By PAUL MOZUR, NICOLE PERLROTH and BRIAN X. CHEN
OCT. 21, 2014
The New York Times
HONG KONG — For Apple in China, trouble seems to be the new normal.
Cybersecurity
monitoring groups and security experts said on Monday that people trying to use
Apple’s online data storage service, known as iCloud, were the target of a new
attack that sought to steal users’ passwords and then spy on their activities.
Starting
over the weekend, when many users across China tried to sign into their iCloud
accounts, they may have been giving away login information to a third party, in
what is called a man-in-the-middle attack.
“You think
you are getting information directly from Apple, but in fact the authorities
are passing information between you and Apple, and snooping on it the whole
way,” said a spokesman for an independent censorship-monitoring website,
GreatFire, who declined to be named because of fear of reprisal.
The
back-end I.P. address targeted by the attack was changed Tuesday by Apple,
according to a tweet from GreatFire.
News of the
vulnerability came just as the new iPhone 6 arrived in Chinese stores after a
monthlong regulatory delay tied, in part, to concerns about the phone’s
security.
Activists
and security experts say they believe the attacks are backed by the Chinese
government because they are hosted from servers to which only the government
and state-run telecommunications companies have access, according to GreatFire.
They are also similar to recent attacks on Google, Yahoo and Microsoft aimed at
monitoring what users were retrieving on the sites.
“All signs
point to the Chinese government’s involvement,” said Michael Sutton, vice
president for threat research at Zscaler, a San Jose, Calif.,
security company. “Evidence suggests this attack originated in the core
backbone of the Chinese Internet and would be hard to pull off if it was not
done by a central authority like the Chinese government.”
The
targeting also potentially reveals a new Chinese government effort to adapt to
initiatives by Internet companies — most notably new encryption techniques — to
protect user data from government spying.
“The
Chinese government could no longer sniff traffic, so they intercepted that
traffic between the browser and the iCloud server,” Mr. Sutton said.
Chinese
officials could not immediately be reached for comment.
Many web
browsers, like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox, flashed a
warning to users that a so-called encryption certificate that is supposed to
identify who is on the other end of a web session should not be trusted. That
indicated that users were inadvertently communicating with the attackers,
rather than iCloud. In effect, the hackers stepped into the middle of the online
conversation.
Mr. Sutton
noted that Qihoo, a browser offered by the Qihoo 360 Technology Company that is
popular in China,
did not flash a warning to users.
“As more
sites move to encryption by default — which prevents the censorship authorities
from selectively blocking access to content — the Chinese authorities will grow
increasingly frustrated with their ability to censor that content,” said the
GreatFire spokesman.
“In some
ways their hands are being forced. They can attempt these man-in-the-middle
attacks or choose to outright block access to these sites. The more sites they
block, the more they cut off the Chinese populace from the global Internet,” he
added.
The timing
of the attack, aligned with the release of the new iPhone in China, is a potential
indicator that the government is trying to harvest sign-in data from a large
number of users who are switching over to the iPhone 6. The new phone comes
with better encryption to protect against government snooping.
In
September, Apple, based in Cupertino, Calif., said its latest operating
system, iOS 8, included protections that made it impossible for the company to
comply with government warrants asking for customer information like photos,
emails and call history.
The change
prompted the Federal Bureau of Investigation director, James B. Comey, to say
in a recent speech that new encryption by Apple and others “will have very
serious consequences for law enforcement and national security agencies at all
levels.”
“Sophisticated
criminals will come to count on these means of evading detection,” Mr. Comey
said.
In August,
Apple began storing data for iCloud on servers in China in a move it said was
intended to enhance performance of the service there. The company said the
state-owned service provider China Telecom, which owns the servers where the
data is stored, did not have access to the content.
But
security experts say it appears that Beijing
has found a workaround, by coordinating man-in-the-middle attacks on a mass
scale.
Apple on
Tuesday acknowledged a network attack, but clarified that its iCloud servers
were not breached. On a security webpage, it implied that man-in-the-middle
attacks were being used to direct people to fake connections of iCloud.com,
making their user names and passwords vulnerable to theft.
On the
webpage, Apple explained how people could distinguish an authentic iCloud.com
site from a fake one. Basically, users will receive warnings when the browser
detects a fake certificate or an untrusted connection. Apple advised people to
heed those warnings and avoid signing in.
“Apple is
deeply committed to protecting our customers’ privacy and security,” said Trudy
Muller, an Apple spokeswoman. “We’re aware of intermittent organized network
attacks using insecure certificates to obtain user information, and we take
this very seriously.”
Ms. Muller
declined to comment on whether Apple had identified the Chinese government as
the source of the attacks.
Security
experts said users should not visit websites if they receive a browser warning.
Mr. Sutton also advised users to turn on two-factor authentication whenever
possible, a procedure in which a user is prompted to enter a second one-time
password that has been texted to the user’s phone. That way, he said, even if
an attacker intercepts a password, they cannot use it to log into a site
without the second password. “Users should treat this seriously,” Mr. Sutton
said.
Paul Mozur
reported from Hong Kong, and Nicole Perlroth and Brian X. Chen from San Francisco.