“We will continue to attack ChatGPT until genocide supporter Tal Broda is fired and ChatGPT stops holding dehumanizing views on Palestinians,” Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.
Still, Anonymous Sudan’s true goals haven’t always seemed entirely ideological, says Akamai’s Seaman. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group in March offered use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its lucrative side business, Seaman argues.
“They seem to have thought, ‘We can get involved, really hurt people, and market this service at the same time,’” Seaman says. He notes that, in the group’s anti-Israel and pro-Palestinian approach following the October 7 attacks, “there is definitely an ideological thread there. But the way it was interwoven between the different victims is something that perhaps only the perpetrators of the attack fully understand.”
Anonymous Sudan also occasionally attacks Ukrainian targets, apparently partnering with pro-Russian hacking groups such as Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russian-linked operation using its Sudanese identity as a front, given Russia’s history of using hacktivism as a false flag. The charges against Ahmed and Alaa Omer suggest that the group was instead of authentic Sudanese origin. But aside from its name, the group does not appear to have any clear links to the original Anonymous hacking collective, which has been largely dormant for the past decade.
Aside from its goals and policy, the group has distinguished itself with a relatively novel and effective technical approach, says Akamai’s Seaman: Its DDoS service was built on hundreds or possibly even thousands of virtual private servers, often powerful machines offered by cloud services companies, rented with fraudulent credentials. It then used those machines to launch so-called Layer 7 attacks, overwhelming web servers with website requests, rather than the avalanches of lower-level raw Internet data that DDoS hackers have tended to use in the past. Anonymous Sudan and clients of its DDoS service would then target victims with a large number of those Layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to place many simultaneous demands on the servers until they went offline.
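Because Layer 7 floods look like ordinary HTTP requests rather than malformed packets, they are usually first visible in the web server's own access log. The following is an added example for defenders, not code from the article or from any of the parties it describes: it parses combined-format access log lines, counts requests per source address in a sliding time window, flags sources whose rate exceeds a threshold, and reports which paths the flagged sources concentrate on. The log lines, the IP addresses and the thresholds are constructed for this example and would be tuned to a site's real traffic.

```python
"""
Added example (not from the article): a small Layer 7 flood detector for
web-server access logs. Log lines, addresses and thresholds below are
constructed/assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: IP - - [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict (ip, time, path, proto, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "proto": m.group("proto"),
        "status": int(m.group("status")),
    }


def flag_floods(lines, window_seconds=10, max_requests=50):
    """
    Sliding-window rate check per source IP (assumed thresholds).
    Returns {ip: peak requests seen inside any window} for sources that
    exceeded max_requests within window_seconds; well-behaved clients are absent.
    """
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        q = windows[rec["ip"]]
        q.append(rec["time"])
        # Drop timestamps that have aged out of the window.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def top_paths(lines, ips):
    """Paths hit by the flagged sources, most frequent first (query strings stripped)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in ips:
            counts[rec["path"].split("?")[0]] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def constructed_log():
    """Constructed sample: two normal clients plus one source sending 60 requests in 6 seconds."""
    base = "[12/Jun/2023:10:00:%02d +0000]"
    lines = []
    for i, ip in enumerate(["203.0.113.5", "198.51.100.7"]):  # documentation-range addresses
        for s in range(0, 30, 10):
            lines.append(f'{ip} - - {base % (s + i)} "GET /index.html HTTP/1.1" 200 5120')
    for n in range(60):
        lines.append(f'192.0.2.9 - - {base % (n // 10)} "GET /search?q=x{n} HTTP/2.0" 200 1024')
    lines.append("not a log line")  # exercises the parse-failure branch
    return lines


if __name__ == "__main__":
    sample = constructed_log()
    flagged = flag_floods(sample)
    print("flagged sources:", flagged)
    print("paths hit by flagged sources:", top_paths(sample, set(flagged)))
```

The per-address count is deliberately coarse: a fleet of rented virtual private servers spreads the same request volume across many addresses, each of which may stay under a per-IP threshold, so in practice the same window check is also run per path (to spot a single expensive endpoint absorbing the load) and aggregated by network or provider rather than by individual address.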
For at least nine months, the group’s technical power and its brazen, unpredictable goals made it a major concern of the anti-DDoS community, Seaman says, and its many victims. “There was a lot of uncertainty about this group, what they were capable of, what their motivations were, why they attacked people,” Seaman says. “When Anonymous Sudan disappeared, there was an increase in curiosity and definitely a sigh of relief.”
“This is a massive number of attacks,” Estrada said. “We are determined to hold cybercriminals accountable for the serious harm they cause.”