Anonymous Sudan claims attacks on ChatGPT and Cloudflare.
N2K, Nov 13, 2023

DDoS, an easily mounted nuisance, remains the hacktivist auxiliaries' weapon of choice.

Bloomberg reports that Anonymous Sudan claimed responsibility for distributed denial-of-service (DDoS) attacks that intermittently interrupted OpenAI's ChatGPT last week. The Russian hacktivist auxiliary cited OpenAI's Israeli investments as justification for the operation, thus posing as a more-or-less Islamist group instead of the Kremlin front it is.

Anonymous Sudan's rationale (as it would have the world understand it).

Anonymous Sudan offered an explanation in its Telegram channel for the attack on OpenAI.

"Some reasons why we targeted OpenAI and ChatGPT :-

  • "OpenAI's cooperation with the occupation state of Israel and the CEO of OpenAI saying he's willing to invest into Israel more, and his several meetings with Israeli officials like Netanyahu, as Reuters reported.
  • "AI is now being used in the development of weapons and by intelligence agencies like Mossad, and Israel also employs AI to further oppress the Palestinians.
  • "OpenAI is an American company, and we still are targeting any American company.
  • "ChatGPT has a general bias towards Israel and against Palestine, as has been exposed on Twitter; in general there's a huge bias of the model towards some topics which has to be fixed"

The group also claimed responsibility for DDoS attacks against Cloudflare. CyberDaily quotes Anonymous Sudan's Telegram channel: “Cloudflare is strongly down by skynet / Godzilla-Botnet / AnonymousSudan.” Skynet is a DDoS-for-hire operation. Cloudflare quickly restored normal operations.

DDoS is popular among hacktivists and hacktivist auxiliaries.

Jeremy Ventura, director of security strategy & field CISO at API security company, ThreatX, commented on the recent prominence of distributed denial-of-service attacks. “In recent weeks, we have seen an uptick in observed DDoS attacks against organizations' applications and APIs, reaching unprecedented levels, such as 200-400 RPS (requests per second). This signals that the threat landscape and risk for organizations have reached a new era," he wrote. "Historically, we have seen nation-states and other hacking affiliates launch these types of attacks against enemies who are in opposition - referring to claims via Anonymous Sudan claiming the attack. It's also important to note this attack may have been timed with the recent launch of GPT-4 Turbo. This should be a sounding alarm for all organizations that DDoS attacks can immensely impact everyone and anyone. Organizations can recover within hours, if not days, from a DDoS attack with the right application and API protections and remediation plans in effect.”

Why AI services may be attractive to DDoS operators.

Rahul Pawar, Global Vice President, Security GTM & CTO, GSS at Commvault, sees this as another case of data being attractive to attackers. “While every company is being attacked, AI companies are treasure troves as they have access to a lot of valuable data," Pawar said. "The attack in this early stage of AI is aimed to tarnish the image of AI. DDoS has become more sophisticated and ironically uses AI to further sophisticate the botnet attack modules. Multiple layers, web application firewalls, load balancers, and identifying the attack traffic are key ways to stay ahead of this. Most of these techniques are already in use by public cloud companies, and ChatGPT will have to develop mitigation strategies. This will be one of many such attacks they will have to fend off.”

Heather Choi, Application Security Engineer at LogRhythm, argues that the attacks should motivate organizations to look to their defenses. “OpenAI has attributed the outage across its API and ChatGPT services to Distributed Denial of Service (DDoS) attacks. OpenAI’s periodic outages and abnormal traffic reflect the pattern that threat actors use to initiate attack floods. OpenAI addressed multiple outages this week alone with elevated Dall-E error rates Monday, partial ChatGPT outages Tuesday, and API outages on Wednesday," she wrote in emailed comments. “Anonymous Sudan, a Russian state-sponsored hacking group, claimed the attacks on Wednesday, confirming the use of the SkyNet botnet to support this Layer 7 DDoS attack. Since launching in January of 2023, Anonymous Sudan has claimed attacks across industries, targeting global organizations and agencies. Between January 1 and June 20, the threat actors accounted for 63% of DDoS attacks attributed to KillNet. For organizations to effectively defend themselves against these evolving DDoS attacks, it is imperative to take a proactive cybersecurity approach. This includes reducing attack surfaces, caching (such as the use of a CDN), incorporating Anycast routing, rate limiting, and real-time threat monitoring. Tools such as a Web Application Firewall (WAF) and leveraging a DDoS mitigation provider are among the most effective to safeguard against the growing sophistication of these DDoS attacks.”
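As an added illustration of the rate limiting and real-time monitoring Choi recommends against Layer 7 floods (example code written for this article, not from any of the vendors or organizations quoted), the following Python replays constructed access-log lines through a per-client sliding-window request budget and reports the sources that exceeded it. The log format, IP addresses, paths and the 20-requests-per-second threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (constructed) log line format: <client_ip> <ISO-8601 time> "<METHOD> <path>" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$')

def parse_line(line):
    """Return (ip, epoch_seconds, path), or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.fromisoformat(ts).timestamp(), path

class SlidingWindowLimiter:
    """Per-client budget of at most `limit` requests in any `window` seconds."""
    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps still inside the window

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: a real gateway would answer e.g. HTTP 429
        q.append(now)
        return True

def flood_sources(lines, limit, window=1.0):
    """Replay log lines (assumed chronological per client) through the limiter and
    return {client: rejected_requests} for every client that exceeded the budget."""
    limiter, rejected = SlidingWindowLimiter(limit, window), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, _path = rec
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    return dict(rejected)

# Constructed sample: two ordinary clients plus one client sending 30 POSTs in under a second.
SAMPLE_LOG = [
    '198.51.100.7 2023-11-08T10:00:00 "GET /api/models" 200',
    '192.0.2.44 2023-11-08T10:00:00.500 "POST /api/chat" 200',
] + [f'203.0.113.9 2023-11-08T10:00:00.{30 * i:03d} "POST /api/chat" 200' for i in range(30)]

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG, limit=20))  # {'203.0.113.9': 10}
```

In production the same per-client counters would live in the WAF or CDN edge Choi mentions, keyed on more than the source address (for example a token or API key), since a botnet spreads its requests across many sources.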

ColorTokens' Ran Shenhar described the implications of the personalized AI market. “OpenAI’s latest introduction of the personalized AI marketplace, while of course generally exciting and positive, also increases the likelihood of bad actors trying to create and publish malicious apps, that will be used as another attack vector to steal user online identities – we have seen that happen with other social sites, so we should anticipate the same with OpenAI and any other popular AI LLM. Combine that with ‘prompt hacking’ practices which manipulate the AI to deliver potentially harmful content (bypassing the AI internal content moderation), and the path to producing a polished, personalized attack is easier and faster for the attacker. The scalability of AI means that attackers can deploy these techniques on a much larger scale, targeting a wider array of potential victims simultaneously. It will be imperative for organizations to focus on user education and awareness to ensure that their employees are equipped to recognize and resist these increasingly convincing social engineering attacks.”

Motivation for an attack may be political or even emotional.

Carlos Morales, SVP of Solutions at Vercara, discussed the variety of motivations that can play into a cyberattack. “The recent reported DDoS attack on ChatGPT once again highlights the point that any organization, even if they don't lend themselves to clear financial motivation and don't have a pronounced political agenda, can find themselves in the cross-hairs of a politically or emotionally motivated DDoS attack. Companies can reduce risk and prevent downtime when an attack does happen by following best current practices including:

  • "Annual evaluation of current DDoS defense strategy and partners.
  • "Audit of DDoS processes, runbooks, and provisioning at minimum 2 times per year and every time that there is a major change in your infrastructure or application environment (new applications, acquisitions, move to the cloud, etc.).
  • "Testing your DDoS defenses at least 2 times per year.
  • "Evaluating internal and external communication strategies for DDoS attacks and including them in annual Business Continuity Planning tests.
  • "Keeping informed on current threat landscape”