Iran’s 313 Team DDoS Attack Knocks Ubuntu and Canonical Services Offline

Ubuntu’s public-facing infrastructure and the services run by Canonical were knocked offline after a distributed denial-of-service (DDoS) attack that began on Thursday and continued for more than a day, disrupting users’ ability to access websites and download OS updates.

“Servers operated by Ubuntu and its parent company Canonical were knocked offline on Thursday morning and have remained down ever since, a situation that’s preventing the OS provider from communicating normally following the botched disclosure of a major vulnerability”

Ars Technica

Ars Technica reported that “Attempts to connect to most Ubuntu and Canonical webpages and download OS updates from Ubuntu servers have consistently failed over the past 24 hours,” while “Updates from mirror sites, however, have continued to work normally.”

Ars Technica

TechCrunch similarly said the attack began on Thursday and “affected services that Ubuntu users rely on,” adding that “TechCrunch verified that updates failed to install on a test device running Ubuntu.”

Canonical’s status page described the situation as “Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it.”

PCMag said the DDoS “appears to have shut down access to Canonical’s main site and the Ubuntu.com domain,” though it noted that “PCMag was able to load some related pages.”

Multiple outlets tied the disruption to the inability to reach security and management endpoints, with SC Media stating the attack “has rendered Ubuntu's security API and several official websites inaccessible, preventing users from performing essential system updates and installations.”

The DDoS was claimed by a hacktivist group identifying itself as “The Islamic Cyber Resistance in Iraq 313 Team,” also referred to as “313 Team” or “The Islamic Cyber Resistance in Iraq – 313 Team.”

SC Media said “Hacktivists identifying as The Islamic Cyber Resistance in Iraq 313 Team have claimed responsibility for the ongoing DDoS attack,” and it added that the group was “reportedly utilizing a DDoS-for-hire service named Beamed.”

Cybersecurity Insiders

TechCrunch likewise reported that “The hackers claimed to be using Beamed, a DDoS-for-hire service,” describing booter or stresser services as allowing “anyone to pay to launch DDoS attacks, even if they have no technical skills nor the necessary infrastructure.”

Ars Technica described the group as “a group sympathetic to the Iranian government,” saying it “has taken credit for the outage” and that it used “Beam” to test server load while acting as a front for paid services.

PCMag said the group “has “The attack on all Ubuntu servers remains ongoing,” the group wrote on the chat app Telegram,” and it also reported that the group floated an extortion demand.

The Register described the same group as “The Islamic Cyber Resistance in Iraq, aka 313 Team,” saying it claimed responsibility for “the 503 errors Ubuntu's website was returning on Thursday evening.”

Several outlets reported that the attack was paired with extortion messaging directed at Canonical, including demands delivered through messaging channels.

“Canonical, the company behind the Ubuntu Linux distribution, is currently experiencing widespread service disruptions across its core web infrastructure following a coordinated DistributedDenial-of-Service (DDoS) attack”

CyberSecurityNews

PCMag said the group “has “The attack on all Ubuntu servers remains ongoing,” the group wrote on the chat app Telegram, while issuing an extortion demand,” and it added that the group asked for a ceasefire.

The Register quoted a follow-up message sent to its Telegram group, writing: “There is a simple way out. We have emailed you with our Session Contact ID. If you fail to reach out, we will continue our assault. You are in an awful position, don't be foolish.”

eSecurity Planet said “A direct extortion message sent to the Ubuntu team by the hacktivist group ‘The Islamic Cyber Resistance in Iraq – 313 Tea,’ has been detected,” attributing the detection to “VECERT Analyzer in their X post.”

SQ Magazine reported that “VECERT” reported a “Session-channel extortion demand,” and that “The 313 Team… is an Iran-aligned hacktivist group with assessed ties to Iran’s Ministry of Intelligence and Security (MOIS).”

The Register also said the group “sent a follow-up message to its Telegram group, directed at Canonical,” and it described the shift as “veering away from hacktivism and toward full-on extortion.”

Outlets described a split between Canonical’s web infrastructure and other Ubuntu distribution components, with some services remaining reachable through mirrors and some repositories continuing to function.

Ars Technica said “Attempts to connect to most Ubuntu and Canonical webpages and download OS updates from Ubuntu servers have consistently failed over the past 24 hours,” but it also stated that “Updates from mirror sites, however, have continued to work normally.”

SQ Magazine

SQ Magazine reported that “Ubuntu APT repositories stayed operational because they are distributed across multiple locations, and OS ISO downloads remained available via mirrored repositories,” while also listing affected services including “the Ubuntu main website and associated domains (lists.ubuntu.com, security.ubuntu.com, login.ubuntu.com), the Snap store and Snapcraft website, Launchpad and maas.io, Canonical’s portal and contracts subdomains, and Livepatch API and Landscape services.”

The Register said the disruption meant “users cannot download any versions of its distros through the usual channels, nor can they log into their Canonical accounts,” and it noted that “some, including its Archive and Discourse pages, remain up and running.”

CyberSecurityNews said “Canonical’s official status page” reported “more than a dozen services and domains have been reported as Down,” and it highlighted “The disruption of Ubuntu Security API – CVEs and Ubuntu Security API – Notices.”

SC Media said the attack “has affected various Ubuntu and Canonical websites, as well as the ability for users to update and install the operating system,” and it added that “The attack has rendered Ubuntu's security API and several official websites inaccessible.”

The reported scale of the DDoS and the timing of the disruption were central to how outlets characterized the incident’s operational impact.

“PCMag editors select and review products independently”

PCMag

SC Media said the hacktivists were “reportedly utilizing a DDoS-for-hire service named Beamed” and that the service “allegedly offers attack capabilities exceeding 3.5 terabits per second.”

TechCrunch

TechCrunch similarly stated that “The DDoS-for-hire service in this case claims to power attacks in excess of 3.5 Tbps,” and it described the booter ecosystem as enabling attacks without technical skills.

The Register said the attack was scheduled to persist for “four hours” and that “More than 12 hours later, the attack continues to disrupt Ubuntu's main website and many of its subdomains,” while The Stack reported that Canonical’s pages were unavailable “for over 14 hours.”

eSecurity Planet said the disruption affected “Key resources, including the Ubuntu Security API for CVEs and security notices — commonly used for automated patching — were temporarily unavailable,” and it warned that organizations relying on Ubuntu’s security feeds faced “delayed patch deployment” and “interruptions to automated remediation processes.”

Across the coverage, Canonical’s response remained limited to its status-page language, with Ars Technica noting that “Other than that, Ubuntu and Canonical officials have maintained radio silence since the outage began.”