Apple can’t seem to catch a break lately. Yesterday we noted the latest WikiLeaks release which exposed yet another CIA spying scandal, this time revolving around efforts to bug “factory fresh” iPhones before they even reach the hands of consumers (see “Wikileaks Releases “NightSkies 1.2”: Proof CIA Bugs “Factory Fresh” iPhones“).
Also included in this release is the manual for the CIA's "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had already reached version 1.2 by 2008 and is expressly designed to be physically installed onto factory-fresh iPhones, i.e., the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems already in the custody of a target, it is likely that many CIA physical-access attacks have instead infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending them) leaving the United States or elsewhere.
Today, courtesy of CIO, we learn that a group of hackers calling themselves the "Turkish Crime Family" has been in direct contact with Apple and is demanding a $150,000 ransom by April 7th, failing which they say they will wipe as many as 600 million Apple devices for which they allegedly hold account passwords.
The group said via email that it has had a database of about 519 million iCloud credentials for some time, but did not attempt to sell it until now. Interest in such accounts on the black market has been low because of the security measures Apple has put in place in recent years, it said.
Since announcing its plan to wipe devices associated with iCloud accounts, the group claimed that other hackers have stepped forward and shared additional account credentials with them, putting the current number it holds at over 627 million.
According to the hackers, over 220 million of these credentials have been verified to work and provide access to iCloud accounts that don’t have security measures like two-factor authentication turned on.
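The "verified to work" claim above implies that someone ran a large credential list against the login endpoint and kept the hits, which is credential stuffing and leaves a distinctive trace: one source address trying many different accounts once or twice each, with a mix of successes and failures. The following is an added illustration, not code from the article, from Apple, or from the group, of how a defender would spot that pattern in authentication logs and extract the accounts whose passwords were confirmed. The log format, thresholds, and log lines are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (NOT real iCloud/Apple logs; the format is assumed):
#   <ISO timestamp> <source IP> <account> <OK|FAIL>
# 203.0.113.7 walks a credential list (7 accounts, one try each, 3 hits).
# 198.51.100.9 retries a single account three times (a typo or a brute force, not a list).
# 192.0.2.33 is an ordinary single successful login.
SAMPLE_LOG = """\
2017-03-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2017-03-22T10:00:02Z 203.0.113.7 bob@example.com OK
2017-03-22T10:00:03Z 203.0.113.7 carol@example.com FAIL
2017-03-22T10:00:04Z 203.0.113.7 dave@example.com OK
2017-03-22T10:00:05Z 203.0.113.7 erin@example.com FAIL
2017-03-22T10:00:06Z 203.0.113.7 frank@example.com FAIL
2017-03-22T10:00:07Z 203.0.113.7 grace@example.com OK
2017-03-22T10:01:00Z 198.51.100.9 heidi@example.com FAIL
2017-03-22T10:01:05Z 198.51.100.9 heidi@example.com FAIL
2017-03-22T10:01:11Z 198.51.100.9 heidi@example.com OK
2017-03-22T10:02:00Z 192.0.2.33 ivan@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), result == "OK"


def detect_credential_stuffing(log_text, window_seconds=600, min_accounts=5,
                               max_tries_per_account=2.0):
    """Flag source IPs that try many distinct accounts, each only a time or two,
    within a sliding time window. Per flagged IP, report how many accounts were
    tried and which logins succeeded (credentials the attacker has now 'verified').
    Thresholds are assumed values for the example, not a vendor's tuning."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, _, acct, _ in window:
                per_account[acct] += 1
            tries_per_account = len(window) / len(per_account)
            # A list walk touches many accounts lightly; a brute force hammers one.
            if len(per_account) >= min_accounts and tries_per_account <= max_tries_per_account:
                hits = {acct for _, _, acct, ok in window if ok}
                prev = flagged.get(ip, {"accounts_tried": 0, "validated": set()})
                flagged[ip] = {
                    "accounts_tried": max(prev["accounts_tried"], len(per_account)),
                    "validated": prev["validated"] | hits,
                }
    # Sort the validated sets so the output is stable and directly reusable
    # (e.g. as the input list for a forced password reset).
    return {ip: {"accounts_tried": v["accounts_tried"],
                 "validated": sorted(v["validated"])} for ip, v in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The point of separating `accounts_tried` from `validated` is operational: the first tells you a list is being walked and which address to block or rate-limit, the second is the set of accounts whose passwords the attacker now knows work, which is exactly the set a provider would force-reset and push toward two-factor enrollment, whatever the extortion demand says.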
Of course, if credible, with an ask of just $150k, this is the most modest group of hackers we’ve ever come across.
News website Motherboard reported seeing alleged emails between the hackers and Apple in which a member of the company’s security team said that the company does not plan to reward cybercriminals for breaking the law and that the communications have been archived and sent to the authorities.
Meanwhile, the hackers apparently told CIO the ransom demand was intended to “spread awareness” for their ‘boys’ who got caught up in the Yahoo hacking scandal and likely face severe sentences.
“We are doing this because we can and mainly to spread awareness for Karim Baratov and Kerem Albayrak, which both are being detained for the Yahoo hack and one of them is most probably facing heavy sentencing in America,” a representative for the group said via email. “Kerem Albayrak on the other hand is being accused of listing the database for sale online.”
The representative said that the group’s members are originally from Istanbul, Turkey, but that they now “rep” Green Lanes, an area in North London.
Karim Baratov, a Canadian national, was indicted last week for allegedly hacking into email accounts at various email providers at the request of two officers of the Russian Federal Security Service, the FSB. The same indictment accuses the two FSB officers and a Russian hacker of breaking into Yahoo's infrastructure and gaining access to over 500 million Yahoo accounts.
As a concluding note, and without claiming any expertise on the subject, we would question the underlying 'value' of a password database that Apple could render useless overnight by forcing a password reset on the affected accounts (assuming, of course, that it can work out which accounts those are). Just a thought on negotiating tactics for future reference.