In December 2023, the hacker group Anonymous Sudan successfully disrupted OpenAI’s ChatGPT using a series of sustained DDoS attacks. This action was reportedly in retaliation against comments made by Tal Broda, an executive at OpenAI, who had publicly supported the Israel Defense Forces’ missile strikes in Gaza. Broda had posted messages online expressing support for the attacks, alongside an image depicting destruction in Gaza, and in another post, he denied the existence of Palestine.
Anonymous Sudan issued a statement on Telegram explaining their attacks on OpenAI, stating they would continue until Tal Broda was removed from his position and ChatGPT ceased to present what they perceived as dehumanizing views of Palestinians.
Despite the ideological stance claimed by the group, some cybersecurity experts, such as Akamai’s Seaman, suggest that Anonymous Sudan’s goals may not be entirely ideological. The group has offered to sell access to its DDoS infrastructure, which they call Godzilla or Skynet, for $2,500 per month. Seaman argues this suggests that even politically motivated attacks might serve as marketing for their profit-driven activities.
Seaman noted that while the group showed an anti-Israel and pro-Palestine stance, especially after the October 7 incidents, the varied targets of their attacks might indicate a complexity understood only by those who carried out the operations.
Anonymous Sudan also targeted entities in Ukraine, appearing to collaborate with pro-Russian groups like Killnet. This led to suspicions within the cybersecurity community that the group could be a Russia-linked entity disguised under a Sudanese identity. However, indictments against individuals Ahmed and Alaa Omer imply that the group is genuinely of Sudanese origin. The group does not show ties to the original Anonymous hacker collective, which has been largely inactive for the past ten years.
Technically, Anonymous Sudan has set itself apart with a novel and effective approach, according to Seaman. The group operated its DDoS service by accessing numerous virtual private servers—often powerful servers from cloud service companies—through fraudulent credentials. These machines were used to execute layer 7 attacks, which overwhelm web servers with website requests, rather than the traditional lower-level data request floods used by DDoS hackers. Anonymous Sudan and its DDoS service clients targeted victims by sending vast numbers of these requests simultaneously, employing techniques such as “multiplexing” or “pipelining” to maximize bandwidth pressure on servers until they became unresponsive.
