LameDuck Exposed: The Rise and Fall of a Prolific DDoS Botnet
Recently, the U.S. Department of Justice charged two Sudanese citizens with orchestrating cyberattacks and announced measures to dismantle the group Anonymous Sudan, also known as LameDuck. According to Cloudflare, this group has launched thousands of DDoS attacks, disrupting numerous websites and services worldwide.
The LameDuck group, operating through its proprietary cloud network called “Skynet Botnet,” carried out over 35,000 DDoS attacks between January 2023 and March 2024. The hackers offered their services “on demand,” catering to over 100 clients. Beyond their political motivations, the attacks were also financially driven: the group demanded ransoms from victims in exchange for stopping the attacks.
Experts observed that LameDuck’s actions often coincided with political events and targeted prominent companies and government organizations. Sectors affected included transportation, telecommunications, banking, government agencies, and media outlets. Some of the most notable attacks were directed at Israeli, Swedish, and Ukrainian organizations.
Primarily, the group operated under anti-Western and pro-Islamic slogans, drawing attention to their activities on social media and offering their services to other hacktivists. The indictment confirmed that the leaders of the group are Sudanese nationals.
Cloudflare warns that LameDuck relied on rented cloud servers rather than a standard botnet of infected devices, which increased attack power and complicated tracking efforts. The use of proxy servers and third-party resources further helped the group mask its actions.
To defend against such threats, Cloudflare recommends that companies deploy continuous DDoS protection solutions, configure Web Application Firewalls (WAF), and rate-limit requests to their resources. These measures can help mitigate the impact of attacks and protect critical systems from overload.