Iranian 313 Team DDoS'd Ubuntu Servers for 4 Days in May 2026
Quick summary
Iranian hacktivists 313 Team sustained a 4-day DDoS against Canonical Ubuntu infrastructure May 1-4, 2026. Package downloads and Launchpad were disrupted.
The Iranian hacktivist group 313 Team launched a sustained distributed denial-of-service attack against Canonical's Ubuntu infrastructure from May 1 through May 4, 2026. The attack disrupted Ubuntu package downloads, Launchpad (Ubuntu's development and bug tracking platform), and the Ubuntu snap store for periods of between 4 and 18 hours across the four-day window. 313 Team posted an extortion demand on May 2 — Canonical did not pay.
Canonical confirmed the incident on May 5 after service was fully restored. The company described the attack as "a sustained volumetric DDoS campaign with extortion elements." No data breach, no package tampering, and no infrastructure compromise were identified.
Who Are 313 Team
313 Team is an Iranian-linked hacktivist collective that has been active since at least 2023. The group is ideologically motivated — its public communications reference resistance to Western influence and support for Palestinian causes — but operates with tactical sophistication more associated with state-sponsored groups than typical hacktivist crews.
The name is a reference to the number 313, which holds significance in Twelver Shia eschatology. The group first gained significant attention for attacks on Israeli industrial control systems in 2023 and has since broadened to targeting Western technology and media infrastructure.
313 Team's capability set is notable: the DDoS campaigns it runs are multi-vector (combining application-layer exhaustion with volumetric amplification), which requires access to a substantial botnet or rented DDoS-as-a-service infrastructure. The group is assessed by several threat intelligence firms as having passive backing from Iranian state actors, though it maintains plausible independence from official attribution.
Prior targets include Israeli power grid monitoring systems (2023), a UK financial data vendor (late 2024), and a French government open data portal (early 2025). Ubuntu is the highest-profile target in its Western technology campaign to date.
What Was Disrupted
The attack vector was volumetric flooding of Canonical's package mirror infrastructure and the Launchpad web servers. The group did not attempt to inject malicious packages or compromise the cryptographic signing infrastructure — the attack was purely availability-focused.
Developer impact during the attack window:
- apt package installation: The primary Ubuntu package archive (archive.ubuntu.com) was intermittently unreachable. apt update and apt install commands timed out or returned connection refused errors. CI/CD pipelines that install packages from Ubuntu's default mirrors during build steps failed or required manual intervention to switch to regional mirrors.
- Launchpad: Bug reports, code reviews, and Ubuntu PPA (Personal Package Archive) operations were unavailable for approximately 18 hours across the four-day period. Ubuntu developers maintaining packages and triaging bugs in Launchpad lost productivity during the outage windows.
- Snap Store: Canonical's snap package distribution was disrupted intermittently. snap refresh and snap install commands failed during peak attack periods.
What was not disrupted: The Ubuntu ISO download infrastructure (cdimage.ubuntu.com) uses separate CDN routing and was not meaningfully affected. Ubuntu cloud images on AWS, Azure, and Google Cloud were unaffected — cloud providers cache images internally and do not pull in real time from Canonical's infrastructure.
The Extortion Demand
313 Team posted a message on May 2 via Telegram claiming responsibility and demanding payment to stop the attack. The amount demanded was not disclosed by Canonical. The group framed the demand within the context of UK government support for US military operations — the attack is presented as political retaliation rather than financially motivated crime.
Canonical's response was to not engage with the demand and to proceed with mitigation. This is the standard recommended response and consistent with UK government guidance on ransomware and extortion payments.
How Canonical Restored Service
Canonical activated its upstream DDoS mitigation provider (Cloudflare's DDoS protection layer, which Canonical uses for edge protection) to filter volumetric traffic. The attack was large enough to saturate the mitigation layer during peak periods, causing the intermittent outages throughout days 1-3. By day 4, traffic filtering rules were tuned sufficiently to maintain service continuity even as 313 Team continued the attack.
For developers who were affected, the workaround during the attack was to configure apt to use regional mirrors rather than the primary archive. Ubuntu maintains a list of official regional mirrors at launchpad.net/ubuntu/+archivemirrors — switching the sources.list to a geographically local mirror bypassed the attacked infrastructure.
The Broader Pattern
This attack fits a pattern that has been escalating since the Iran-US-Israel conflict intensified in early 2026. 313 Team and affiliated Iranian hacktivist groups have shifted from targeting Israeli and Middle Eastern infrastructure to targeting Western technology infrastructure as a pressure campaign against countries perceived as supporting US military operations against Iran.
The UK has been a specific focus — Canonical is a UK-registered company whose CEO, Mark Shuttleworth, operates from London, and 313 Team has explicitly called out UK companies in its public messaging.
Ubuntu is used by approximately 80% of cloud deployments that run Linux. A sustained multi-day attack on Canonical's package infrastructure is a meaningful disruption to the global developer ecosystem even if no data is stolen and no packages are tampered with. The 313 Team operation demonstrates an understanding of which chokepoints in software supply chains generate maximum developer-facing disruption without requiring actual system compromise.
The more significant risk is an escalation from availability attacks to supply chain attacks — attempting to inject malicious code into packages rather than just disrupting downloads. Canonical's package signing infrastructure uses hardware security modules and is architecturally separated from the distribution infrastructure that was attacked. The current attack did not reach that layer, but it is the threat model worth defending against if 313 Team's capabilities continue to expand.
Key Takeaways
- 313 Team DDoS on Canonical: May 1-4, 2026; Iranian hacktivist group; sustained volumetric DDoS on Ubuntu package mirrors, Launchpad, and Snap Store; no data breach, no package tampering, no supply chain compromise
- Developer impact: apt package installation failed intermittently; Launchpad down ~18 hours total; snap install disrupted; CI/CD pipelines that pull from Ubuntu default mirrors were affected
- Workaround: Switch apt sources.list to a regional mirror (launchpad.net/ubuntu/+archivemirrors) to bypass the attacked infrastructure
- Extortion demand: 313 Team demanded payment May 2; Canonical did not pay; standard guidance against engaging with extortion demands
- Attribution: 313 Team assessed as Iranian hacktivist with passive state backing; targets Western tech and media as retaliation for UK/US support of military operations against Iran
- Escalation risk: Current attack is availability-focused; the higher-threat scenario is a pivot to package injection attacks — Canonical's signing infrastructure is architecturally separated and was not compromised in this incident
Frequently Asked Questions
Who are 313 Team and why did they target Ubuntu in May 2026?
313 Team is an Iranian-linked hacktivist group active since at least 2023. The group is ideologically motivated, referencing resistance to Western influence in its communications, and is assessed by threat intelligence firms as having passive backing from Iranian state actors. The Ubuntu attack in May 2026 was framed as political retaliation against UK companies due to UK government support for US military operations against Iran. 313 Team has previously targeted Israeli industrial control systems, a UK financial data vendor, and French government infrastructure. Canonical, as a UK-registered company, fits its target profile for Western technology infrastructure attacks.
What Ubuntu services were disrupted by the 313 Team DDoS attack?
The attack disrupted three Canonical services: the Ubuntu package archive (archive.ubuntu.com), causing apt update and apt install commands to fail or time out; Launchpad, Ubuntu's development and bug tracking platform, which was unavailable for approximately 18 hours across the four-day period; and the Snap Store, which was intermittently unavailable. Ubuntu ISO downloads (cdimage.ubuntu.com) were not significantly affected due to separate CDN routing. Ubuntu cloud images on AWS, Azure, and Google Cloud were not affected because cloud providers cache images internally.
How do I work around Ubuntu package download failures from a DDoS attack?
Switch your apt configuration to use a regional mirror rather than the primary archive. Edit /etc/apt/sources.list (or files in /etc/apt/sources.list.d/) and replace archive.ubuntu.com with a geographically local mirror. Ubuntu maintains an official list of regional mirrors at launchpad.net/ubuntu/+archivemirrors — choose one in your region and update your sources.list accordingly. Run apt update after the change to confirm the new mirror is reachable. For CI/CD pipelines, configure this at the Docker base image level or in your pipeline setup step.
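The mirror switch described in the workaround section and in this answer, as an added example script (not Canonical's tooling and not from the original article): it probes a list of candidate regional mirrors, picks the first one that serves the running suite's InRelease index, and rewrites the apt source files to use it. The candidate hostnames are placeholders; take real ones from launchpad.net/ubuntu/+archivemirrors.

```shell
#!/bin/sh
# Fall back from archive.ubuntu.com to a regional mirror when the primary
# archive is unreachable. Candidate hostnames are hypothetical placeholders.
set -eu

PRIMARY="archive.ubuntu.com"
CANDIDATES="mirror.example.org ubuntu-mirror.example.net"

# Return 0 if the mirror serves the InRelease index for this suite within 10s.
mirror_reachable() {
    suite="noble"   # default; overridden from os-release when available
    [ -r /etc/os-release ] && suite="$(. /etc/os-release; echo "${UBUNTU_CODENAME:-$suite}")"
    curl -sfI --max-time 10 "http://$1/ubuntu/dists/$suite/InRelease" >/dev/null
}

# Print the first reachable candidate, or $PRIMARY if none responds.
pick_mirror() {
    for m in $CANDIDATES; do
        if mirror_reachable "$m"; then printf '%s\n' "$m"; return 0; fi
    done
    printf '%s\n' "$PRIMARY"
}

# Rewrite apt source lines on stdin, swapping the primary archive host for $1.
# Handles both one-line ("deb http://archive.ubuntu.com/ubuntu ...") and
# deb822 ("URIs: http://archive.ubuntu.com/ubuntu/") formats. Lines pointing
# at security.ubuntu.com are left untouched so security updates keep coming
# from Canonical directly. apt still verifies every mirror's InRelease
# signature against the Ubuntu archive keyring, so a mirror cannot silently
# substitute packages.
rewrite_sources() {
    sed "s#://$PRIMARY/#://$1/#g"
}

# Back up and rewrite every apt source file in place (requires root).
apply_mirror() {
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
             /etc/apt/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        bak="$f.bak.$(date +%Y%m%d)"
        cp -p "$f" "$bak"
        rewrite_sources "$1" < "$bak" > "$f"
    done
}

if [ "${1:-}" = "--apply" ]; then
    chosen="$(pick_mirror)"
    [ "$chosen" = "$PRIMARY" ] && echo "primary archive reachable; no change" && exit 0
    apply_mirror "$chosen" && apt-get update
fi
```

Run with `--apply` as root to rewrite the sources; without arguments the script only defines the functions, so the rewrite logic can be tested by piping sample lines into rewrite_sources.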
Was there any Ubuntu package tampering or supply chain compromise in the 313 Team attack?
No. Canonical confirmed on May 5, 2026 that the 313 Team attack was purely availability-focused — volumetric DDoS flooding of package mirror and web servers. There was no data breach, no package tampering, and no compromise of the cryptographic package signing infrastructure. The attack did not reach Canonical's hardware security module-protected signing systems, which are architecturally separated from the distribution infrastructure that was attacked. All packages distributed during and after the attack window have valid cryptographic signatures.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
