48 hours on: New insights emerge on cyberattack that disrupted X
Attribution of attack to Ukraine likely to be false
Two days after the major cyberattack that caused significant outages for social media platform X, more details are emerging.
The attack, which left tens of thousands of users unable to access the platform on Monday, is believed to have been a DDoS assault. Multiple waves of disruption were reported, with users across the globe affected, according to DownDetector, a service that tracks real-time internet outages.
Elon Musk, owner of X, initially attributed the widespread disruptions to what he called a “massive cyberattack” involving substantial resources. “We get attacked every day, but this was done with a lot of resources,” Musk said, hinting that either a large, coordinated group or a nation-state may have been involved. He suggested that the attack's origin appeared to be linked to the Ukraine region.
However, new information has since surfaced, challenging the initial claims. While Musk's statement regarding the involvement of Ukraine was widely circulated, sources in the internet infrastructure industry have disputed this. According to a report from Reuters, traffic from Ukraine was minimal during the attack, and the majority of the traffic came from IP addresses in the United States, Vietnam, and Brazil.
Compromising devices worldwide
DDoS attacks are typically launched by compromising devices worldwide and directing them to flood a target system with excessive traffic, overwhelming its resources and causing outages. The geographical location of the traffic sources does not necessarily indicate the attacker’s location.
Cybersecurity experts have pointed to the increasingly sophisticated nature of DDoS attacks, where even a relatively small number of bots can have a devastating impact. In late 2024, Cloudflare observed a record-breaking 5.6 Tbps DDoS attack that was traced to just 13,000 unique IP addresses.
One group, the Dark Storm Team, has taken credit for the attack on X. The group describes itself as a pro-Palestinian hacktivist group, and its activities reportedly link back to Russia. Orange Cyberdefense, a cybersecurity firm, notes that the group has been active since September 2023, with previous attacks ranging from ransomware to data theft and DDoS, sometimes driven by financial motivations and at other times by ideological aims.
However, there are competing claims of responsibility. Other hacktivist groups, including factions of Anonymous, have also stated that they were behind the disruption.
Furthering agendas
The lines between hacktivism, state-sponsored cyberattacks, and cybercrime operations are increasingly blurred, with governments and cybercriminals using hacktivist personas to further their agendas. This complexity adds another layer of difficulty in attributing blame.
This is not the first time X has been hit by a disruptive DDoS attack. In the past, the platform has been targeted by Anonymous Sudan, a group recently charged in the United States for developing and offering DDoS attack services.
As investigations into the attack continue, the true origins and motivations behind the disruption remain unclear.