Pointing finger at Ukraine after X outage is ‘dangerous’, cyber expert says

It would be “dangerous to point the finger” at Ukraine after Elon Musk said X’s outage had links to the country, a cybersecurity expert said.

Mr Musk said the social media platform was being targeted in a “massive cyberattack”, telling Fox Business Network that the attackers had “IP addresses originating in the Ukraine area”.

Complaints about outages spiked around 11am UK time on Monday, and again four hours later, with more than 40,000 users reporting no access to the platform, according to tracking website Downdetector.com.

Jake Moore, global cybersecurity adviser at software security firm Eset, told the PA news agency that he is “confident” it was a distributed denial-of-service (DDoS) attack, which involves multiple IP addresses flooding a server or website with internet traffic.

He went on: “Unfortunately, X remains one of the most talked about platforms making it a typical target for hackers marking their own territory.

“All that can be done to future proof their networks is to continue to expect the unexpected and build even more robust DDoS protection layers.

“IP addresses can also be directed via software to be seen to have originated anywhere in the world.

“Therefore, even if their analysis suggests Ukraine, it would be dangerous to point the finger so early on.”

Mr Moore added that “simple analysis” of the IP addresses would point towards their location, but that this can be “tampered with” to make it seem that the origin is in a different country.

Dan Card, a cyber expert from BCS – The Chartered Institute for IT, said: “The idea that someone can attribute this to Ukraine or the Ukraine area in that timeframe or at all – given the nature of DDoS/DoS attacks and architecture – is fantasy.”

He added: “It’s possible that Elon Musk is attributing it to Ukraine for political and business reasons, but Musk’s attribution statement is doubtful – based on the timeframe and source.”

The former chief executive of the National Cyber Security Centre (NCSC), Ciaran Martin, told BBC Radio 4’s Today programme that it was a “remarkable incident”.

Mr Martin said: “I am very surprised that X fell over as a result of a DDoS attack, it’s a very large-scale DDoS attack but it’s not that sophisticated, it’s a very old technique.”

He said that he could not think of an example of a company the size of X “falling over” due to a DDoS attack “for a very long time”, adding that it “doesn’t reflect well on their cybersecurity”.

Mr Martin said that Mr Musk’s claim that the attack had links to Ukraine was “wholly unconvincing based on the evidence so far” and “pretty much garbage”.

“Like all DDoS attacks, the effect is temporary, and so users to X this morning may well not spot anything wrong at all.

“Importantly, these sorts of attacks are almost always delivered by botnets. Globally distributed networks of computers that have been unknowingly recruited to take part in the attack – typically through some form of compromise or the use of malware.”

Meanwhile, David Mound, of third-party risk management platform SecurityScorecard, said: “Beyond technique evolution, DDoS motivations are shifting.

“Hacktivism has resurged, with groups like Killnet and Anonymous Sudan launching politically motivated disruptions against governments, financial institutions, and infrastructure providers.

“Meanwhile, ransom DDoS campaigns have increased, with attackers extorting businesses by threatening prolonged downtime.

“Nation-state actors are also employing DDoS as part of broader cyber influence and disruption campaigns, particularly in geopolitical conflicts.”

Mr Musk, who is acting as an adviser on federal spending to Donald Trump, previously said Ukrainian president Volodymyr Zelensky is running a “fraud machine feeding off the dead bodies of soldiers”, suggesting limited appetite for continued American support for Ukraine.

The Tesla CEO bought the site, formerly Twitter, in 2022.