In December of 2023, for instance, Anonymous Sudan took OpenAI’s ChatGPT offline with a sustained series of DDoS attacks in response to the company’s executive Tal Broda vocally supporting the Israel Defense Forces’ missile attacks in Gaza. “More! No mercy! IDF don’t stop!” Broda had written on X over a photo of a devastated urban landscape in Gaza, and in another post denied the existence of Palestine.
“We will continue targeting ChatGPT until the genocide supporter, Tal Broda, is fired and ChatGPT stops having dehumanizing views of Palestinians,” Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.
Still, Anonymous Sudan’s true goals haven’t always seemed entirely ideological, Akamai’s Seaman says. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group as recently as March offered the use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its moneymaking side, Seaman argues.
“They seem to have thought, ‘We can get involved, really put a hurting on people, and market this service at the same time,’” Seaman says. He notes that, in the group’s anti-Israel, pro-Palestine focus following the October 7 attacks, “there’s definitely an ideological thread in there. But the way it weaved through the different victims is something that maybe only the perpetrators of the attack fully understand.”
At times, Anonymous Sudan also hit Ukrainian targets, seemingly partnering with pro-Russian hacker groups like Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russia-linked operation using its Sudanese identity as a front, given Russia’s history of using hacktivism as false flag. The charges against Ahmed and Alaa Omer suggest that the group was, instead, authentically Sudanese in origin. But aside from its name, the group doesn’t appear to have any clear ties to the original Anonymous hacker collective, which has been largely inactive for the last decade.
Aside from its targeting and politics, the group has distinguished itself through a relatively novel and effective technical approach, Akamai’s Seaman says: Its DDoS service was built by gaining access to hundreds or possibly even thousands of virtual private servers—often-powerful machines offered by cloud services companies—by renting them with fraudulent credentials. It then used those machines to launch so-called layer 7 attacks, overwhelming web servers with requests for websites, rather than the lower-level floods of raw internet data requests that DDoS hackers have tended to use in the past. Anonymous Sudan and the customers of its DDoS services would then target victims with vast numbers of those layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to simultaneously create multiple bandwidth demands on servers until they dropped offline.
For at least nine months, the group’s technical power and brazen, unpredictable targeting made it a top concern for the anti-DDoS community, Seaman says—and for its many victims. “There was a lot of uncertainty about this group, what they were capable of, what their motivations were, why they targeted people,” says Seaman. “When Anonymous Sudan went away, there was a spike in curiosity and definitely a sigh of relief.”
The Justice Department’s decision to level a criminal charge against Ahmed Omer that could lead to a life sentence for a denial-of-service attack may seem haphazard, given that state-sponsored cyberattacks and ransomware have often caused far more serious damage to health care networks, says Josh Corman, a researcher at the Institute for Security and Technology who has long focused on health care-targeted hacking. Corman says he’s nonetheless encouraged to see prosecutors recognize that even crude cyberattacks can have serious—and even lethal—effects on victims.
“Yes, denial-of-service attacks can degrade and deny patent care to cause loss of life,” says Corman. “While this is the first, and it may seem arbitrary until we get more details, it could be heartening to see that we understand the outsize consequences of these attacks.”
