A major cyberattack on Elon Musk’s social media platform X (formerly known as Twitter) brought the site down for users across the globe, sparking concerns over security flaws within the platform. Cybersecurity analysts have traced the attack to vulnerable servers inadequately protected against malicious traffic, underscoring the risks faced by the platform despite its global prominence.
The disruption, which caused intermittent outages for users on Monday, was attributed to a large-scale cyberattack that Musk labeled as a “massive, coordinated” assault. He suggested that it was carried out by a “large group” or potentially a country, though he provided no concrete evidence to support his claim. The attack was quickly identified as a distributed denial-of-service (DDoS) attack, a method that overwhelms a website with a flood of traffic, rendering it inaccessible to users.
Details of the Attack: Vulnerabilities Exploited
Jérôme Meyer, a security researcher at Nokia Deepfield, confirmed that the attack on X was a DDoS assault. Meyer’s analysis of the attack was made possible by data collected through Nokia’s Deepfield technology, which is deployed in telecommunications companies and provides DDoS protection services. The attack targeted X’s “origin servers,” which are responsible for processing and responding to incoming internet requests.
These servers, however, were inadequately protected, leaving them vulnerable to the DDoS onslaught. According to Meyer, X failed to properly shield these servers with technologies that would have blocked such attacks. “They should not be exposed on the internet,” Meyer said, adding that one of the servers involved in the attack remained vulnerable even on Tuesday morning.
The severity of the attack highlights a major oversight in X’s cybersecurity infrastructure, as such origin servers should ideally be protected by specialized DDoS prevention services. However, Meyer suggested that X’s servers were inadequately defended, making them easy targets for the cybercriminals behind the attack.
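The oversight described above is usually a policy problem: the origin answers web traffic from any source instead of only from the DDoS scrubbing or CDN provider that is supposed to front it. The following audit script is an added example, not code from the article, from X or from Nokia; it assumes a hypothetical firewall policy expressed as a list of allow rules and uses constructed RFC 5737 documentation prefixes in place of any real provider's edge ranges. It flags the weak rules that let arbitrary internet sources reach the origin's web ports and shows the hardened policy that restricts those ports to the provider's ranges.

```python
"""Audit an origin server's ingress policy for direct internet exposure.

Added example (not from the article or any vendor). The provider ranges,
admin network and rules below are constructed placeholders using RFC 5737
documentation prefixes, not real addresses.
"""
import ipaddress

# Hypothetical: the only networks that should reach the origin on the web
# ports are the scrubbing/CDN provider's edge ranges (constructed values).
PROVIDER_EDGE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Ports on which the origin serves the site and which must stay shielded.
ORIGIN_PORTS = {80, 443}

# Weak policy (constructed): web ports open to the whole internet, so the
# scrubbing layer can simply be bypassed by sending traffic to the origin.
WEAK_POLICY = [
    {"action": "allow", "src": "0.0.0.0/0", "dport": 443},
    {"action": "allow", "src": "0.0.0.0/0", "dport": 80},
    {"action": "allow", "src": "203.0.113.0/24", "dport": 22},  # admin net
]

# Hardened policy (constructed): only the provider's edge ranges may reach
# the web ports; the admin rule is unchanged because port 22 is not a web port.
HARDENED_POLICY = [
    {"action": "allow", "src": "192.0.2.0/24", "dport": 443},
    {"action": "allow", "src": "198.51.100.0/24", "dport": 443},
    {"action": "allow", "src": "192.0.2.0/24", "dport": 80},
    {"action": "allow", "src": "198.51.100.0/24", "dport": 80},
    {"action": "allow", "src": "203.0.113.0/24", "dport": 22},
]


def _inside_provider(src, provider_ranges):
    """True if every address in `src` lies within one provider edge range."""
    return any(
        src.version == edge.version and src.subnet_of(edge)
        for edge in provider_ranges
    )


def exposed_rules(policy, provider_ranges=PROVIDER_EDGE_RANGES, ports=ORIGIN_PORTS):
    """Return the allow rules that let non-provider sources reach origin web ports."""
    findings = []
    for rule in policy:
        if rule["action"] != "allow" or rule["dport"] not in ports:
            continue
        # strict=False tolerates host bits set in a rule such as 10.1.2.3/24.
        src = ipaddress.ip_network(rule["src"], strict=False)
        if not _inside_provider(src, provider_ranges):
            findings.append(rule)
    return findings


def origin_is_shielded(policy, provider_ranges=PROVIDER_EDGE_RANGES, ports=ORIGIN_PORTS):
    """True when no rule exposes the origin's web ports beyond the provider."""
    return not exposed_rules(policy, provider_ranges, ports)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        bad = exposed_rules(policy)
        print(f"{name}: shielded={origin_is_shielded(policy)}")
        for rule in bad:
            print(f"  exposed: {rule['src']} -> port {rule['dport']}")
```

The check only reasons about the written policy; in practice it should be paired with an external connectivity test from a non-provider address to confirm that the origin really refuses direct requests, since an unused or mis-ordered rule can leave the server reachable even when the policy looks correct.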
Responsibility and Attribution: Uncertainty Surrounds Claims
A pro-Palestinian “hacktivist” group known as Dark Storm Team claimed responsibility for the attack. However, they did not provide evidence to substantiate their claim, leaving room for speculation. Musk’s own comments about the origin of the attack also generated confusion. He suggested in an interview that the IP addresses linked to the attack traced back to the “Ukraine area.” However, cybersecurity experts have questioned this assertion, pointing out that identifying the geographic location of IP addresses in a DDoS attack can be misleading.
Nokia’s Meyer stated that the majority of devices used to flood X with traffic were actually located in the United States, Mexico, Spain, Italy, and Brazil. These devices were likely part of a botnet—a network of infected computers controlled by hackers. Meyer further explained that the attackers could be hiding their true location by using obfuscation techniques to conceal their identity.
Former US Cyber Command official Jason Kikta also criticized Musk’s assertion, noting that disguising the apparent location of traffic in a DDoS attack is “trivial and routine” for hackers. “The IP addresses a victim sees in a DDoS attack are about as meaningful as describing what kind of ski mask a bank robber was wearing,” Kikta remarked. He added that IP addresses provide only a starting point for an investigation, but they are not reliable indicators of the attackers’ true location.
Botnets and Exploited Devices: The Scale of the Attack
The DDoS attack on X was linked to a botnet known as “Eleven11bot.” A botnet is a collection of infected devices, often computers or security cameras, that are controlled remotely by an attacker. According to Meyer, the Eleven11bot botnet used between 10,000 and 20,000 IP addresses during the attack. Many of the devices in this botnet were security cameras and network video recorders that had been compromised with malicious software.
Meyer’s research showed that Eleven11bot has a history of carrying out denial-of-service attacks, particularly against communications service providers and gaming hosting infrastructure. The scale of the botnet, combined with its diverse range of infected devices, made the attack on X particularly potent.
Security Oversights at X: Impact of Staff Reductions
The attack on X comes at a time when the company has faced significant staff reductions since Elon Musk’s acquisition of Twitter in 2022. According to sources, more than 100 individuals working in X’s security and privacy teams left the company after Musk took over. This mass exodus halved the size of the team responsible for safeguarding the platform’s infrastructure against cyberattacks and data breaches.
Cybersecurity experts have raised concerns that the reduced staffing levels at X may have contributed to the vulnerabilities that were exploited during the recent cyberattack. David Mound, a senior penetration tester at cybersecurity firm SecurityScorecard, pointed out that protecting origin servers is a fundamental security best practice. “If X’s origin servers were exposed or lacked adequate filtering, that would be a fundamental security oversight,” Mound explained.
The situation also underscores the increasing sophistication of cyber threats targeting major tech platforms. While large websites typically have robust security measures in place to fend off such attacks, the exposure of critical infrastructure can leave them vulnerable to cybercriminals.
Ongoing Vulnerabilities and the Need for Improved Security
Despite the efforts to mitigate the attack, the exposure of X’s origin servers highlights ongoing vulnerabilities within the platform’s security posture. Experts argue that X must urgently address these issues to prevent future cyberattacks, especially given the scale of the DDoS attack and the sophisticated techniques employed by the attackers.
As for Musk’s company, it faces growing scrutiny over its security practices and its ability to protect its infrastructure. Given the rising frequency of large-scale cyberattacks, securing social media platforms has never been more crucial. The attack on X serves as a reminder that even the most well-known tech companies are not immune to the risks posed by cybercriminals.
Ultimately, the incident has shed light on the importance of proactive cybersecurity measures, including proper server shielding, robust DDoS protection, and comprehensive threat monitoring. Only time will tell whether X can recover from this attack and reinforce its defenses against future cyber threats.
