-policy interests (NATO-country government targeting, Western corporate technology targeting, opposition to Western sanctions on Russia) rather than Sudanese political interests. Third, cluster public messaging has explicitly endorsed Killnet (already covered as killnet.yaml) and broader Russia-aligned hacktivism narratives. Fourth, cluster operational sophistication and tooling capability substantially exceeds what would be operationally plausible for Sudanese hacktivism originating in a country with limited cybercrime infrastructure during a period of active civil war (April 2023+).

The Microsoft 365 attacks alone (June 2023) required operational capability that Sudanese hacktivism originating in Sudan during active civil-war period would not plausibly possess. Modern Western vendor consensus (Microsoft Storm-1359 naming, CrowdStrike, Mandiant, Recorded Future, others) treats Anonymous Sudan as Russia-aligned despite the Sudanese-identity-marketing. The March 2024 FBI law-enforcement action complicates the analytical framing.

• Ahmed Salah Yousif Omer (born approximately 1999, alleged cluster operator and Skynet Stress Tester operator)
• Alaa Salah Yusuf Omer (born approximately 1996, alleged cluster operator) The indictments charged the brothers with conspiracy to damage protected computers and additional related charges carrying maximum sentences of life imprisonment. The FBI also disrupted Anonymous Sudan operational infrastructure including the Skynet Stress Tester DDoS-for-hire commercial service that operated alongside the cluster's hacktivism activity. The arrests effectively terminated Anonymous Sudan operations under that brand identity. The arrests complicate the analytical framing of cluster origin , at least some cluster operators were genuinely Sudanese individuals, though operational targeting and characteristics align with Russia-aligned hacktivism, suggesting Russia-aligned operational coordination or financial sponsorship of Sudanese operators rather than direct Russian-operator cluster identity. The analytical framing remains operationally complex. The cluster's most operationally consequential operation was the June 2023 Microsoft 365 + Outlook + OneDrive sustained DDoS attacks producing operational service disruption for Microsoft 365 customers globally for multiple hours across multiple incident windows. Microsoft publicly confirmed the attacks in a June 16, 2023 disclosure and tracked the cluster under the Storm-1359 identifier. The Microsoft 365 attacks were operationally consequential beyond the immediate service disruption because they demonstrated Anonymous Sudan operational capability to impact one of the most operationally resilient cloud-service providers globally, Microsoft 365 is engineered for substantial DDoS resilience, and operational disruption of that scale required substantial cluster operational capability.

• Scandinavian Airlines SAS (February 2023, Nordic-country impact)
• X (Twitter) (August 2023, brief service disruption)
• Cloudflare and Tumblr (October 2023, operationally significant because Cloudflare is itself a major DDoS protection vendor)
• Israeli targeting during October 2023 Hamas-Israel war period (operations against Israeli government, financial- services, healthcare, media, and critical-infrastructure targets, with public messaging framing operations as anti- Israeli solidarity-with-Palestinians hacktivism despite operational tradecraft remaining consistent with earlier Russia-aligned-targeting patterns) Operationally the cluster operated Skynet Stress Tester, a DDoS-for-hire commercial service apparently operating alongside hacktivism activity providing paid DDoS-attack capability to third-party customers in addition to cluster-selected hacktivism targeting. The Skynet Stress Tester operational model represents cluster monetization diversification beyond pure-hacktivism politically-motivated operations and is operationally distinctive among publicly-tracked hacktivism operations. The custom "Godzilla botnet" provided additional operational infrastructure alongside conventional DDoS tooling. A handful of operational notes: First, the cluster represents the central reference case for analyzing false-flag hacktivism operations. The combination of ostensibly-Sudanese branding with operationally Russia-aligned targeting and capability illustrates the analytical challenges of attributing contemporary hacktivism operations where operational claims and operational tradecraft do not align. Defender threat-modeling for contemporary hacktivism should treat self-claimed cluster identity as operationally distinct from analytically-attributable cluster origin. Second, the cluster represents one of the relatively few major contemporary hacktivism operations effectively terminated by Western law-enforcement action. The rapid disruption and named- individual attribution outcome (Ahmed Salah + Alaa Salah arrests March 2024) was operationally unusual for hacktivism operations , most contemporary hacktivism operations (Killnet, NoName057(16), and others) have remained operationally resilient despite sustained Western law-enforcement pressure because cluster administrators are protected by Russian jurisdiction. Anonymous Sudan's Sudanese-national operator base was operationally accessible to Western law-enforcement in ways that Russia-based cluster administrators are not. Third, the cluster's combination of hacktivism activity with DDoS-for-hire commercial operations (Skynet Stress Tester) represents an analytically interesting operational-doctrine data point about contemporary hacktivism cluster monetization diversification. The pattern suggests that hacktivism operations can blur into for-profit cybercrime, complicating clean analytical separation between hacktivism and cybercrime cluster categories. Fourth, the cluster's Microsoft 365 attack (June 2023) represents one of the most operationally consequential single hacktivism- attributed cyber operations in the publicly-tracked record. The attack demonstrated that contemporary hacktivism can produce operational service disruption at the major-cloud-provider scale previously associated with state-aligned APT operations. Defender threat-modeling for cloud-service providers should treat hacktivism-tier DDoS as meaningful threat category requiring substantial operational resilience engineering.