Ubuntu's Infrastructure Has Been Down Over 24 Hours — And Now the Attackers Are Demanding Ransom

What started as a hacktivist DDoS on Ubuntu's infrastructure has become an extortion demand. Canonical's sites have been down over 24 hours, and the attackers want payment.

Canonical’s web infrastructure has been offline for more than 24 hours after a sustained DDoS attack — and the group responsible has pivoted from hacktivism to outright extortion, demanding Canonical pay up or face continued disruption.

The pro-Iran hacktivist group calling itself 313 Team (the Islamic Cyber Resistance in Iraq) claimed responsibility for the attack via Telegram. What began as a four-hour DDoS window has stretched past a full day, with ubuntu.com, the Snap Store, Launchpad, and Canonical’s security advisory pages all knocked offline.

Then it got worse. 313 Team posted a follow-up message directed at Canonical: “There is a simple way out. We have emailed you with our Session Contact ID. If you fail to reach out, we will continue our assault. You are in an awful position, don’t be foolish.”

That’s not hacktivism. That’s ransomware by another name.

What’s Affected

The attack has disrupted:

  • ubuntu.com — completely down
  • Snap Store — package management for millions of Ubuntu desktops and servers
  • Launchpad — Canonical’s development and code hosting platform
  • Canonical accounts — users can’t log in
  • Security advisories — the very pages that tell users about vulnerabilities

Ubuntu’s package archive mirrors and Discourse forums remain operational, but the main distribution channels for one of the world’s most popular Linux distributions are hobbled.

Why This Matters

This isn’t just about a website being down. Ubuntu runs on an estimated 40 million desktops and servers worldwide. It powers a significant chunk of cloud infrastructure. And right now, the official channels for getting Ubuntu — and for learning about security vulnerabilities affecting it — are dark.

The timing is particularly sharp: Ubuntu 26 just shipped. Users trying to download the latest release or update their systems through official channels are hitting a wall.

This also follows a botched disclosure of a major Linux vulnerability, making the security advisory outage especially concerning. When the people responsible for maintaining one of the world’s most critical pieces of open-source infrastructure can’t even publish their own security alerts, that’s a systemic problem.

The Geopolitical Angle

313 Team has form. The group has claimed responsibility for DDoS attacks on eBay’s Japan and US divisions, as well as Bluesky, in just the past month. They’re part of an escalating pattern of pro-Iranian cyber activity targeting Western tech infrastructure — a pattern we’ve been tracking.

The shift from ideological DDoS to extortion is notable. It mirrors the evolution of ransomware groups: start with disruption, discover that targets will pay to make it stop, and suddenly you’re in the protection racket business. When geopolitics and profit motives align, the attacks don’t stop — they escalate.

The Infrastructure Question

Canonical’s situation raises uncomfortable questions about open-source resilience:

  • DDoS mitigation isn’t cheap. Cloudflare, Akamai, and similar services cost real money. For a company that gives away its core product, that’s a meaningful expense.
  • Critical infrastructure shouldn’t be fragile. Ubuntu is infrastructure that millions of organisations depend on. A single sustained DDoS attack shouldn’t be able to take down the primary distribution and security channels.
  • Open-source projects are targets. The same visibility that makes Ubuntu popular makes it a target. And unlike proprietary vendors, open-source projects often lack the defensive budgets of their commercial counterparts.

The NZ Angle

New Zealand organisations running Ubuntu — and there are many, including significant government deployments — should be paying attention. If official Ubuntu mirrors and update channels are compromised or unreliable, that’s a supply chain risk. NZ’s National Cyber Security Centre has previously warned about supply chain attacks, and this is a textbook example of how infrastructure dependencies can become vulnerabilities.

Organisations should verify they’re pulling from trusted mirrors and have offline update capabilities for critical systems. If you can’t verify a package’s integrity because the security advisory page is down, that’s a problem.
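
As an added example (not from the original article or from Canonical), this Python script audits one-line-style apt source entries for what the advice above depends on: each mirror host is on an approved list, and apt's signature checking, which is what establishes package integrity regardless of mirror, has not been switched off. The allowlist, the sample entries and the name `audit_sources` are assumptions; deb822 `.sources` files are not parsed.

```python
import re
from urllib.parse import urlparse

# Assumption: mirror hosts this organisation has approved (hypothetical list).
APPROVED_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com", "mirror.example.org"}

# sources.list(5) options that switch off or weaken apt's signature checks.
WEAKENING = ("trusted", "allow-insecure", "allow-weak", "allow-downgrade-to-insecure")

# One-line-style entry: type, optional [options], URI, suite.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# /etc/apt/sources.list (constructed)
deb [signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] http://archive.ubuntu.com/ubuntu noble main
deb [trusted=yes] http://mirror.example.net/ubuntu noble main
deb http://security.ubuntu.com/ubuntu noble-security main
"""

def audit_sources(text, approved=APPROVED_HOSTS):
    """Return (line_no, uri, problem) tuples for risky apt source entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # comment, blank line or unsupported format
        opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
        uri = m.group(3)
        host = urlparse(uri).hostname or ""
        for key in WEAKENING:
            if opts.get(key, "").lower() == "yes":
                findings.append((no, uri, f"{key}=yes weakens signature enforcement"))
        if host not in approved:
            findings.append((no, uri, f"host {host!r} is not an approved mirror"))
        if "signed-by" not in opts:
            findings.append((no, uri, "no signed-by: any globally trusted key is accepted"))
    return findings

if __name__ == "__main__":
    for no, uri, problem in audit_sources(SAMPLE):
        print(f"line {no}: {uri}: {problem}")
```

Run it over `/etc/apt/sources.list` and the files in `/etc/apt/sources.list.d/` on each host; an entry that pairs an unapproved host with `trusted=yes` is the one to fix first.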

🔍 THE BOTTOM LINE

An open-source infrastructure project that runs 40 million machines worldwide just got knocked offline for a day by a group that’s now demanding ransom. The attack isn’t sophisticated — it’s a DDoS, the digital equivalent of a crowd blocking your front door. But it’s effective because Canonical wasn’t prepared for it, and the attackers have realised that extortion pays better than ideology.

This is going to happen again — to Canonical, and to other open-source projects. The question isn’t whether critical infrastructure should be hardened against DDoS attacks. It’s whether we’ll wait until something worse than a 24-hour outage happens before we take it seriously.


Sources: The Register, Ars Technica, Tom's Hardware