Best botnet ad? An attack on OpenAI


Anonymous Sudan supposedly hit ChatGPT at almost the same time it introduced a new botnet. Experts say the gang is commercializing to enhance operational resources.

It doesn’t take an SEO expert to see that everything AI is trending. Most of the world’s tech journalists just spent a weekend rummaging through the Machiavellian intrigues surrounding Sam Altman.

Just a year ago, few would have cared about the boardroom gossip of OpenAI, the non-profit behind ChatGPT, but now it's the talk of the town. Hacktivists are likely fully aware of the latest media trends, as well.

Coincidentally, the first wave of attacks against OpenAI from the Russia-allied Anonymous Sudan (AS) took place in early November. A day after OpenAI acknowledged a distributed denial-of-service (DDoS) attack, AS unveiled its novel for-hire botnet dubbed SkyNet.

While OpenAI declined to specify who launched the DDoS against ChatGPT, cybersecurity pundits quickly put two and two together. The shift towards commercialization signals a “significant enhancement in AS’s operational resources,” Nataliia Zdrok, senior threat intelligence analyst at Binary Defense, says.

“Not only does this mean that Anonymous Sudan now has sufficient resources to launch their attacks, but it also indicates their ability to monetize these capabilities by selling DDoS services,” Zdrok told Cybernews.

Two birds with one stone

November marked two significant attacks claimed by AS: the targeting of OpenAI and a supposed attack against the so-called “backbone of the modern internet,” Cloudflare.

While AS’s operational motivations are hardly clear-cut, the collective does present itself as anti-Western, pro-Russian, and, at least since October 7th, anti-Israel.

The gang specifically mentioned OpenAI in several of its Telegram posts, blaming the non-profit for plans to invest in Israel as well as the general possibility that AI could be used in weapon making and intelligence gathering.

While AS has not explicitly stated why it targeted Cloudflare, the company does fall under the catch-all umbrella of “unfriendly Western businesses.” On the other hand, what’s a better promo for a newly launched botnet than a successful attack against the website of a leading DDoS protection company?

“Anonymous Sudan’s claims of discovering a vulnerability in Cloudflare’s protection services and criticisms regarding the company’s capacity to protect its clients indicate a strategy to reduce such companies’ credibility and reliability,” Zdrok said.

Danger zone

By introducing the SkyNet bot, AS could be revving up its engines. The botnet is supposedly layer-seven capable: rather than simply saturating the target's bandwidth with raw packets, it sends a flood of well-formed requests at the application layer (the topmost layer of the OSI model, where protocols such as HTTP live). Those requests look like ordinary user traffic and force the server to do real work to answer each one, which makes them harder to filter than a volumetric flood and cheaper for the attacker per unit of damage.
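The layer-seven distinction matters to defenders because such floods contain nothing malformed to match on. As an added example that is not part of the original article, and not code from Anonymous Sudan or any vendor quoted here, the Python script below scores constructed access-log lines for likely flood sources: it parses combined-format lines, computes each source's peak request count in a sliding window, and reports how dynamic-heavy the requests were and how many user agents the source used. The IP addresses, paths, user agents and thresholds are illustrative assumptions.

```python
"""Score web-server access logs for likely layer-7 (HTTP) flood sources.

Added example; the log lines below are constructed, not taken from the
article or from any real incident. IPs, paths, user agents and thresholds
are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx and Apache.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Cacheable assets; a real browser fetches these alongside the page.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".svg", ".woff2")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def peak_requests(times, window_s):
    """Largest number of requests that fall inside any window_s-second span."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flood_sources(lines, window_s=10, threshold=30):
    """Map each source IP that exceeds `threshold` requests in some
    `window_s`-second window to a summary of why it was flagged.

    A layer-7 flood is made of well-formed requests, so the signal is rate,
    plus the share of requests hitting dynamic (uncacheable, expensive)
    paths and the absence of the asset fetches a browser would make.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        peak = peak_requests([r["ts"] for r in recs], window_s)
        if peak < threshold:
            continue
        dynamic = sum(1 for r in recs if not r["path"].lower().endswith(STATIC_EXT))
        flagged[ip] = {
            "peak_per_window": peak,
            "total": len(recs),
            "dynamic_ratio": round(dynamic / len(recs), 2),
            "user_agents": len({r["ua"] for r in recs}),
        }
    return flagged


def make_line(ip, ts, method, path, ua, status=200, size=512):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


T0 = datetime(2023, 11, 8, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Constructed flood: one source fires 60 POSTs at a dynamic endpoint in ~6 s.
for i in range(60):
    SAMPLE_LOG.append(make_line("203.0.113.7", T0 + timedelta(milliseconds=100 * i),
                                "POST", f"/api/query?id={i}", "python-requests/2.31"))
# Constructed browsing: a user loads a page, its assets, then more pages over 30 s.
for off, path in [(0, "/"), (1, "/app.js"), (2, "/style.css"), (3, "/logo.png"),
                  (10, "/docs"), (20, "/pricing"), (25, "/favicon.ico"), (30, "/login")]:
    SAMPLE_LOG.append(make_line("198.51.100.20", T0 + timedelta(seconds=off),
                                "GET", path, "Mozilla/5.0 (X11; Linux x86_64)"))

if __name__ == "__main__":
    for ip, info in flood_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Run against real logs, the threshold should be set from a baseline of the busiest legitimate client rather than guessed, and a source that trips it should be rate-limited or challenged rather than blocked outright, since a shared NAT address can look very similar to a single bot.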

Targeting Cloudflare, an industry-leading anti-DDoS solution, and OpenAI, a ‘hard target’ due to the large volumes of legitimate traffic it has to manage, may point to an increase in AS’s capabilities, thinks Tim West, head of threat intelligence at WithSecure.

“If this attack was a DDoS protection bypass, it demonstrates the ability to identify and exploit ‘chinks in the armor’ of an advanced DDoS protection service, which is over and above what we typically see with pro-Russian hacktivist groups,” West explained.

Moreover, the veneer of successful attacks against Cloudflare and OpenAI may catch the eyes of individuals willing to pay several hundred dollars for access to the botnets that AS advertises on its Telegram channel.

That’s bad news for the gang’s targets, as AS is highly unlikely to rent the infrastructure to ideological enemies, so paying customers will probably point it at the same kinds of victims, Craig Watt, a threat intelligence analyst at Quorum Cyber, thinks.

“Based on the fact that the emergence of SkyNet has coincided with the current kinetic warfare efforts in the Middle East, as long as these geopolitical tensions persist, Anonymous Sudan operations will almost certainly continue to increase in frequency and notoriety,” Watt said.

Same old story

However, not everyone is convinced that AS has upped its game. Even though the size of the botnets the hacktivists employ seems to be growing, AS’s tactics are hardly evolving.

According to Chris Conrad, senior threat intelligence analyst at NETSCOUT, the group’s modus operandi is consistent with AS’s usual tactics.

“It looks like they’re sticking to their familiar tools and DDoS methods, using the SkyNet/Godzilla botnet and the usual reflection/amplification services they’ve been relying on for ages,” Conrad told Cybernews.

The gang did expand its target list, focusing on several pro-Israel organizations. However, Conrad believes the latest attacks don’t point to any strategic shifts in AS’s operations.

“In my view, it’s the same old story. These attacks are standard and have been for a while now. Sure, the size of the botnets they use might fluctuate, getting bigger or smaller over time, but that’s just how these things go,” Conrad said.

One thing that AS and its evolutionary predecessor, Killnet, are extremely good at is public relations. While taking down the websites of popular services is more of a nuisance than a disruptive event, the gang’s choice of targets doesn’t allow the media cycle to forget about it.