
Pro-Palestine “Hacktivist” Group Takes Credit for DDoS Attack on X

X, or the social media platform formerly known as Twitter, suffered some noticeable level of disruption on March 10 due to DDoS attacks. A pro-Palestine hacktivism group calling itself Dark Storm Team, a known quantity that has previously wielded large botnets for similar purposes, has taken credit.

The group posted evidence of its involvement in the form of screenshots on a Telegram channel. It has previously used DDoS attacks to target an assortment of organizations with a strong focus on the US, UAE, Israel and Ukraine.

DDoS attacks caused limited disruption to X

While the DDoS attacks were not enough to take the platform offline, users began noticing slow loading speeds and occasional inability to log in or complete actions throughout the morning and afternoon on Monday the 10th. The cause was unclear until Elon Musk appeared in a previously scheduled interview on the Fox Business network later in the day, in which he revealed that it was an active and “massive” attack by what he said was either a large organized group or a nation-state attacker.

It appears to have been the former. Many media outlets took Musk’s mention of “IP addresses originating in Ukraine” as an indirect accusation against the country, but the Dark Storm Team hackers were quick to take to Telegram that evening and post screenshots and a report on Check-Host.net that provided evidence of their involvement in the DDoS attacks. The group has been tied to assorted incidents dating back to 2023, including similar attacks on hospitals in Israel and airports in the US. The hackers appear to be focused on damaging Israel and its allies as well as NATO members, engaging only in destructive campaigns for publicity and not stealing money or demanding ransoms.

Netblocks, a connectivity monitoring service, said that the pattern of traffic and outage was consistent with prior DDoS attacks and that this was one of the longest outages in the history of the Twitter/X platform. The company says that several other similarly large outages were observed around the world on Monday, but it is unclear if they are linked to the hacktivists' attack. Downdetector.com indicates that X had trouble with the DDoS attacks off and on for about seven hours, with the first wave starting in the early morning hours.

X has reportedly engaged the services of Cloudflare since the DDoS attacks took place; flagged IP addresses, and those that have submitted too many requests, are now required to complete a captcha before they can proceed.

Ukraine tensions do not appear to be part of DDoS attacks

Musk’s mention of Ukraine IP addresses may have set off adversarial media sources ready and waiting for any opportunity to publish a negative story about him, but the controversial Tesla head has been involved in prior wars of words involving the country as part of his new role as a major functionary of the Trump administration. A recent X post in which he claimed that Ukraine’s front line would collapse if he pulled Starlink support was met with hostility by Polish foreign minister Radoslaw Sikorski, who fired back that Poland was paying for the service and that it might consider shopping for another satellite provider. Musk quickly clarified that he had no intention of cutting off service to Ukraine, but also called Sikorski a “small man” and admonished him for paying for only a “tiny fraction” of the service.

Twitter has had a long history of security issues, some of which have come under Musk's ownership. A prior incident involving DDoS attacks took the site offline for several hours in about a dozen countries in 2023; that also involved a self-styled hacktivist group from the Middle East, calling itself Anonymous Sudan. The leaders of that group, which postured as an anti-Zionist and pro-Muslim organization, were arrested in March 2024 and the FBI seized their infrastructure. There were some suspicions that the group had links to Russia, such as starting out its life on a Russian-speaking Telegram channel, but conclusive proof of links to Russian intelligence has not emerged.

It is extremely difficult to trace the origin of botnet devices without similarly seizing the infrastructure and dissecting it after the fact. As security researchers correctly point out, the fact that a good deal of traffic came from devices in Ukraine does not point to the country's involvement in the DDoS attacks. On the contrary, it might point to Russian involvement given that country's heavy focus on cyberattacks on Ukraine in recent years. Chad Cragle, CISO at Deepwatch, thinks that some sort of nation-state may well be involved given the sheer amount of resources being thrown at X: "X is under relentless cyberattacks, 24/7/365; this is far beyond simple DoS attempts. These are full-scale DDoS assaults, combined with sophisticated botnet activity, credential stuffing, API abuse, and targeted application-layer attacks designed to cripple operations. While technical issues can occur, X's engineers understand scalability and redundancy. This isn't incompetence; it's cyberwar hitting at full force. With Musk in the spotlight and political tensions at a peak, these attacks bear all the indicators of nation-state aggression. They're throwing everything but the kitchen sink at X, and others pushing for maximum disruption, downtime, and, if possible, data exposure."

J Stephen Kowski, Field CTO at SlashNext, also cautions about being too quick to take the word of anonymous posts on the internet even with accompanying evidence: "Determining the true cause of outages requires independent verification, as it's challenging to confirm cyber-attacks without direct access to the targeted infrastructure. Major platforms typically face numerous attack attempts daily, making such claims plausible, though a group called 'Dark Storm Team' claiming responsibility on Telegram would need to be verified through advanced threat detection technology rather than public statements alone. The evidence from X and from the attackers claiming credit appears very limited. For every company, there is a tradeoff between cybersecurity defense costs and revenue-generating activities, with most companies being a bit understaffed and under-resourced in their security operations."

Randolph Barr, CISO at Cequence, expands on forensics that can be used to assist (and measures other organizations can take to protect themselves): “In cases like this, it’s difficult to pinpoint the exact type of attack used. It could be volumetric, application-layer, protocol-based, or a multi-vector attack. I’m curious about which approach the bad actors took if this is indeed a DDoS attack. Many organizations, including X, have solid protections in place to defend against standard attacks. However, there are emerging threats that pose a challenge to remediation, such as encrypted DDoS attacks, where traffic is encrypted and disguised, making detection difficult. This type of attack can be especially time-consuming to address. The motivation behind these attacks may lean toward Hacktivism or Nation-State actors. Hacktivists might target X for political reasons, or it could be part of a broader effort to disrupt media platforms. Retaliation and revenge are also potential driving factors. Fortunately, there are several protections companies can implement, many of which they should already have in place. For instance, cloud-based solutions from providers like AWS and Google Cloud offer tools to help mitigate these attacks. Additionally, AI/ML-powered solutions can detect abnormal traffic patterns and differentiate between bots and real users. Rate limiting is another mitigation method, but it has its limits when dealing with large traffic volumes. The key takeaway here is the increasing sophistication of these attacks. As automation, botnets, and AI-driven techniques evolve, these attacks are becoming harder to mitigate. Bad actors are refining their strategies, targeting not only network infrastructures but also application layers and, most critically, APIs.”
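As an added illustration of Barr's point that per-source rate limiting has limits against large volumes, and of the challenge-on-too-many-requests behaviour described for Cloudflare above (this is example code, not from the article, X, Cloudflare or anyone quoted): a sliding-window per-IP limiter flags a single heavy source but sees nothing when a botnet spreads the same volume over many addresses that each stay under the limit, whereas a crude aggregate-rate check against the normal baseline still catches it. All traffic below is constructed from documentation address ranges, and the thresholds are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds of constructed traffic in each scenario

def normal_traffic():
    # Constructed baseline: 20 users, one request each every 10 s -> 120 requests.
    return [(t + i % 10, f"192.0.2.{i}") for t in range(0, WINDOW, 10) for i in range(20)]

def concentrated_attack():
    # Constructed: one source (documentation address) sends 300 requests in 60 s.
    return [(t % WINDOW, "203.0.113.7") for t in range(300)]

def distributed_attack():
    # Constructed: 250 bot sources, two requests each; none exceeds a per-IP limit alone.
    return [((i + k) % WINDOW, f"198.51.100.{i}") for i in range(250) for k in (0, 30)]

def per_ip_challenge(events, limit=30, window=WINDOW):
    """Sliding-window per-source limiter: sources with more than `limit`
    requests within any `window` seconds are the ones that would be challenged."""
    recent = defaultdict(deque)
    flagged = set()
    for t, ip in sorted(events):
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def aggregate_anomaly(events, baseline_rps, factor=3.0, window=WINDOW):
    """Crude aggregate check: total request rate against a multiple of the normal
    baseline. It catches volume that per-IP limits have been spread too thin to see."""
    return len(events) / window > factor * baseline_rps

def evaluate(attack):
    base = normal_traffic()
    baseline_rps = len(base) / WINDOW          # 2.0 rps from the constructed baseline
    mixed = base + attack
    return {
        "per_ip_flagged": per_ip_challenge(mixed),
        "aggregate_anomaly": aggregate_anomaly(mixed, baseline_rps),
        "rps": len(mixed) / WINDOW,
    }

if __name__ == "__main__":
    for name, attack in (("concentrated", concentrated_attack()), ("distributed", distributed_attack())):
        r = evaluate(attack)
        print(f"{name:12s} rps={r['rps']:.1f} per-IP flagged={sorted(r['per_ip_flagged'])} "
              f"aggregate anomaly={r['aggregate_anomaly']}")
```

Real deployments replace the fixed baseline with a rolling one and add per-path, per-token and behavioural signals; the contrast between the two scenarios is the point, not the thresholds.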