Chinese cybersecurity firm backs Elon Musk's account of DDoS attack on Trump conversation, identifies operator
XLab, part of Qi An Xin (QAX), says it observed a 50-minute attack on X in at least 34 waves by 4 botnet controllers, despite WaPo story casting doubt over Musk's claim.
The Washington Post just now (Wednesday, August 14) reported, under the headline "Former X employees, experts doubt Musk claim of cyberattack on Trump talk":
Former engineers at X and outside experts cast further doubt Tuesday on Elon Musk’s claim that a 40-minute delay in his Monday audio conversation with Donald Trump was caused by a “massive” cyberattack.
Musk said Monday that the technical glitches that stopped the heavily promoted episode on Spaces, X’s live audio platform, from starting on time were because of a distributed denial of service, or DDoS, attack, in which many devices send meaningless data at once to overwhelm an offering.
A senior engineer at X told an outside expert late Tuesday that there had been no evidence of an attack, the expert relayed to The Washington Post.
Other technologists also expressed skepticism, partially because a previous high-profile Spaces event — in which Florida Gov. Ron DeSantis launched his campaign for the Republican presidential nomination — also crashed when large numbers of listeners tried to join. Other parts of X kept functioning Monday, so any attack would have had to be extremely targeted.
“DDoS is certainly a plausible reason, but I think it’s unlikely, and I’d demand to see actual numbers to believe it was DDoS,” said former NSA hacker Robert Graham, a consultant and security commentator.
But XLab, part of 奇安信 Qi An Xin (QAX), one of the largest cybersecurity companies in China, reported that it did in fact observe the DDoS attack.
XLab wrote yesterday (Tuesday, August 13) in its Chinese-language blogpost on WeChat:
What is truly astonishing is that the social media platform X (formerly known as Twitter) itself is a globally recognized internet service provider, which should have extensive experience and relatively mature technical measures to defend against DDoS attacks. However, X still succumbed to the attack, indicating that the attackers' strategy was highly targeted and meticulously planned—calling it a "cyber sniper attack" would not be an exaggeration.
DDoS attacks, short for Distributed Denial of Service attacks, are a very traditional but highly effective form of brute force attack. The principle can be simply understood as follows: the attacker controls a large number of network devices (including servers, computers, mobile phones, IoT devices, etc.) to launch a massive amount of fake access requests to the target server, causing system congestion and paralysis, thereby preventing normal users from accessing the service.
The threat perception system of Qi An Xin's XLab detected the attack on the X platform immediately. The lab’s director, 宫一鸣 Gong Yiming, stated: “We observed that four Mirai botnet controllers were involved in the attack. Additionally, other hacker groups used reflection attacks, HTTP proxy attacks, and other methods to participate in this incident. Monitoring shows that the four botnet controllers launched at least 34 waves of DDoS attacks. The four control servers were mainly located in the UK (two), Germany (one), and Canada (one). The attacks lasted from 8:37 AM to 9:28 AM Beijing time, spanning 50 minutes, which closely matches the delay observed during the broadcast.”
The unusually long duration of the attack is a notable characteristic of this incident. Statistics show that the vast majority of DDoS attacks last only a few minutes, with some even as short as a few seconds, yet they can cause significant damage to the target system. However, this attack lasted nearly an hour, demonstrating that the attackers were clearly well-prepared and highly focused on their target.
In an English-language post entitled "Behind the Scenes: A Brief Overview of the DDoS Attack on the Trump-Musk Livestream", published on Wednesday, August 14, XLab offered more technical details:
Observations from XLab Regarding This Incident
As noted earlier, we did observe the DDoS attack incident. We identified four Mirai botnet C2s (command-and-control servers) involved in the attack. Additionally, other attack groups also participated using methods like HTTP proxy attacks. The attack lasted from 8:37 AM to 9:28 AM Beijing time, with a duration of 50 minutes, which closely matches the delay in the start time of the interview.
Mirai.zushi Attack
The four Mirai C2s involved in the attack belong to a new Mirai variant botnet we internally named Mirai.zushi. The Mirai.zushi botnet, a relatively new variant in the Mirai family, has been evolving since June of this year and has already infected approximately ten thousand devices. It uses RC4 encryption for communication traffic. The operators of Mirai.zushi are associated with the social media channel https://t.me/uglybotnet.
Interestingly, we discovered on social media that the Mirai.zushi operators claimed responsibility for generating 800G of attack traffic during this incident. Below is a screenshot of their chat records.
HTTP Proxy DDoS
In addition to the above-mentioned botnet attacks, our system also detected another highly destructive attack. This attack involved flooding the target with massive amounts of HTTP requests, utilizing numerous proxies and VPS machines, until the target’s resources were fully exhausted. The payloads of these HTTP requests indicate a highly targeted operation, specifically aimed at Donald Trump’s personal Twitter account at https://x.com/realdonaldtrump/. The exact attack payload is detailed below:
GET /realdonaldtrump/ HTTP/1.1
Host: x.com
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.7
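The request above carries a perfectly ordinary Chrome header set, so a defender cannot key on any single header; what distinguishes a proxy/VPS flood is one request shape replayed from many addresses. The following is an added example (not XLab's or X's code) of that detection over a constructed access log; the record field names and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
import hashlib

# Fields that define a request's "shape"; the source IP is deliberately left
# out, because a proxy/VPS flood spreads one shape across many addresses.
HEADER_FIELDS = ("method", "path", "user_agent", "accept_language",
                 "sec_ch_ua", "sec_fetch_site")

def fingerprint(rec):
    """Short stable hash of the request shape (hypothetical record layout)."""
    material = "\x1f".join(rec.get(f, "") for f in HEADER_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def detect_proxy_flood(records, min_requests=5, min_sources=5, min_share=0.8):
    """Return (path, fingerprint, requests, distinct_ips) for each request shape
    that is >= min_share of a path's traffic yet arrives from >= min_sources IPs:
    organic visitors mix browsers and languages, a replayed tool does not.
    Thresholds are illustrative; tune them against a traffic baseline."""
    per_path, per_shape = Counter(), defaultdict(lambda: [0, set()])
    for rec in records:
        per_path[rec["path"]] += 1
        shape = per_shape[(rec["path"], fingerprint(rec))]
        shape[0] += 1
        shape[1].add(rec["src_ip"])
    return [(path, fp, n, len(ips)) for (path, fp), (n, ips) in per_shape.items()
            if n >= min_requests and len(ips) >= min_sources
            and n / per_path[path] >= min_share]

# Constructed sample log: the flood shape copies the header set quoted above, sent
# from eight RFC 5737 documentation IPs standing in for the proxy/VPS pool.
FLOOD_SHAPE = dict(
    method="GET", path="/realdonaldtrump/", accept_language="en-US,en;q=0.7",
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
    sec_ch_ua='"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"',
    sec_fetch_site="none")
SAMPLE_LOG = [dict(FLOOD_SHAPE, src_ip=f"203.0.113.{i}") for i in range(1, 9)]
SAMPLE_LOG += [  # two organic visitors whose header sets differ from one another
    dict(method="GET", path="/realdonaldtrump/", src_ip="198.51.100.7",
         user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/604.1",
         accept_language="en-GB,en;q=0.9", sec_ch_ua="", sec_fetch_site="same-origin"),
    dict(method="GET", path="/home", src_ip="198.51.100.9",
         user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0",
         accept_language="de-DE,de;q=0.8", sec_ch_ua="", sec_fetch_site="none"),
]

if __name__ == "__main__":
    for path, fp, n, ips in detect_proxy_flood(SAMPLE_LOG):
        print(f"possible proxy flood on {path}: shape {fp}, {n} requests from {ips} IPs")
```

On the sample the eight replayed requests make up 8/9 of the traffic to the profile path and come from eight addresses, so that shape is flagged while the two organic visitors are not.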
Conclusion
The following screenshot displays all the attacks we mentioned and captured during this incident, with timestamps noted in GMT+8 (screenshot here).
[Disclosure: I have no expertise whatsoever in cybersecurity and just saw the XLab’s post and thought it would be interesting to share it. I don’t know XLab or Qi An Xin.]