Cyber Incident Victim: Canonical Ltd.
Date: May 2026
Location: United Kingdom
Summary
Canonical reported that its web infrastructure was under a sustained cross-border distributed denial-of-service attack that disrupted access to its main website, the security.ubuntu.com repository, archive.ubuntu.com, login.ubuntu.com, keyserver.ubuntu.com, the Snap store, Launchpad, Landscape, and maas.io, while mirror-based updates remained available. The attack was claimed by a hacktivist group identifying itself as the Islamic Cyber Resistance in Iraq 313 Team, which stated it was using a DDoS-for-hire service capable of multi-terabit traffic and later indicated extortion intentions. Users experienced 503 errors and inability to download OS images or updates from the primary channels, although alternative mirrors continued to provide updates and ISO images. The company said it was working to restore services and would share updates through official channels when possible.
Description
On the evening of 30 April 2026, around 6 PM UK time, Canonical’s web infrastructure began experiencing a sustained cross‑border attack that disrupted public‑facing Ubuntu services. By the morning of 1 May 2026 the outage had persisted for approximately twenty hours, with later reports indicating the disruption continued beyond twenty‑four hours. The attack affected the main Ubuntu website, the Ubuntu blog, the Snap store, Launchpad, Landscape, maas.io, jaas.ai, portal.canonical.com, contracts.canonical.com, assets.ubuntu.com, developer.ubuntu.com, academy.canonical.com, and the Ubuntu Security API endpoints for CVEs and notices. Key repository hosts such as archive.ubuntu.com, security.ubuntu.com and keyserver.ubuntu.com:11371 were reported as offline or slow, although users could still obtain Ubuntu ISO images and install updates through geographically distributed mirrors. The status page at status.canonical.com displayed the same message that Canonical posted on its website and on X, stating that the infrastructure was under a sustained cross‑border attack and that the company was working to address it, with promises of further updates through official channels.

The disruption left users unable to download Ubuntu distributions via the usual channels, log into Canonical accounts, or access the Snap store or Launchpad services. While the core Ubuntu operating system remained uncompromised, the outage hindered the delivery of security updates from the primary security repository, though mirror-based updates continued to function normally. Canonical did not provide technical details of any mitigation measures beyond acknowledging the attack and committing to communicate further information as it became available.

The group identifying itself as The Islamic Cyber Resistance in Iraq – 313 Team, also described as a pro-Iran hacktivist faction, claimed responsibility via its Telegram channel. It initially stated the attack would last four hours but later indicated it would continue unless Canonical responded to an extortion message that included a Session Contact ID. The attackers said they were using a DDoS-for-hire service called Beamed (also referred to as Beam or a booter/stresser) that claims to generate traffic exceeding 3.5 Tbps. The same group had previously claimed DDoS attacks on eBay's Japan and US divisions and on BlueSky.

Shortly before the outage, researchers disclosed a vulnerability nicknamed "Copy Fail" involving a 732-byte Python script that could obtain root on many Linux distributions, but no evidence linked this vulnerability to the DDoS incident, and Canonical characterized the event as a sustained cross-border attack rather than a vulnerability-driven breach. Law-enforcement agencies such as the FBI and Europol have historically targeted similar booter services, though the attack remained ongoing at the time of the reported updates.
