LameDuck: A Threat Actor Mixing Politics and Profit with Over 35,000 DDoS Attacks
In a recent report, Cloudflare reveals details about the threat actor LameDuck (Anonymous Sudan), a pro-Islamic, anti-Western group responsible for over 35,000 DDoS attacks against targets worldwide. Active since January 2023, LameDuck has managed a large-scale DDoS operation known as the Skynet Botnet, targeting high-profile sectors and leveraging cloud infrastructure in ways that challenge conventional defenses.
The U.S. Department of Justice (DOJ) recently unsealed an indictment against two Sudanese brothers for orchestrating LameDuck’s operations. According to Cloudflare, this group is known for “launching thousands of DDoS attacks against a wide array of global targets across critical infrastructure,” such as hospitals, banks, and government agencies. Their tactics were not limited to politically motivated attacks; they also ran DDoS-for-hire services, allowing customers to conduct attacks for a fee.
Unlike traditional botnets, LameDuck’s Skynet Botnet is a Distributed Cloud Attack Tool (DCAT) designed to distribute attacks through a unique, multi-component system. As Cloudflare explains, Skynet consists of:
- “A command and control (C2) server
- Cloud-based servers that receive commands from the C2 server and forward them to open proxy resolvers
- Open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack traffic to LameDuck targets”
This setup allows LameDuck to amplify attack traffic while avoiding conventional botnet infrastructure, making it more challenging to trace.
LameDuck’s operations blend financial motives with political ideology, creating a complex narrative. While the group has publicly championed anti-Western and pro-Sudanese rhetoric, it has also targeted organizations for financial gain through DDoS extortion. In one instance, the group attacked Microsoft and demanded $1 million to halt operations, and in another, Scandinavian Airlines faced escalating ransom demands reaching $3 million. Cloudflare’s report suggests that LameDuck may be using ideological messaging to bolster its reputation while primarily focusing on profit.
LameDuck’s choice of targets reflects both political and strategic priorities, with attacks often aligned with high-impact events. For instance, they targeted Israeli organizations following the Hamas attacks in October 2023 and launched DDoS attacks on Swedish organizations, purportedly in response to Quran burnings. Additionally, LameDuck’s “attacks against Kenyan organizations could be explained by the increasingly tense relations between the Sudanese government and Kenya”.
The group’s attack methods reveal calculated tactics, such as launching attacks during high-demand periods for maximum disruption and targeting resource-intensive endpoints within infrastructures to increase the strain on systems. These strategies, including subdomain flooding and the “blitz approach,” make LameDuck’s campaigns particularly disruptive.
The revelation of LameDuck’s operations exposes vulnerabilities in modern cyber defenses, especially regarding DDoS protection. Cloudflare’s report highlights how the group’s use of cloud servers and open proxies for anonymity underscores the need for advanced detection techniques that can adapt to this decentralized approach.