In December of 2023, for instance, Anonymous Sudan took OpenAI’s ChatGPT offline with a sustained series of DDoS attacks in response to the company’s executive Tal Broda vocally supporting the Israel Defense Forces’ missile attacks in Gaza. “More! No mercy! IDF don’t stop!” Broda had written on X over a photo of a devastated urban landscape in Gaza, and in another post denied the existence of Palestine.
“We will continue targeting ChatGPT until the genocide supporter, Tal Broda, is fired and ChatGPT stops having dehumanizing views of Palestinians,” Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.
Still, Anonymous Sudan’s true goals haven’t always seemed entirely ideological, Akamai’s Seaman says. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group as recently as March offered the use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its moneymaking side, Seaman argues.
“They seem to have thought, ‘We can get involved, really put a hurting on people, and market this service at the same time,’” Seaman says. He notes that, in the group’s anti-Israel, pro-Palestine focus following the October 7 attacks, “there’s definitely an ideological thread in there. But the way it weaved through the different victims is something that maybe only the perpetrators of the attack fully understand.”
At times, Anonymous Sudan also hit Ukrainian targets, seemingly partnering with pro-Russian hacker groups like Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russia-linked operation using its Sudanese identity as a front, given Russia’s history of using hacktivism as false flag. The charges against Ahmed and Alaa Omer suggest that the group was, instead, authentically Sudanese in origin. But aside from its name, the group doesn’t appear to have any clear ties to the original Anonymous hacker collective, which has been largely inactive for the last decade.
Aside from its targeting and politics, the group has distinguished itself through a relatively novel and effective technical approach, Akamai’s Seaman says: Its DDoS service was built by gaining access to hundreds or possibly even thousands of virtual private servers—often-powerful machines offered by cloud services companies—by renting them with fraudulent credentials. It then used those machines to launch so-called layer 7 attacks, overwhelming web servers with requests for websites, rather than the lower-level floods of raw internet data requests that DDoS hackers have tended to use in the past. Anonymous Sudan and the customers of its DDoS services would then target victims with vast numbers of those layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to simultaneously create multiple bandwidth demands on servers until they dropped offline.