CyberSecurity SEE

Skynet Botnet, Controlled by LameDuck, Initiates Over 35,000 DDoS Attacks

Researchers at Cloudflare’s Cloudforce One threat-intelligence team report that LameDuck’s Skynet Botnet was used to conduct more than 35,000 DDoS attacks against organizations worldwide. Attacks of this scale are a significant threat because they cause service outages and substantial financial losses for the victims.

The threat group known as “Anonymous Sudan” (tracked by Cloudflare as “LameDuck”) emerged in January 2023. It is operated by two Sudanese brothers and has carried out DDoS attacks against organizations worldwide, rendering their services unavailable to legitimate users.

LameDuck’s targeting has been diverse, spanning critical infrastructure on multiple continents, including airports, hospitals, telecommunications providers, and financial institutions. The group pursues a dual strategy, combining political hacktivism with profit-driven cybercrime.

A core part of LameDuck’s operation was a DDoS-for-hire service through which it sold attack capability to more than 100 customers worldwide. The group also ran ransom DDoS campaigns, demanding Bitcoin payments of between $3,500 and $3 million to stop an attack.

LameDuck gained notoriety by using social media to publicize its successful attacks against high-profile targets and by collaborating with other hacktivist groups such as ‘Killnet’ and ‘Turk Hack Team’. It took part in coordinated campaigns such as “#OpIsrael” and “#OPAustralia”, combining technical attack operations with social-engineering and propaganda tactics.

The group executed its more than 35,000 DDoS attacks with its custom Distributed Cloud Attack Tool (DCAT), employing Layer 7 (application-layer) attacks such as HTTP GET floods, TCP-based direct-path attacks, UDP reflection vectors, and simultaneous floods against multiple subdomains of the same target. It routed attack traffic through both free and paid proxy services to hide its origin, and timed attacks for peak usage periods to maximize disruption.

LameDuck’s method is to flood a victim’s web infrastructure with massive volumes of traffic; what sets the group apart from typical hacktivist groups is its combination of technical capability, strategic planning, and psychological pressure on the victim through public claims and ransom demands.

To defend against such attacks, organizations should enable always-on DDoS mitigation covering both network-layer and application-layer traffic, deploy a WAF to block malicious HTTP requests, apply rate limits to control the volume of requests per client, serve cacheable content from a CDN so that floods do not reach origin servers, and establish incident response procedures and log analysis so that attacks are detected and handled quickly.
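The log-analysis and rate-limiting advice above, and the HTTP GET floods and proxy-distributed attacks described earlier, can be illustrated with a small detector run over access-log lines. The script below is an added example written for this article; it is not Cloudflare’s code or the attackers’ tooling. The log lines are constructed, the log format (combined format with the requested host appended), the thresholds and the hostnames under example.test are assumptions. It shows why a per-client rate limit alone is not enough: a flood spread over many proxies stays under the per-IP limit but is still visible as an aggregate spike against one host.

```python
"""Added example: detect HTTP GET floods in access-log lines.

Illustrative code written for this article, not Cloudflare's or LameDuck's
tooling. The log format, thresholds and hostnames are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with the Host header appended as a final quoted field
# (e.g. nginx "$host"); the exact format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_rate(times, window_s):
    """Largest number of events falling inside any sliding window of window_s seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_floods(lines, per_ip_limit=5, per_host_limit=10, window_s=1):
    """Return (noisy_ips, flooded_hosts) for the given log lines.

    noisy_ips:     {ip: peak GETs/window} for sources exceeding per_ip_limit.
    flooded_hosts: {host: peak GETs/window} for hosts whose aggregate GET
                   rate exceeds per_host_limit, even if no single source
                   trips the per-IP limit (a proxy-distributed flood).
    """
    by_ip = defaultdict(list)
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # ignore unparsable lines and non-GET traffic
        t = rec["ts"].timestamp()
        by_ip[rec["ip"]].append(t)
        by_host[rec["host"]].append(t)

    noisy_ips = {ip: n for ip, ts in by_ip.items()
                 if (n := peak_rate(ts, window_s)) > per_ip_limit}
    flooded_hosts = {h: n for h, ts in by_host.items()
                     if (n := peak_rate(ts, window_s)) > per_host_limit}
    return noisy_ips, flooded_hosts


def _line(ip, ts, host, method="GET", path="/"):
    """Build one constructed log line in the assumed format."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "{host}"'


# Constructed sample: benign traffic, one loud single-source flood against
# shop.example.test, and a flood against api.example.test spread over
# twelve source addresses that each send only one request.
SAMPLE_LOG = (
    [_line("192.0.2.1", "12/Nov/2024:12:00:00 +0000", "www.example.test"),
     _line("192.0.2.1", "12/Nov/2024:12:00:03 +0000", "www.example.test",
           "POST", "/login")]
    + [_line("203.0.113.7", "12/Nov/2024:12:00:01 +0000", "shop.example.test",
             path=f"/?q={i}") for i in range(8)]
    + [_line(f"198.51.100.{i}", "12/Nov/2024:12:00:05 +0000", "api.example.test",
             path="/v1/items") for i in range(1, 13)]
)

if __name__ == "__main__":
    noisy, flooded = detect_floods(SAMPLE_LOG)
    print("per-IP floods:", noisy)                 # {'203.0.113.7': 8}
    print("distributed floods by host:", flooded)  # {'api.example.test': 12}
```

The single-source flood is caught by the per-IP check, while the flood against api.example.test is invisible to it (every source sends one request) and only shows up in the per-host aggregate. In production the per-IP result would feed a rate limiter or WAF rule and the per-host result would trigger DDoS mitigation or alerting; the thresholds here are deliberately low so the sample data demonstrates both cases.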

Overall, the activities of LameDuck’s Skynet Botnet highlight the growing threat posed by well-resourced, financially motivated DDoS actors and the importance of robust, always-on mitigation to protect organizations from such attacks.
