Canonical, the company behind Ubuntu, has been under a sustained cross-border DDoS attack since approximately 6 PM UK time on April 30, 2026. The Iran-linked hacktivist group "Islamic Cyber Resistance in Iraq 313 Team" claimed responsibility via the VECERT Analyzer threat intelligence account and paired the disruption with a Session-channel extortion demand. The outage exceeded 15 hours by the time it surfaced on Hacker News, knocking out a wide swath of Ubuntu and Snap infrastructure while the underlying operating system remained uncompromised.
What Happened
The attack began around 6 PM UK time on April 30, 2026, hitting multiple Canonical-operated services in parallel. Canonical confirmed the disruption on its status page and via the @ubuntu account on May 1, calling it a "sustained, cross-border attack" and indicating volumetric flooding rather than intrusion. PiunikaWeb reported the outage had run more than 14 hours by its May 1 article, and Hacker News tracked the incident at the 15-hour mark. Affected services included ubuntu.com, security.ubuntu.com, lists.ubuntu.com, login.ubuntu.com, the Snap Store, Snapcraft, Launchpad, maas.io, Canonical's portal and contracts subdomains, the Livepatch API, and Landscape. Ubuntu APT mirrors and ISO downloads continued to function thanks to their distributed mirror network. The 313 Team also delivered an extortion message via a Session messenger ID, warning that servers would remain offline if Canonical did not pay. As of the first major coverage on May 1, Canonical had not publicly acknowledged the ransom demand.
What Was Taken
No data exfiltration has been reported or claimed. The incident is a service-availability attack, not a breach. The Ubuntu operating system, source repositories, and APT package distribution channels were not compromised, and there is no indication that authentication credentials, build pipelines, or Snap package contents were accessed. The damage is reputational and operational: developers, enterprise Livepatch and Landscape customers, MAAS operators, and Snap publishers were locked out of management and identity surfaces for the duration of the outage.
Why It Matters
Canonical sits at the foundation of a substantial portion of the world's Linux server, cloud, and IoT footprint. A sustained outage of login.ubuntu.com, Launchpad, Livepatch, and Landscape disrupts not just consumer downloads but enterprise patch management and fleet automation pipelines that depend on those control planes. The incident is also notable for the actor: the 313 Team is assessed by HawkEye's March 2026 advisory to have ties to Iran's Ministry of Intelligence and Security (MOIS), pushing this beyond ordinary hacktivism into the state-aligned category. The pairing of volumetric DDoS with a Session-based extortion demand mirrors the playbook seen from other Iran-aligned crews in 2025 and 2026, and signals that open-source infrastructure providers are now being treated as legitimate targets for politically motivated coercion.
The Attack Technique
The technique appears to be a classic high-volume, multi-vector DDoS aimed at saturating the public-facing web and API tier of Canonical's infrastructure. Canonical's "cross-border" framing suggests the source traffic originated from globally distributed nodes, consistent with botnet-driven floods or amplification across reflectors. The selective survival of APT mirrors and ISO downloads, both served from distributed third-party mirror networks, while centralized Canonical-hosted services failed, points to the attackers focusing on origin infrastructure that lacks the same geographic dispersion. The extortion overlay was delivered out-of-band via Session, a privacy-focused encrypted messenger favored by actors who want to avoid the attribution risk of email or Telegram.
What Organizations Should Do
- Audit which centralized identity and management endpoints (login.ubuntu.com, Livepatch API, Landscape, Launchpad) your automation depends on and stage offline-tolerant fallbacks for patching and provisioning workflows.
- Mirror critical packages and ISOs locally or pin to redundant mirror endpoints so build pipelines do not break when the upstream control plane is unreachable.
- Review DDoS protection posture for your own internet-facing infrastructure: confirm anycast or scrubbing coverage, validate origin IP concealment, and rehearse failover for authentication and API tiers specifically.
- Establish a no-pay policy and pre-approved comms plan for Session, Telegram, or email-delivered extortion demands tied to availability attacks, and route any such contact directly to incident response and legal.
- Track 313 Team and other MOIS-aligned hacktivist indicators via threat-intel feeds, and treat geopolitical flashpoints as leading indicators for opportunistic targeting of Western technology vendors.
- Monitor Canonical's official status page and @ubuntu channel rather than secondary aggregators for ground truth during ongoing disruption.
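Added example for the first two recommendations above (not Canonical's code or code from this article): a POSIX shell script that scans a tree of automation and config files for references to the centralized Canonical hosts the article lists, so a team can see which workflows would stall in a repeat outage. The hostnames assumed for the Snap Store, Launchpad, Livepatch and Landscape are not given on the page, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from Canonical or the article: scan a tree of
# automation/config files for references to the centralized Canonical hosts the
# article says went down, so the team knows what breaks in a repeat outage.
set -eu

# Control-plane hosts named in the article. The Snap Store, Launchpad, Livepatch
# and Landscape hostnames are assumed; the article names those services only.
CENTRAL_HOSTS="login.ubuntu.com security.ubuntu.com lists.ubuntu.com maas.io
api.snapcraft.io launchpad.net livepatch.canonical.com landscape.canonical.com"

# Print "host<TAB>N file(s)" for each central host referenced under DIR.
audit_canonical_deps() {
  dir=$1
  for h in $CENTRAL_HOSTS; do
    # grep may exit 1 on no match; the pipeline's status comes from wc.
    n=$(grep -rlF -- "$h" "$dir" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      printf '%s\t%s file(s)\n' "$h" "$n"
    fi
  done
}

# Build a constructed sample tree (cloud-init, CI job, apt sources) to scan.
make_sample_dir() {
  d=$(mktemp -d)
  cat >"$d/cloud-init.yaml" <<'EOF'
runcmd:                                     # constructed sample
  - pro attach "$PRO_TOKEN"
  - curl -sS https://livepatch.canonical.com/v1/status
EOF
  cat >"$d/ci.yml" <<'EOF'
steps:                                      # constructed sample
  - run: snap install --classic snapcraft   # fetched via api.snapcraft.io
  - run: git push git+ssh://git.launchpad.net/myproject
EOF
  cat >"$d/sources.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu noble main
deb http://security.ubuntu.com/ubuntu noble-security main
EOF
  printf '%s\n' "$d"
}

# Demo on the constructed tree; point it at your real repo/config directory.
SAMPLE=$(make_sample_dir)
audit_canonical_deps "$SAMPLE"
rm -rf "$SAMPLE"
```

Hosts that appear only in the distributed archive mirror line (archive.ubuntu.com) are deliberately not flagged, matching the article's observation that APT mirrors kept serving during the outage.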