The social media platform X experienced sporadic outages on Monday, a situation that its owner Elon Musk attributed to a “massive cyberattack.” In an initial post on X, Musk claimed that the attack was carried out by “either a large, coordinated group and/or a nation-state.” Shortly thereafter, a pro-Palestinian group called Dark Storm Team took responsibility for the attacks in a Telegram post. However, later that day, Musk stated in an interview with Fox Business Network that the attacks originated from Ukrainian IP addresses.
Experts in web traffic analysis who observed the incident on Monday were quick to point out that X appeared to be facing distributed denial-of-service (DDoS) attacks. In such attacks, a network of compromised computers or devices under one operator's control, known as a “botnet,” floods a target with more traffic or requests than its systems can absorb. Botnets are typically spread around the globe, so their traffic arrives from IP addresses in many countries, and they often include mechanisms to obscure where they are actually controlled from.
“It’s crucial to understand that IP attribution alone is not definitive. Attackers often use compromised devices, VPNs, or proxy networks to mask their actual origin,” explained Shawn Edwards, chief security officer at the connectivity firm Zayo.
X did not respond to WIRED’s requests for comments regarding the attacks.
Multiple researchers informed WIRED that they identified five separate attacks of varying durations against X’s infrastructure, with the first starting early Monday morning and a final surge taking place in the afternoon.
The internet intelligence team at Cisco’s ThousandEyes provided WIRED with a statement, noting, “During the disruptions, ThousandEyes detected network conditions typical of a DDoS attack, including notable traffic loss issues that impeded users from accessing the application.”
DDoS attacks are commonplace, and virtually every modern online service absorbs them regularly, so standing defenses are a baseline requirement. As Musk himself remarked on Monday, “We get attacked every day.” So why did these DDoS attacks take X offline? Musk suggested it was because “a lot of resources” were involved, but independent security researcher Kevin Beaumont and others pointed to evidence that some of X’s origin servers, the machines that actually answer web requests behind the company’s Cloudflare DDoS protection, were not adequately shielded by it and were reachable directly from the internet. The attackers could therefore send their traffic straight to those servers instead of through Cloudflare’s filtering. X has since fortified these servers.
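The exposure Beaumont describes is a policy failure at the origin: a server that is supposed to be reachable only through a proxy will answer anyone who learns its address. The usual fix is an allowlist that lets only the proxy's published egress ranges reach the web ports. The following added example (not X's or Cloudflare's code) models that decision and renders it as an nftables ruleset. The prefixes listed are a subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/ and are included for illustration only; a real deployment must load the current IPv4 and IPv6 lists from that page. The connection attempts are constructed sample data using documentation address blocks.

```python
"""Allowlist a proxied origin so that only proxy egress ranges reach it.

Added example, not code from X or Cloudflare. The prefix list below is a
partial, illustrative copy of Cloudflare's published IPv4 ranges; fetch the
live list (IPv4 and IPv6) from https://www.cloudflare.com/ips/ in production.
"""
import ipaddress

CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if the source address falls inside one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def origin_policy(ip: str, port: int) -> str:
    """Return 'accept' or 'drop' for an inbound connection to the origin.

    Only the web ports are exposed at all, and only to the proxy: a request
    that bypasses the proxy never gets to load the origin, which is exactly
    what the unshielded X origins allowed.
    """
    if port not in (80, 443):
        return "drop"
    return "accept" if is_cloudflare(ip) else "drop"


def nftables_rules(prefixes=CLOUDFLARE_PREFIXES) -> str:
    """Render the same policy as an nftables ruleset (IPv4 only here)."""
    joined = ", ".join(str(p) for p in prefixes)
    return "\n".join([
        "table inet origin_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr {{ {joined} }} tcp dport {{ 80, 443 }} accept",
        "  }",
        "}",
    ])


# Constructed sample of connection attempts an origin might see during an
# attack. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# blocks standing in for botnet members; they are not real attack sources.
SAMPLE = [
    ("104.16.1.10", 443),     # proxy edge forwarding a legitimate request
    ("172.64.9.200", 80),     # another proxy edge
    ("203.0.113.7", 443),     # camera/DVR-style bot hitting the origin directly
    ("198.51.100.23", 443),   # same, different bot
    ("192.0.2.55", 22),       # management port probed directly
]


def summarize(attempts=SAMPLE) -> dict:
    """Count how many sample attempts the policy accepts and drops."""
    out = {"accept": 0, "drop": 0}
    for ip, port in attempts:
        out[origin_policy(ip, port)] += 1
    return out


if __name__ == "__main__":
    for ip, port in SAMPLE:
        print(f"{ip:>15}:{port:<4} -> {origin_policy(ip, port)}")
    print(summarize())
    print(nftables_rules())
```

Two caveats a practitioner would add. First, the ruleset above covers only IPv4; an origin with an IPv6 address needs the matching `ip6 saddr` rule, or the bypass simply moves to IPv6. Second, filtering at the origin still costs bandwidth on the origin's uplink, so the allowlist is the second line of defence; the first is never letting the origin's address become discoverable in the first place.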
“The botnet was specifically targeting the IP and several others on that X subnet yesterday. It’s a botnet composed of cameras and DVRs,” Beaumont stated.
A few hours after the last attack ceased, Musk mentioned in an interview with Fox Business host Larry Kudlow, “We’re not exactly sure what happened, but there was a massive cyberattack aimed at bringing down the X system using IP addresses coming from the Ukraine region.”
Musk has previously ridiculed Ukraine and its president, Volodymyr Zelensky, several times since Russia’s invasion of its neighbor in February 2022. A significant donor to President Donald Trump, Musk now leads the so-called Department of Government Efficiency, or DOGE, which has significantly downsized the US federal government and workforce in recent weeks. Meanwhile, the Trump administration has recently improved relations with Russia and shifted US support away from Ukraine. Musk’s involvement in these geopolitical dynamics also extends to his other company, SpaceX, which provides the satellite internet service Starlink relied upon by many Ukrainians.
DDoS traffic analysis can dissect the stream of junk traffic in various ways, including identifying the countries with the most IP addresses involved in an attack. One researcher from a well-known firm, who wished to remain anonymous due to restrictions on speaking about X, noted that Ukraine did not even appear in the breakdown of the top 20 IP address origins associated with X’s attacks.
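To make concrete what a country breakdown does and does not show, here is an added example (not code from the researchers quoted or from WIRED) that ranks attack sources by registered country in two ways: by the number of distinct IP addresses and by packet volume. Both the geolocation table and the flow records are constructed from documentation address blocks, so the country codes attached to them are arbitrary labels, not findings about the X attacks.

```python
"""Rank DDoS sources by country two ways: distinct IPs and packet volume.

Added example. GEO_TABLE stands in for a GeoIP database and FLOWS for
exported flow records; both are constructed and use documentation prefixes,
so the country codes carry no information about any real attack.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> country table (longest prefix wins, as in a real GeoIP lookup).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
    (ipaddress.ip_network("203.0.113.128/25"), "VN"),   # more specific than the /24
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.64/26"), "ID"),
]


def country_of(ip: str) -> str:
    """Longest-prefix match against GEO_TABLE; '??' when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


# Constructed flow records: (source ip, packets). Many low-volume sources in
# two blocks, two high-volume sources in a third, one stray, and one source
# that appears twice so that per-IP deduplication is exercised.
FLOWS = (
    [(f"203.0.113.{i}", 100) for i in range(1, 9)]
    + [(f"203.0.113.{i}", 100) for i in range(129, 135)]
    + [("198.51.100.10", 5000), ("198.51.100.11", 5000)]
    + [("192.0.2.70", 50), ("203.0.113.1", 100)]
)


def breakdown(flows=FLOWS):
    """Return (ranking by distinct IPs, ranking by packets), each a list of (cc, n)."""
    ips_by_cc = defaultdict(set)
    pkts_by_cc = Counter()
    for ip, pkts in flows:
        cc = country_of(ip)
        ips_by_cc[cc].add(ip)
        pkts_by_cc[cc] += pkts
    by_ips = sorted(((cc, len(s)) for cc, s in ips_by_cc.items()),
                    key=lambda t: (-t[1], t[0]))
    by_pkts = sorted(pkts_by_cc.items(), key=lambda t: (-t[1], t[0]))
    return by_ips, by_pkts


def top_countries(n: int, flows=FLOWS) -> list:
    """The 'top N origins' list as it would appear in a report: by distinct IPs."""
    return [cc for cc, _ in breakdown(flows)[0][:n]]


if __name__ == "__main__":
    by_ips, by_pkts = breakdown()
    print("by distinct IPs:", by_ips)
    print("by packets:     ", by_pkts)
    print("top 2 origins:  ", top_countries(2))
```

On this constructed input the two rankings disagree: the country with the most participating addresses contributes a small share of the packets, while two addresses elsewhere dominate the volume. Either list is a statement about where the address blocks are registered, which is the composition of the botnet or proxy infrastructure the quoted experts refer to, not about who is directing it. A compromised camera counts toward its owner's country, and a VPN or proxy exit counts toward the provider's.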
If Ukrainian IP addresses did play a role in the attacks, experts assert that this fact alone is not particularly significant.
“What we can derive from the IP data is the geographic distribution of traffic sources, which may provide insights into the composition of the botnet or the infrastructure used,” explains Zayo’s Edwards. “However, we cannot definitively conclude the actual identity or intent of the perpetrator.”
Additional reporting by Zoë Schiffer.