Pro-Iran Hackers Extort Canonical with Sustained DDoS Attacks

"I can confirm that Canonical's web infrastructure is under a sustained, cross-border Distributed Denial of Service (DDoS) attack," a Canonical spokesperson told The Register.

Canonical confirms a sustained, cross‑border DDoS

Canonical acknowledged a sustained, cross-border DDoS assault on its web infrastructure, telling The Register its teams were working to restore full availability and would "provide updates in our official channels as soon as we are able to." At the time of reporting, the company's main Ubuntu website was returning 503 errors and had been down for several hours.

The Islamic Cyber Resistance in Iraq (313 Team) claims responsibility and shifts tone

The attack was claimed by The Islamic Cyber Resistance in Iraq, also known as 313 Team. The group announced via its Telegram channel that the attack had been scheduled to persist for four hours. It also sent a message directed at Canonical that reads in part: "There is a simple way out. We have emailed you with our Session Contact ID. If you fail to reach out, we will continue our assault. You are in an awful position, don't be foolish." That message, as reported, indicates the operation has moved from public hacktivism toward an explicit demand that the victim make contact.

Service disruption: downloads and account access affected, some pages still live

The outage prevented users from downloading Ubuntu releases through the usual channels and blocked logins to Canonical accounts. Despite the broader service disruption, some Canonical-hosted resources remained accessible: the Ubuntu Archive and the project's Discourse pages were reported as still up and running, even as the main site and many subdomains experienced interruption.

Persistence and recent targeting pattern

Although the channel announcement set an initial four‑hour window, the disruption persisted beyond that timeframe: The Register reported the attack was still ongoing more than 12 hours later. The 313 Team has claimed responsibility for similar DDoS operations in the past month, including strikes against eBay's Japan and US divisions and the social platform BlueSky, according to the same report.

What this means for Canonical, Ubuntu users, and security teams

  • Canonical: the company has publicly confirmed the attack and signaled active mitigation efforts, promising regular updates through its official channels. The extortion-style message from the attacker introduces a communications and legal dimension to the outage that Canonical will need to manage in parallel with technical remediation.
  • Ubuntu users and downstream consumers: users were unable to download versions of the distro through the affected web channels and could not access Canonical accounts during the disruption. Some resources remained available, but core download and account services were impaired.
  • Security teams and incident responders: the incident demonstrates a DDoS campaign that can be timed and extended beyond an initial declared window, and — per the group's message — can be accompanied by direct contact with the victim. Teams monitoring similar targets should note both the operational disruption and the potential for attackers to couple denial-of-service operations with extortion tactics.

Why the group singled out Canonical was not stated in the claim; The Register suggested the likely motivator could be Ubuntu's prominence as a widely used Linux distribution. Canonical's immediate public posture was straightforward: confirm the attack, restore availability, and update users as information becomes available.

The episode leaves three concrete items to watch: whether Canonical's mitigation restores full service across all subdomains, whether the attacker follows through on the extortion posture, and whether other major open-source infrastructure providers see similar, coordinated DDoS pressure in the near term. Canonical has said it will provide updates through its official channels as it has new information to share.

Original story: https://go.theregister.com/feed/www.theregister.com/2026/05/01/canonical_confirms_ubuntu_infrastructure_under/