
Cyberattack against X: Security researchers contradict the accusations of Elon Musk


On Monday, March 10, 2025, the social network X suffered a series of major outages that left the platform unreachable for several hours. Elon Musk quickly blamed a "massive cyberattack against 𝕏" that, in his words, had mobilized considerable resources. The billionaire then pointed to "IP addresses located in Ukraine," suggesting that "a large coordinated group" or "a country" was behind the DDoS attack.

A botnet at the origin of the cyberattack

As the dust settles, several security researchers have pushed back on Elon Musk's assertions. Interviewed by Wired, Shawn Edwards, director of security at Zayo, points out that DDoS attacks like the one that paralyzed X for hours are generally launched from a botnet, a network of malware-infected devices controlled remotely by a cybercriminal. Attackers use "compromised devices, VPNs, or proxy networks to obscure their true origin."

It is therefore not possible to conclude from source addresses alone that the attack came from Ukraine. As Shawn Edwards explains, "what we can conclude from IP data is the geographic distribution of traffic sources, which can provide insight into the composition of the botnet or the infrastructure used," but "what we cannot conclude with certainty is the identity or the real intention of the perpetrator." Furthermore, an anonymous researcher told Wired that Ukraine was not even among the top 20 countries of origin of the IP addresses involved in the attacks on X.

In the case of the offensive against X, the traffic came from a botnet "of cameras and DVRs," says researcher Kevin Beaumont. The attackers had mostly compromised consumer devices such as IP cameras and digital video recorders (DVRs), the appliances that store surveillance footage, and used them to generate the flood of requests.

Poorly secured servers

Kevin Beaumont also claims that some of X's servers were not properly secured: they were not sitting behind Cloudflare's DDoS protection, a service that, as its name suggests, is designed to detect and mitigate denial-of-service traffic before it reaches the origin servers.

Worse, those servers were publicly reachable, so the attackers could target them directly rather than going through Cloudflare's edge. The expert adds that "the botnet directly attacked the IP and many others on this X subnet." X has since taken steps to secure the exposed servers.
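The misconfiguration described above has a simple signature: if an origin server is supposed to sit behind Cloudflare, every legitimate request it receives should come from one of Cloudflare's published edge ranges, and any request from another address reached the origin directly, bypassing the DDoS protection. The following script is an added example written for this article, not code from X, Cloudflare or the researchers quoted by Wired. It scans constructed web-server log lines for such bypass traffic and emits an iptables allowlist that closes the gap. The IPv4 ranges are a snapshot of Cloudflare's public list at https://www.cloudflare.com/ips-v4 (assumption: accurate at time of writing; the live list changes and must be refreshed in production), and the log lines and addresses are invented for the demo.

```python
"""Added example: detect origin traffic that bypasses a CDN's DDoS protection.

Assumptions (not from the article): the origin is an nginx/Apache-style server
writing combined-format access logs, and the Cloudflare IPv4 list below is the
one published at https://www.cloudflare.com/ips-v4 (IPv6 ranges are omitted;
fetch the current lists before using this for real).
"""
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 egress ranges (assumption: current).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]

# Combined log format: client IP, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed access-log lines for the demo. 172.64.x, 104.16.x and 162.158.x are
# Cloudflare edges; 203.0.113.7 and 198.51.100.42 are TEST-NET addresses standing
# in for a botnet node that found the origin's public IP.
SAMPLE_LOG = """\
172.64.10.5 - - [10/Mar/2025:09:01:12 +0000] "GET / HTTP/1.1" 200
104.16.1.9 - - [10/Mar/2025:09:01:13 +0000] "GET /home HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2025:09:01:13 +0000] "GET / HTTP/1.1" 200
198.51.100.42 - - [10/Mar/2025:09:01:14 +0000] "GET / HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2025:09:01:14 +0000] "GET / HTTP/1.1" 200
162.158.3.3 - - [10/Mar/2025:09:01:15 +0000] "GET /api HTTP/1.1" 200
"""


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def find_bypass(log_text: str) -> Counter:
    """Count requests per source IP that hit the origin without passing through
    Cloudflare. A non-empty result means the origin is directly reachable."""
    direct = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip = m.group("ip")
        try:
            if not is_cloudflare(ip):
                direct[ip] += 1
        except ValueError:
            continue  # not a valid IP literal (e.g. a hostname); ignore
    return direct


def iptables_allowlist(ports: str = "80,443") -> list:
    """Hardened setting: accept HTTP(S) only from Cloudflare ranges, drop the
    rest, so the botnet can no longer hit the origin IP directly."""
    rules = [
        f"iptables -A INPUT -p tcp -m multiport --dports {ports} -s {net} -j ACCEPT"
        for net in CLOUDFLARE_V4
    ]
    rules.append(f"iptables -A INPUT -p tcp -m multiport --dports {ports} -j DROP")
    return rules


if __name__ == "__main__":
    bypass = find_bypass(SAMPLE_LOG)
    for ip, n in bypass.most_common():
        print(f"origin reached directly from {ip}: {n} request(s)")
    print("\n# firewall rules to restrict the origin to Cloudflare edges:")
    print("\n".join(iptables_allowlist()))
```

Run it against a real access log (`find_bypass(open("access.log").read())`) to see whether an origin that is meant to be hidden behind Cloudflare is, in fact, being hit directly. Two caveats: the allowlist only holds as long as the range list is kept in sync with Cloudflare's published one, and it does nothing about IPv6 unless the corresponding IPv6 ranges are added; firewalling also does not hide the origin address itself, so moving the origin to a non-public address is the more robust fix.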

Source: Wired
