A cyberattack that brought down Elon Musk’s X targeted servers that had been insufficiently protected from malicious traffic, according to cybersecurity analysts.
Users of the social media platform faced intermittent outages throughout Monday, which Musk blamed on a “massive, coordinated group” or nation waging a “large cyberattack”. He didn’t provide any additional specifics to support his claim.
Jérôme Meyer, security researcher with Nokia Deepfield, a business unit within Nokia, said X had been targeted in a distributed denial-of-service attack, or DDoS, which floods a website with traffic and forces it offline. Meyer said he was able to observe the attack by reviewing data collected by Nokia’s Deepfield, which is deployed inside telecommunications companies and provides analytics and DDoS protection.
The waves of traffic targeted particular “origin servers”, which process and respond to incoming web requests, he said. These servers were vulnerable to attack because it appears they weren’t shielded behind technology that blocks DDoS attacks, Meyer said. They “shouldn’t be exposed on the internet”, said Meyer, who added that one of the servers attacked on Monday was still isolated and vulnerable to attack on Tuesday morning.
A representative for X didn’t immediately respond to a request for comment. A pro-Palestinian “hacktivist” group called Dark Storm Team took responsibility for the attack without providing any evidence.
‘Unlocked’
Ciaran Martin, former head of the UK’s National Cyber Security Centre, said in a BBC radio interview on Tuesday that it “appears like X didn’t implement Cloudflare correctly”, referring to the company that provides DDoS protection services. Martin also said that X had “left a few of its servers in front of rather than behind” Cloudflare’s protection. “It’s a bit like having 4 doorways, placing state-of-the-art locks on three of them, and leaving one unlocked,” he said. Martin didn’t respond to a request for further comment.
A representative for Cloudflare didn’t immediately respond to a request for comment.
David Mound, senior penetration tester at cybersecurity firm SecurityScorecard, said most large websites have robust protections against such attacks, including web application firewalls and other security technologies that protect their origin servers from being directly accessed via the internet.
“If X’s origin servers were exposed or lacked satisfactory filtering, that would be a basic security oversight,” he said. Protecting origin servers is a well-established best practice for any large-scale web service, Mound said.

Musk suggested in a Fox Business interview on Monday that his company had traced IP addresses to the “Ukraine area”. However, cybersecurity experts have cast doubt on that claim.
The majority of the devices used to flood X with traffic were located in the US, Mexico, Spain, Italy and Brazil, according to Nokia’s Meyer. These devices were likely under the control of an attacker who could have been located in another country, hiding behind multiple layers of obfuscation to conceal their true identity, he said.
Jason Kikta, a former official with US Cyber Command, said hackers faking the location of web traffic in attacks that overwhelm servers is “trivial and routine”.
“The IP addresses a victim sees in a DDoS attack is about as significant as describing what sort of ski mask a bank robber was wearing,” said Kikta, now chief information security officer at IT automation firm Automox. “It’s a place to begin, but not terribly helpful.”
Meyer said the attack was linked to a botnet – computers infected by malicious software and under the control of a hacker – that included between 10 000 and 20 000 IP addresses. These were associated with security cameras and network video recorders, which were likely compromised by malicious software, he said.
Halving
Many of the devices used in the attack on X were linked to a botnet known as “Eleven11bot”, which has previously carried out denial-of-service attacks against communications service providers and gaming hosting infrastructure, said Meyer, who has been monitoring the botnet for several weeks.
Following Musk’s acquisition of Twitter in 2022, which he later rebranded as X, more than 100 people working on security and privacy teams left the company, halving the number of personnel who were responsible for protecting its infrastructure from cyberattacks and data breaches. — Ryan Gallagher, with Jordan Robertson and Jake Bleiberg, (c) 2025 Bloomberg LP