Starting at 1 PM EST on April 30, 2026, Ubuntu's infrastructure began falling over. Users trying to reach ubuntu.com were getting 503 errors. By the time the picture came into focus, it was clear this wasn't an outage in the ordinary sense but a deliberate, large-scale attack, and the group behind it wasn't done talking. Even now, more than 12 hours later, it's down. Country archive mirrors and archive.ubuntu.com seem to be working as of now, along with documentation.ubuntu.com. The default repo URLs are not working.
The attackers identified themselves as the Islamic Cyber Resistance in Iraq – 313 Team. They claimed responsibility for the assault and then, in a move that escalated things considerably, sent a direct message to Canonical: open a negotiation channel or the attack continues. They provided a Session contact ID and made clear they wanted a response. What they were after beyond that hasn't been publicly specified, but the implication was plain enough: this was extortion.
That's the part security researchers found notable: not just the volume of traffic being thrown at Canonical's servers, but the shift from disruption to demand. A DDoS that hits a website homepage is annoying and embarrassing. A DDoS that specifically targets your security update infrastructure, and then comes with conditions attached, is a different kind of problem.
What's Actually Offline
The main ubuntu.com domain is affected, which is the visible, obvious part. But the more serious damage is to the security API and the CVE repositories, the systems that Ubuntu-based machines use to check what vulnerabilities need to be patched and to pull those patches down.
For most individual users running Ubuntu on a personal machine, this is mildly concerning but manageable. You sit on your current patch level, you wait, you avoid pulling in new software from dubious sources in the meantime. Not ideal, but survivable.
For enterprises running large fleets of Ubuntu servers (and there are a lot of them), the picture is more complicated. Automated patch management pipelines are broken. Scripts that should be checking for CVE updates are returning errors or nothing at all. Security teams that operate on the assumption that their systems are continuously pulling current vulnerability data are now operating on stale information, and they may not immediately know how stale.
The concern raised by threat intelligence analysts is that other actors – ones with no connection to the 313 Team – might look at this window and try to exploit it. Known vulnerabilities that would normally get patched within hours of disclosure are sitting unpatched on machines that simply cannot reach the relevant repositories. It's a gap, and gaps don't stay unnoticed for long.
Who Is the 313 Team
The 313 Team has shown up in hacktivist contexts before, usually associated with pro-resistance political positions and targeted disruptions rather than financially motivated attacks. But what's described here, with the Beamed Network providing backend infrastructure, isn't the profile of a small group running off commodity tools. The scale and the apparent technical organization behind it suggest either that the group has grown its capabilities considerably, that it has backing it didn't previously have, or both.
That said, there's still a lot that isn't known. The exact volume of traffic, how Canonical's mitigation efforts are going, whether any communication has actually taken place between Canonical and the attackers, none of that has been confirmed. Canonical has not issued a detailed public statement. An Estimated Time of Recovery hasn't been given. The status page is the most current source most users have, and it's been grim reading.
The Extortion Angle
This is the piece worth sitting with. DDoS attacks against major infrastructure targets aren't new. What's less common is the explicit demand attached – the attackers effectively saying: find us, talk to us, or this keeps going. That's a negotiating posture, not just a protest.
Whether Canonical engages with that posture, and what either outcome looks like, is genuinely unclear. Negotiating with groups like this sets a precedent security professionals universally hate. Not negotiating means the attack continues, with real consequences for the millions of users who depend on Ubuntu's update infrastructure. There's no clean path here.
Security researchers tracking this have noted that the specific targeting of patch mechanisms rather than just public-facing websites shows a degree of strategic thinking. You go after the homepage, you get headlines for a day. You go after the security update pipeline, you create compounding problems – every hour that passes is another hour that newly disclosed vulnerabilities can't be addressed by automated systems. The damage stretches forward in time even after the attack ends, because systems that should have been patched during the outage window remain unpatched until someone manually intervenes.
What Ubuntu Users Should Do Right Now
There's no emergency for most people. Your system hasn't been breached. No user data appears to have been exposed. Current reporting suggests this is purely an availability attack, not a breach of Canonical's systems or user accounts.
What you can't do right now is receive new security updates via normal automated means. That's the practical problem to manage. Keep your system on its current patch level. Don't go installing software from unverified sources. If you're on a public or unsecured network, be more cautious than usual. If you're running a production environment, check whether your patch management tooling is logging errors and make sure your security team knows the repositories are currently unreachable.
Once the infrastructure comes back, there's likely to be a backlog of patches that need applying. Prioritize that. Don't assume your system is current just because you ran your usual update process – if those runs happened during the outage window, they may have silently failed.
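A defensive check for the silent-failure case described above, as an added example that is not part of the original article: by default `apt-get update` can exit 0 while a repository was unreachable, so this scans captured output for runs that reported success but failed to refresh an index. The `=== run ... ===` wrapper header, the sample log and the 192.0.2.x addresses are constructed for illustration; the outage start is the article's 1 PM EST on April 30, 2026.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Outage start as reported in the article: 1 PM EST on April 30, 2026 (18:00 UTC).
OUTAGE_START = datetime(2026, 4, 30, 18, 0, tzinfo=timezone.utc)

# Constructed sample. The "=== run ... ===" header comes from a hypothetical cron
# wrapper; the lines under it mimic captured `apt-get update` output.
SAMPLE_LOG = """\
=== run 2026-04-30T06:25:01+00:00 exit=0 ===
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
=== run 2026-05-01T06:25:02+00:00 exit=0 ===
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Err:2 http://security.ubuntu.com/ubuntu noble-security InRelease
  503  Service Unavailable [IP: 192.0.2.10 80]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease  503  Service Unavailable [IP: 192.0.2.10 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
=== run 2026-05-02T06:25:01+00:00 exit=100 ===
Err:1 http://archive.ubuntu.com/ubuntu noble InRelease
  503  Service Unavailable [IP: 192.0.2.11 80]
E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble/InRelease  503  Service Unavailable [IP: 192.0.2.11 80]
"""

HEADER = re.compile(r"^=== run (\S+) exit=(\d+) ===$")
# apt marks a failed source with "Err:<n> <url> ..." and repeats it as "W:/E: Failed to fetch <url>".
FAILED = re.compile(r"^(?:Err:\d+ |[WE]: Failed to fetch )(\S+)")


def parse_runs(log_text):
    """Split the wrapper log into runs, recording which hosts failed in each."""
    runs = []
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            runs.append({"when": datetime.fromisoformat(header.group(1)),
                         "exit": int(header.group(2)), "failed_hosts": set()})
        elif runs:
            failed = FAILED.match(line)
            if failed:
                runs[-1]["failed_hosts"].add(urlsplit(failed.group(1)).hostname)
    return runs


def audit(runs, outage_start=OUTAGE_START, outage_end=None):
    """Classify runs inside the outage window; outage_end=None means still ongoing."""
    in_window = [r for r in runs if r["when"] >= outage_start
                 and (outage_end is None or r["when"] <= outage_end)]
    clean = [r["when"] for r in runs if r["exit"] == 0 and not r["failed_hosts"]]
    return {
        # Exit status said success, but at least one index was not refreshed.
        "silent_failures": [r for r in in_window if r["exit"] == 0 and r["failed_hosts"]],
        # Failures that a monitor keyed on exit status would have caught.
        "loud_failures": [r for r in in_window if r["exit"] != 0],
        # Package metadata on this host is only as fresh as this timestamp.
        "last_clean_refresh": max(clean) if clean else None,
    }


if __name__ == "__main__":
    report = audit(parse_runs(SAMPLE_LOG))
    for run in report["silent_failures"]:
        print("silent failure", run["when"].isoformat(), sorted(run["failed_hosts"]))
    print("last clean refresh:", report["last_clean_refresh"])
```

Any host whose `last_clean_refresh` predates the outage start should be queued for a manual refresh and upgrade once the repositories are reachable again.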
Canonical's status page is the best source for current information. Secondary channels such as Reddit, Ubuntu Forums and security mailing lists are worth watching for unofficial updates if official communications are slow.
The Bigger Picture
There's been a gradual evolution in how hacktivist groups choose their targets and what they do to them. Website defacement was the thing for a long time – make a point, embarrass the target, move on. DDoS as pure disruption came later. What this attack represents, if you take it at face value, is something more calculated: identify the infrastructure that a target's users genuinely depend on, disable that specifically, and use the dependency as leverage.
Open-source infrastructure has always occupied an interesting threat model position. It's globally critical, as billions of devices run on it, but it's maintained by relatively small teams with limited incident response resources compared to, say, a major cloud provider. Canonical isn't a small company, but it's not AWS either. Absorbing a sustained, high-volume DDoS while simultaneously managing extortion demands and communications is a lot to handle.
This won't be the last time something like this happens. Whether it's hacktivists, financially motivated groups, or state-adjacent actors, the model of targeting update infrastructure rather than user-facing services is something more groups will probably try once they see it can create this much disruption. The open source ecosystem has taken that for granted for too long.
For now, watch the status page. Wait for Canonical to get things back up. And when the patches come, run them.
[Editor's Note: I experienced problems doing an update on 4 May. The system seemed to be reverting to IPv6 addresses but they were very slow in responding. I do not know if there is any connection to this story--JR]
(Score: 2) by mrpg on Tuesday May 05, @04:50AM
https://status.canonical.com/ [canonical.com]
Component "archive.ubuntu.com" and a few other components are Down
(Score: 4, Interesting) by PiMuNu on Tuesday May 05, @08:04AM (7 children)
I saw this on theregister and wondered. Lots of things don't make sense:
* Canonical is a UK firm. UK is not involved much in Iran.
* Canonical has no involvement in Iran stuff? Or what is the link?
* Why attack security?
It looks to me like there must be another target or another part of the operation that is not yet visible.
(Score: 5, Funny) by driverless on Tuesday May 05, @08:13AM
KARL VRESKI: (sotto) 'Islamic Cyber Resistance in Iraq?'
HANS GRUBER: (off-mike, a shrug) I read about them in Time magazine.
(Score: 2, Insightful) by Anonymous Coward on Tuesday May 05, @12:45PM
Iraq, not Iran.
The point is, there are people, if you can call them people, who have been mentally conditioned into thinking the world is full of evil, so that anything and everything _must_ be disrupted.
Hopefully, to most people reading this, that statement is extremely obvious.
The infuriating irony is that those people are doing great harm and evil themselves, and their actions are not in any way improving the things they want changed. If anything they are taking resources away from people who are trying to do good.
(Score: 2, Interesting) by Anonymous Coward on Tuesday May 05, @02:32PM
Really, the target is hidden amongst the victims to throw the cops off the trail.
Actually the UK's interests in the Middle East run much deeper than anybody else's. The Americans are just the muscle.
And yeah, these "hackers" are just poseurs, attacking the easy targets, and besides, putting Canonical on any critical infrastructure is as dumb as using Microsoft.
Or it could be the CIA testing new stuff. Anything is possible, kids in the basement, whatever...
(Score: 1, Flamebait) by stormreaver on Wednesday May 06, @11:31AM (3 children)
Mystery solved. As we already found out, Islam doesn't discriminate between friend and foe. They attack anyone and everyone.
(Score: 2) by PiMuNu on Wednesday May 06, @01:19PM (2 children)
> Islam doesn't discriminate between friend and foe
Much like Christians.
https://en.wikipedia.org/wiki/Reformation [wikipedia.org]
https://en.wikipedia.org/wiki/Counter-Reformation [wikipedia.org]
or more recently
https://en.wikipedia.org/wiki/Glorious_Revolution [wikipedia.org]
(Score: 2) by stormreaver on Thursday May 07, @09:36PM (1 child)
Your examples aren't even REMOTELY similar to Islam. As bad as Christians were, they don't even hold a candle to Islamists. Plus, Christians are far more evolved than Islamists. Let's look at Iran for an example. The U.S. attacked Iran, and the Islamist response is to attack ANYONE within missile range, even their friendly neighbors who were trying to protect them.
When Christians were killing doctors who performed abortions, they didn't also start killing random people in random neighborhoods. Their insanity was at least contained. Islam has no such containment.
(Score: 2) by PiMuNu on Friday May 08, @07:28AM
> response is to attack ANYONE
You have clearly a limited understanding of Iran's strategy. At the moment Iran is winning and has forced US into humiliating negotiations. How did they achieve that? Why is the Trump administration forced into ceasefire? Remember, Trump is the aggressor here; so a ceasefire means Iran has won.
ps: you should do something about the sticky capslock key. There are some nice solutions online for cleaning keyboards, or a new one is not so expensive.
(Score: 3, Insightful) by Anonymous Coward on Tuesday May 05, @08:09AM (16 children)
"Activists" are all the same, they attack targets they think they can get away with. It's why animal rights activists beat up little old ladies wearing fur and not biker gangs wearing leather, because the second one is dangerous and the first one isn't. It's about hurting people first and making a point second.
(Score: 4, Touché) by PiMuNu on Tuesday May 05, @08:41AM (3 children)
> they attack targets they think they can get away with
Then why attack an IT organisation? Must be easier for canonical to mobilise IT security pros.
They are a pretty low profile organisation in the UK (for most Brits who are not IT professionals, they are a niche IT organisation running an obscure OS).
(Score: 4, Funny) by Gaaark on Tuesday May 05, @10:29AM
All I know and care about is that Moss uses Ubuntu and bunks off once in a while.
(Goes and puts on slightly LARGER glasses)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 1) by khallow on Tuesday May 05, @11:41AM
You just answered your own question.
(Score: 0) by Anonymous Coward on Tuesday May 05, @12:18PM
The attack could be an indirect one on the customers who use Ubuntu, it creates a bit of fear and uncertainty in their minds about the security of their Ubuntu boxes irrespective of any assurances, especially if the impression is given that Ubuntu can't protect their own systems.
For context as to why these Islamonutters might have targeted them, look at the names of some of the largest commercial Ubuntu users, giving them all a bad week or three alone would justify it in their eyes.
(Score: 2) by FunkyLich on Tuesday May 05, @08:49AM (9 children)
My knowledge might be outdated, but last I checked leather jackets are produced from pelts of cattle in the food industry. They are usually farmed in a very efficient manner, then slaughtered and turned to various products, mostly food from their flesh, then shoes from their pelts, and also - at a lower priority - leather jackets from their pelts. Technically speaking, you're correct, but on the other hand you're missing options in the list. To "fur coat old ladies" and "nasty bikers with leather coats" already there, you should add "almost everyone, the users of meat products" too.
(Score: 3, Funny) by c0lo on Tuesday May 05, @08:59AM (8 children)
"Users of meat products" is quite a weird way to designate meat eaters.
Or... do you have in mind different ways of using meat than as food?
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Interesting) by FunkyLich on Tuesday May 05, @09:19AM (3 children)
I don't think it matters much as long as the use case is clear. But yes, there are also indirect uses of animal flesh which is not directly food. Some types of immunoglobulins, beef insulin, collagen that's used as injections to fill in scars, dismutase cream used as a cosmetic skin cream to prevent tissue aging, estrogen and progesterone drugs, liver extracts for treating anemia, plasma protein, some types of adhesives (plywood adhesive being one), crayons...
(Score: 2, Interesting) by pTamok on Tuesday May 05, @10:46AM (2 children)
Pretty much everything of a farm-produced carcass is used, not just the muscle, much of which goes into 'quality' food production. Not doing so means that possible profit (or mitigation of loss) is going to waste. Disposing of carcasses that don't go into the food-and-other-products chain is expensive, usually requiring incineration.
People who are against the exploitation of animals have to find substitutes for a surprising amount of things. I don't know if it is still true, but most cheese was made with rennet, extracted from dead calves' stomachs. I suspect that a lot is made with genetically engineered yeast/bacteria-produced rennet now. It is likely cheaper.
Of course, you have leather, for shoes, belts and apparel. If you take or need vitamin B12 supplements, almost all come from animal sources. Much work goes on to find an adequate plant- or genetically-engineered yeast or bacterium source.
If you look at human dentition and the human digestive system, you will see that we are most suited to being omnivores.
PLOS One: The Evolution of Stomach Acidity and Its Relevance to the Human Microbiome (2015 Jul 29;10(7):e0134116. doi: 10.1371/journal.pone.0134116) [nih.gov]
From an ethical viewpoint, you might want to decide not to eat animals. From a practical viewpoint, evolution and human evolutionary history appears to have set us up to be able to eat animals, and quite possibly, carrion.
(Score: 3, Interesting) by FunkyLich on Tuesday May 05, @11:05AM
Yes, I know and all of that is obvious to me as well, and I agree with all the above. But I am not so sure of the GP anonymous coward who seems confused between old ladies in fur coats and tough bikers in leather jackets. Personally I have a stronger feeling against the old ladies in fur coats compared to the bikers in leather coats, but not because the old ladies are easier to spit on their face compared to the bikers. It's more about the fur coats being the primary product for which one needs to kill an animal for an absurdly expensive product driven by purely show off reasons, while the leather jackets are a byproduct of a much bigger picture and in the exact same family of products with shoes, belts, couch covers, and so on.
(Score: 2) by c0lo on Tuesday May 05, @10:11PM
Used to be vegetable origin rennet in the past too (mainly plants that produce latexes).
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 1, Touché) by Anonymous Coward on Tuesday May 05, @12:59PM
I purchase a lot of meat for the family and pets and prepare their meals, I am, by those facts alone, a user of meat products, then there are my leather boots, belts etc. etc.
I'm a vegetarian, have been so now for well over 40 years.
(Score: 1, Insightful) by Anonymous Coward on Tuesday May 05, @09:06PM (2 children)
Don't forget lubricating bullets with pork fat. Muslims hate that.
(Score: 4, Informative) by lentilla on Wednesday May 06, @02:20AM
I suspect you were aiming for a +1 Funny, but there is historical precedent here as one of the contributing factors to the Indian Rebellion of 1857: [wikipedia.org]
(Score: 0) by Anonymous Coward on Friday May 08, @09:55AM
Salami has other uses too.
(Score: 5, Funny) by Ingar on Tuesday May 05, @08:53AM
Someone got fed up with the enshittification of Ubuntu.
Love is a three-edged sword: heart, soul, and reality.
(Score: 2) by epitaxial on Tuesday May 05, @03:44PM
Now talk about January 6th.
(Score: 5, Interesting) by pTamok on Tuesday May 05, @11:07AM (7 children)
Is here:
https://status.canonical.com/ [canonical.com]
It is not just a static page, which surprised me. You will need to enable:
(one of the many things I like about SoylentNews is that it doesn't link to resources from all over the Internet just to render a page.)
(Score: 5, Insightful) by Unixnut on Tuesday May 05, @12:58PM (6 children)
Ah, thanks for that. I visited that page as was mentioned earlier in the thread and it was blank for me. I just assumed that the attackers managed to take out the status page as well. Having a status page for critical events that loads blank instead of degrading gracefully is poor programming from Canonical's side really.
(Score: 5, Interesting) by canopic jug on Tuesday May 05, @01:33PM (5 children)
Having a status page for critical events that loads blank instead of degrading gracefully is poor programming from Canonical's side really.
It's just another symptom of Canonical's hiring of problem individuals, especially for the top position. The company is chock full of "former" microsofters bringing their "talent" and values into what was once a FOSS company.
Money is not free speech. Elections should not be auctions.
(Score: 2) by turgid on Tuesday May 05, @08:18PM
That reminds me, I've noticed something when installing Ubuntu (and Mint Cinnamon, which is based on Ubuntu). When you install it, it spends a long time installing lots of packages. Then, if you watch carefully, it tells you that it is uninstalling several of them.
Why?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by turgid on Tuesday May 05, @08:27PM (3 children)
The company is chock full of "former" microsofters bringing their "talent" and values into what was once a FOSS company.
Doesn't everybody deserve a second chance?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 4, Insightful) by canopic jug on Wednesday May 06, @01:26AM
Doesn't everybody deserve a second chance?
Three prerequisites would have to be met first: them voluntarily stopping the harmful behaviors, them taking initiative on their own and working to rehabilitate themselves, and first and foremost them leaving the cult (by either voluntary or involuntary deprogramming) in the first place.
Then, hopping over possible definitions of forgiveness, the answer is, yes, but only once they move to another field of work. They've already proven that they are unsuitable for ICT. With white collar crime there is a nearly 100% recidivism rate when either punishment or rehabilitation are absent. In this case, both are absent. You would not put an embezzler to work in anything related to do with money, nor put a junkie in charge of controlled substances. This is no different except computers and computer environments are involved. There are other fields which those "former" microsofters could work in where they have a higher chance of contributing to society. But that chance is only when assuming that they have well and truly really turned over a new leaf and, furthermore, not just regret their past participation in microsoftianism but actively take measures — outside of ICT — to make amends. Given the cult-like nature of that crowd additional barriers prevent getting to that position in the first place.
As for the rest of us, there is neither a moral nor religious obligation to forgive companies, especially while such a group is actively engaged in ongoing, intentional harm. Indeed, the sole purpose of a corporation is to dodge ethical and social responsibilities. The money is just a rewarding side effect of that.
Money is not free speech. Elections should not be auctions.
(Score: 2, Touché) by Anonymous Coward on Wednesday May 06, @10:55AM (1 child)
(Score: 2) by turgid on Sunday May 10, @10:20AM
I was trying to be funny.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].