An Iran-linked hacktivist group, the “Islamic Cyber Resistance in Iraq 313 Team,” hit Canonical with a sustained DDoS attack starting approximately April 30, 2026, paired with a Session-channel extortion demand reported by VECERT.
Key Points
- Canonical labelled the incident a “sustained, cross-border attack” on its status page and had not publicly acknowledged the ransom demand at the time of the first major coverage on May 1, 2026.
- The 313 Team claimed responsibility through threat-intelligence account VECERT Analyzer and delivered an extortion message via a Session messenger ID, warning servers would stay offline if ignored.
- Affected services included ubuntu.com, security.ubuntu.com, lists.ubuntu.com, login.ubuntu.com, the Snap Store, Snapcraft, Launchpad, maas.io, Livepatch API, and Landscape, while Ubuntu APT mirrors and ISO downloads stayed online.
- The Hacker News submission tracking the outage was titled “Canonical/Ubuntu have been under DDoS for more than 15h” by the time it surfaced on the front page.
- The 313 Team is an Iran-linked hacktivist group with assessed ties to Iran’s Ministry of Intelligence and Security (MOIS), per a March 2026 HawkEye threat advisory.
What Happened?
The DDoS incident began around 6 PM UK time on April 30, 2026, affecting multiple Canonical services simultaneously. Canonical described the incident as a “sustained, cross-border” attack on its status page, indicating volumetric disruption rather than a traditional breach. PiunikaWeb reported in its May 1, 2026 article that the outage had already run for over 14 hours, placing the attack onset at approximately April 30, 2026.
Affected services included the Ubuntu main website and associated domains (lists.ubuntu.com, security.ubuntu.com, login.ubuntu.com), the Snap store and Snapcraft website, Launchpad and maas.io, Canonical’s portal and contracts subdomains, and Livepatch API and Landscape services. Ubuntu APT repositories stayed operational because they are distributed across multiple locations, and OS ISO downloads remained available via mirrored repositories. The Ubuntu operating system itself remained uncompromised.
A hacktivist group calling itself “The Islamic Cyber Resistance in Iraq 313 Team” claimed responsibility via the threat-intelligence account VECERT Analyzer.
Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it.
— Ubuntu (@ubuntu) May 1, 2026
We will provide more information in our official channels as soon as we are able to.
Who Is the 313 Team?
The 313 Team, also known as 313 Team Hack Team or Islamic Cyber Resistance, is an Iran-aligned hacktivist group with assessed ties to Iran’s Ministry of Intelligence and Security (MOIS), per a HawkEye threat advisory dated March 2026. The advisory notes the symbolic name references a 1969 Palestinian political cartoon character created by Naji al-Ali, and the group was first observed in December 2023, shortly after the Gaza conflict onset.
HawkEye’s catalogue of documented prior attacks names a June 2025 Truth Social DDoS campaign, a December 2023 sustained DDoS campaign against Saudi Arabia’s Absher platform, a February 2026 operation hitting 26 Kuwaiti government IP domains, and a March 2026 coordinated GCC campaign covering Saudi banks, Kuwait International Airport, and telecom operators.
The advisory describes the group’s primary TTPs as “wiper malware, data theft, phishing, extortion, and website defacement,” with a doctrine that emphasises visibility and psychological impact over technical sophistication. HawkEye documented over 250,000 messages across 313 Team’s affiliated Telegram networks used for announcements, target lists, proof screenshots, and coalition coordination.
The Canonical incident is the first time the group has publicly attacked a major open-source infrastructure operator rather than a social platform, government portal, or healthcare target. See also Bluesky’s day-long outage in mid-April, where the group claimed credit through Telegram.
Inside the Extortion Demand
According to VECERT, the 313 Team “sent an extortion message directly to the Ubuntu team with a Session ID to negotiate an end to the attack,” warning servers would remain offline if Canonical ignored them. Canonical had not publicly acknowledged the ransom demand as of PiunikaWeb’s May 1, 2026 publication; the attack began approximately April 30, 2026.
Session is a metadata-minimising messenger that uses random IDs, a common channel for ransom negotiations. The Canonical demand stops short of naming a monetary figure.
On Bluesky, the 313 Team similarly “flooded the site’s API with junk traffic to jam the system, successfully cutting the communication lines,” per Hackread’s April 22, 2026 reporting by Deeba Ahmed. Bluesky confirmed on April 20 that no data breach occurred and no evidence of unauthorized user data access surfaced during the attack.
Patch-Channel Fallout
PiunikaWeb noted the outage coincided with disclosure of a critical Linux vulnerability nicknamed CopyFail, preventing administrators from accessing security patches through normal channels during the multi-hour window. Canonical’s affected surface included the Livepatch API and security-related subdomains, the same systems Ubuntu hosts use to fetch CVE notices and patch metadata.
The mirror-versus-API distinction matters: APT package fetches still resolved, but the Security API delivering Ubuntu Security Notices and CVE data is not mirrored the same way, converting a website outage into patch-window leverage.
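One way to check a host's exposure to this distinction, as an added example that is not from the article or from Canonical: parse APT source definitions and report which `-security` suites are served only from hostnames the article lists as affected. The sample sources and `mirror.example.org` are constructed, and whether a given mirror actually carries the `-security` pocket is an assumption to verify separately.

```python
import re
from urllib.parse import urlparse

# Hostnames the article lists as affected (copied from the page, not a live feed).
AFFECTED = {"ubuntu.com", "security.ubuntu.com", "lists.ubuntu.com",
            "login.ubuntu.com", "maas.io"}
ONE_LINE = re.compile(r"^deb\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

# Constructed sample: one-line entries, then a deb822 stanza. mirror.example.org is hypothetical.
SAMPLE = """\
deb http://mirror.example.org/ubuntu noble main restricted
deb http://security.ubuntu.com/ubuntu noble-security main restricted
deb-src http://security.ubuntu.com/ubuntu noble-security main

Types: deb
URIs: http://security.ubuntu.com/ubuntu https://mirror.example.org/ubuntu
Suites: jammy-security
Components: main universe
"""

def parse_sources(text):
    """Yield (host, suite) for binary entries in one-line or deb822 format."""
    for stanza in re.split(r"\n\s*\n", text):
        fields = {}
        for line in map(str.strip, stanza.splitlines()):
            m = ONE_LINE.match(line)
            if m:
                yield urlparse(m.group(1)).hostname, m.group(2)
            elif ":" in line and not line.startswith(("deb", "#")):
                key, _, value = line.partition(":")
                fields[key.strip().lower()] = value.split()
        if "deb" in fields.get("types", []) and fields.get("enabled") != ["no"]:
            for uri in fields.get("uris", []):
                for suite in fields.get("suites", []):
                    yield urlparse(uri).hostname, suite

def security_exposure(text):
    """Map each *-security suite to the hosts serving it, split by affected status."""
    report = {}
    for host, suite in parse_sources(text):
        if suite.endswith("-security"):
            entry = report.setdefault(suite, {"affected": set(), "other": set()})
            entry["affected" if host in AFFECTED else "other"].add(host)
    return report

def single_origin_suites(text):
    """Security suites reachable only through hosts on the affected list."""
    return sorted(s for s, e in security_exposure(text).items() if not e["other"])
```

On a real host the input would be the concatenated contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.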
The April 2026 Hacktivist Surge
Bluesky experienced a distributed denial-of-service attack beginning April 15, 2026, at approximately 11:40 PM PDT, lasting roughly 24 hours. Four days after the Bluesky attack, the 313 Team similarly attacked mastodon.social, though its distributed infrastructure limited damage.
The targets are consistent with hacktivism that picks Western platforms whose downtime generates Western press coverage. Iran-linked operations against Western infrastructure are not new for the 313 Team specifically, given that HawkEye documented the June 2025 Truth Social DDoS attack as a prior US-target operation.
SQ Magazine’s Takeaway
The Canonical incident shows what happens when hacktivists pick infrastructure rather than headlines as the target. Ubuntu’s package mirrors saved most production hosts from being unable to install software, but the security API outage left the patch-decision surface degraded for hours, which is the part of the stack administrators actually rely on during a fresh-disclosure window.
The CopyFail timing collision makes the leverage real: when CVE notices stop flowing at the same moment a critical Linux vulnerability lands, the attack converts from a public-relations event into something with a measurable security cost. Canonical’s “sustained, cross-border” framing telegraphs this is not a single-source flood, and the group’s documented Telegram coordination channels are consistent with that read.