Compliance Management, Incident Response, Privacy, TDR

Chinese MitM attack targets iCloud users


Millions of China-based Apple device users could have had their information compromised in a man-in-the-middle (MitM) attack earlier this week that some experts believe the Chinese government was behind.

The nationwide attack, aimed at intercepting users' iCloud login credentials and personal data, coincided with the launch of the iPhone 6, according to, a Chinese nonprofit group. An unknown party impersonated and was able to spy on users' actions if they clicked through their browser's phony certificate warning.

Although this type of attack wasn't surprising, said Percy Alpha, a pseudonym for a member of's team, in an email to, it was noteworthy because it targeted user data, whereas previous Chinese MitM efforts went for non-user information pages.

Beyond the targeting of user data, this attack affected an incredibly large group of people, which would require immense access to China's networks, said Jean Taggart, security researcher at Malwarebytes Labs in a Thursday interview with

“It would be difficult to achieve this attack if you didn't control the underlying infrastructure,” he said. “We can't say 100 percent, but there's a good indication that this was an effort by the Chinese government to access the data.”

The unknown attacker targeted one specific IP address, on which a self-signing certificate was implemented. Users' browsers should have warned them that the connection wasn't valid; however, indicated that at least one of the country's most popular browsers doesn't issue the warnings. Some of its users could have had their accounts compromised.

To some, the correlation between the attack's timing and the release of the iPhone 6 didn't seem coincidental. The phones have encryption enabled by default, and U.S. government organizations, including the Federal Bureau of Investigation (FBI), have already denounced Apple's encryption decision. The organization argues that law enforcement will be unable to access critical data to catch a wanted criminal or to respond to an emergency. China's stance isn't much different, said Steve Hulquist, chief evangelist at RedSeal Inc.

“In some ways, I was surprised at all the shock (around the attack),” he said in an interview with “It seemed to be a very natural thing to see happen. I would almost expect it. But it really was a surprise that they (the attackers) were so obvious.”

China's government feels it should be able to access its citizens' data whenever it wants, he said. “The right to privacy doesn't exist everywhere,” he said.

Following the attack, Apple posted a support page about its security. The company didn't mention China explicitly in the post, although it did discuss digital certificate security and ensuring secure logins. The post, available only in English and Chinese, walks users through various browsers and how to tell whether a certificate is valid. Additionally, Apple changed's DNS in China and the company's CEO Tim Cook visited the country following the attack, according to Xinhuanet, a Chinese news site.

As far as continuing to protect against MitM attacks, researchers suggested using a VPN service and being hyper aware of internet connections when in China.

“The battle to capture data moving into and out of totalitarian government regulated areas is going to happen forever,” Hultquist said. “That type of battle is just going to continue to escalate.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.