Apple Inc.'s iCloud service for users in mainland China has been
hit by an attack that could allow perpetrators to intercept and see
usernames, passwords and other personal data, activists and
security analysts said.
Though the perpetrator's identity was unclear, the attack came
as tensions between the U.S. and Chinese governments have simmered
over accusations of cyberespionage and hacking attacks. The online
censorship watchdog GreatFire.org claimed Chinese authorities were
behind the attack, though other experts said the source couldn't be
determined. A spokeswoman for China's Foreign Ministry said she was
unaware of the matter and reiterated Beijing's position that it
opposes cyberattacks.
Apple said in a statement on its website that it is aware of
"intermittent organized network attacks" aimed at obtaining user
information from iCloud.com. The company added that the attacks
don't compromise the company's iCloud servers and don't affect
iCloud sign-in on Apple devices running its iOS mobile software or
Macs running OS X Yosemite using its Safari browser.
Apple said users should not sign into iCloud.com if they receive
a warning from their browser that it is not a trusted site. Such a
warning suggests that the user has been compromised.
Apple did not mention China in its statement.
Concerns about the iCloud service in China began to emerge over
the weekend when tech-savvy Chinese Internet users--seeing warning
messages on their Internet browsers--raised suspicions in online
discussion groups that the iCloud server's communications with
users in China had been compromised.
Taiwan-based Chinese Internet activist Zhou Shuguang tested the
service and found that communication channels between iCloud users
and the iCloud server had been hijacked by an attacker in what is
known as a "man-in-the-middle" tactic, Mr. Zhou said. Separately,
Erik Hjelmvik, an analyst with Netresec AB, a
network-security-software vendor in Sweden, said Tuesday he
reviewed data posted online by Chinese Internet users and arrived
at a similar conclusion.
"It's evident that it's quite massive," Mr. Hjelmvik said. He
said the perpetrators were able to attack users in different parts
of China who used different Internet service providers. "The attack
was quite sophisticated in that they apparently have quite a huge
system set up in order to be able to intercept on such a large
scale."
The attack meant unauthorized parties would be able to decrypt
the communication between iCloud users and the server, analysts
said. This puts the iCloud users' usernames, passwords, files,
pictures and contacts at risk of being seen unencrypted.
Security analysts said the attack seen in China required the
perpetrator to have decent links to the country's Internet service
providers. "If this is true, and given the man-in-the-middle attack
being done at this level, we can assume this is not the work of a
script kiddie trying to prove and boast his hacking skills," said
Goh Su Gim, Asia Pacific security adviser for F-Secure, a Finnish
online security firm. "The attackers are more professional in this
case, and could be the work of a group, a syndicate or even
nation-state sponsored."
Activists like GreatFire.org accused the Chinese government of
the attack. But some security analysts were skeptical that
Beijing, with sizable resources at its disposal, would order an
attack that is so easily detected.
"This doesn't seem like the sort of attack an adversary with the
resources of a government would attempt, since connecting users
would see a very obvious security warning from their browser. It's
more likely the sort of attack you'd see from someone with limited
resources," said Kevin Milner, a researcher working on Internet
infrastructure security at Oxford University.
The attack is the latest blow to Apple after a leak of celebrity
photos from its iCloud system last month raised concerns about
whether the service provides sufficient security. Analysts pointed
out that the reports of the attack surfaced around the time of the
launch in China of Apple's latest iPhone, equipped with stronger
encryption. In the wake of revelations by former National Security
Agency contractor Edward Snowden, Apple said it would use
encryption on its phones that would prevent law enforcement from
retrieving data on them.
Similar attacks have been reported in recent months affecting
China-based users accessing Google Inc. through a particular
network, as well as Microsoft Corp.'s Hotmail services. Google and
Microsoft didn't respond to requests for comment.