
How DDoS attackers took down Elon Musk’s X

by Neo Africa News


A cyberattack that brought down Elon Musk’s X targeted servers that were insufficiently shielded from malicious traffic, according to cybersecurity analysts.

Users of the social media platform faced intermittent outages throughout Monday, which Musk blamed on a “massive, coordinated group” or nation waging a “large cyberattack”. He didn’t provide any additional specifics to bolster his claim.

Jérôme Meyer, security researcher with Nokia Deepfield, a business unit within Nokia, said X had been targeted in a distributed denial-of-service attack, or DDoS, which floods a website with traffic and forces it offline. Meyer said he was able to observe the attack by reviewing data collected through Nokia’s Deepfield, which is deployed within telecommunications companies and provides analytics and DDoS protection.

The waves of traffic targeted particular “origin servers”, which process and respond to incoming web requests, he said. These servers were vulnerable to attack because it appears they weren’t shielded behind technology that blocks DDoS attacks, Meyer said. They “shouldn’t be exposed on the web”, said Meyer, who added that one of the servers attacked on Monday was still isolated and vulnerable to attack on Tuesday morning.

A representative for X didn’t immediately respond to a request for comment. A pro-Palestinian “hacktivist” group called Dark Storm Team took responsibility for the attack without providing any evidence.

‘Unlocked’

Ciaran Martin, former head of the UK’s National Cyber Security Centre, said in a BBC radio interview on Tuesday that it “seems like X didn’t implement Cloudflare correctly”, referring to the company that offers DDoS protection services. Martin also said that X had “left a few of its servers in front of rather than behind” Cloudflare’s protection. “It’s a bit like having four doors, putting state-of-the-art locks on three of them, and leaving one unlocked,” he said. Martin didn’t respond to a request for further comment.

A representative for Cloudflare didn’t immediately respond to a request for comment.


David Mound, senior penetration tester at cybersecurity firm SecurityScorecard, said most large websites have strong protections against such attacks, including web application firewalls and other security technologies that protect their origin servers from being directly accessed via the internet.

“If X’s origin servers were exposed or lacked enough filtering, that may be a basic security oversight,” he said. Protecting origin servers is a well-established best practice for any large-scale web service, Mound said.


Musk suggested in a Fox Business interview on Monday that his company had traced IP addresses to the “Ukraine area”. However, cybersecurity experts have cast doubt on that claim.

The majority of the devices used to flood X with traffic were located in the US, Mexico, Spain, Italy and Brazil, according to Nokia’s Meyer. These devices were likely under the control of an attacker who might have been located overseas, hiding behind multiple layers of obfuscation to conceal their true identity, he said.

Jason Kikta, a former official with US Cyber Command, said hackers faking the location of web traffic in attacks that overwhelm servers is “trivial and routine”.

“The IP addresses a victim sees in a DDoS attack is about as meaningful as describing what kind of ski mask a bank robber was wearing,” said Kikta, now chief information security officer at IT automation firm Automox. “It’s a starting point, but not terribly useful.”

Meyer said the attack was linked to a botnet – computers infected by malicious software and under the control of a hacker – that included between 10 000 and 20 000 IP addresses. These were associated with security cameras and network video recorders, which were likely compromised by malicious software, he said.

Halving

Many of the devices used in the attack on X were linked to a botnet known as “Eleven11bot”, which has previously carried out denial-of-service attacks against communications service providers and gaming hosting infrastructure, said Meyer, who has been tracking the botnet for several weeks.


Following Musk’s acquisition of Twitter in 2022, which he later rebranded as X, more than 100 people working on security and privacy teams left the company, halving the number of personnel who were responsible for protecting its infrastructure from cyberattacks and data breaches.  — Ryan Gallagher, with Jordan Robertson and Jake Bleiberg, (c) 2025 Bloomberg LP
