Apple Inc.’s iCloud service in China was attacked by government-backed hackers, according to Greatfire.org, which monitors Internet censorship in the country.
A man-in-the-middle attack, where hackers position themselves between users and computer servers, was conducted by Chinese authorities, Greatfire wrote in a blog post. Not all users in China are affected because the attack is only staged against one of multiple Internet protocol addresses used by iCloud, it said.
“Apple is deeply committed to protecting our customers’ privacy and security,” Trudy Muller, an Apple spokeswoman, said today. She declined to comment on Greatfire’s report that the attack was conducted by China-backed hackers.
China’s State Council Information Office didn’t immediately respond to a faxed request for comment.
This week’s attack, aimed at gaining usernames and passwords, is at least the second that Greatfire has outlined in the past month by which China utilizes a man-in-the-middle strategy against Western websites. Facebook Inc.’s Instagram was blocked last month while Chinese messaging services including Tencent Holdings Ltd.’s WeChat are also controlled.
Successful implementation of the iCloud attack would allow access to data including messages, photos and contacts, Greatfire said. Customers should take note of security warnings, use a trusted browser and enable two-step verification to mitigate the threat, Greatfire said.
Political Tension
“If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities,” Greatfire said.
Muller said in her statement that the company is “aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously.” She referred users to a company website that detail how people can verify that their browser is securely connected to iCloud. The website advises consumers to “never enter their Apple ID or password into a website that presents a certificate warning.”
In August, Apple said it will shift user data onto servers run by China Telecom Corp., with the information to be encrypted. The latest iPhones gained approval for sale in China last month after Apple agreed to improve user security and privacy. Apple subsequently said pre-orders set a record in the country. The devices debuted in China on Oct. 17.
In May, U.S. prosecutors announced the indictments of five Chinese military officers for allegedly hacking into the computers of American companies, escalating tensions between the countries about cyber-security.
Apple last month said it will add new security features to iCloud after the accounts of celebrities using its services were hacked and photographs of them were posted on the Internet. The Cupertino, California-based company said people will receive e- mails and other alerts on their iPhones and iPads if an effort is made to change a password, log in from a new device or restore files.