In the second half of March a story of an ongoing attempt to extort Apple was reported by the media. A malicious actor named Turkish Crime Family (TCF) claimed to be in possession of 300m (later increased to more than 600m) credentials to Apple’s iCloud service. The extortionist threatened that unless the company paid $100k (later increased to over $400k), the credentials would be used to reset clients’ iCloud accounts and to remotely wipe (delete the data on) the associated Apple devices.
TCF contacted multiple media outlets to publicise its extortion attempt. The threat actor provided journalists with samples of credentials to substantiate the threat. The deadline for paying the ransom was set for April 7th. Apple officially refused to pay the ransom, considering the threat not to be credible. Following expiration of the deadline, the TCF claimed that the company had made the payment.
Long before the deadline, experts were able to point out that the extortion attempt lacked credibility:
- The TCF was a relatively obscure actor with no established credibility for such high-profile attacks, i.e. no track record of achieving a massive (600m+) data breach at a blue-chip company
- The erratic behaviour of TCF’s representatives (e.g. changes to the terms of the deal, replacement of the “spokesperson”, various inconsistencies with previous claims) suggested the group had no plan and lacked experience
- Most of the sample credentials provided by the TCF to substantiate the threat were identified as originating from previous data breaches of other online service providers. This suggests that the TCF most likely purchased previously compromised credentials, some of which were also valid for the iCloud service (credentials leaked from one service remain valid on another whenever the same login name and password are reused across services)
- The time to comply with the ransom request was relatively long (more than two weeks if counted from the initial media coverage), which gave Apple a lot of time to investigate the matter and, if necessary, implement countermeasures
- The ransom amount ($100k – $400k) represented a fraction of the black market value of the asset
- Apple could have introduced countermeasures (e.g. restricting new logins) to significantly mitigate the risk of data deletion, and it also controlled the infrastructure, allowing it to monitor for suspicious activity
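As an added example (not from the original article), here is the kind of triage a defender can run on an extortionist’s credential sample: fingerprint each claimed login/password pair, look it up in an index of prior, publicly known breach dumps, estimate how much of the sample is recycled, and list the accounts that warrant a forced password reset. All credential values and breach names below are constructed; a real index would hold hundreds of millions of hashed rows.

```python
import hashlib

# Constructed sample the extortionist claims to hold (hypothetical values).
CLAIMED_SAMPLE = [
    ("alice@example.com", "Summer2015!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correcthorse"),
    ("dave@example.com", "qwerty123"),
]

# Constructed index of earlier, already public breach dumps (hypothetical names).
# Only fingerprints are kept in the lookup table, never plaintext passwords.
KNOWN_BREACHES = {
    "breach-2012-forum": [("alice@example.com", "Summer2015!"), ("bob@example.com", "hunter2")],
    "breach-2014-shop": [("bob@example.com", "hunter2"), ("dave@example.com", "qwerty123")],
}


def fingerprint(email, password):
    """Stable hash of a normalised (email, password) pair; NUL separates the fields."""
    return hashlib.sha256(f"{email.strip().lower()}\0{password}".encode()).hexdigest()


def build_index(breaches):
    """Map fingerprint -> set of breach names in which that exact pair appeared."""
    index = {}
    for name, rows in breaches.items():
        for email, pw in rows:
            index.setdefault(fingerprint(email, pw), set()).add(name)
    return index


def triage(sample, index):
    """Return per-credential provenance and the fraction of the sample that is recycled."""
    report = []
    for email, pw in sample:
        sources = sorted(index.get(fingerprint(email, pw), ()))
        report.append({"email": email, "recycled": bool(sources), "sources": sources})
    recycled = sum(r["recycled"] for r in report)
    return report, (recycled / len(sample) if sample else 0.0)


def assess(recycled_ratio, threshold=0.5):
    """A mostly recycled sample points to credential stuffing rather than a new breach."""
    return "likely recycled (credential stuffing)" if recycled_ratio >= threshold else "possible new breach"


def reset_candidates(report):
    """Accounts whose claimed password is in a prior dump should get a forced reset."""
    return [r["email"] for r in report if r["recycled"]]
```

The verdict only says where the sample came from; the listed accounts still need an authentication-log review regardless of whether the wider claim is believed.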
Given the evidence, experts saw the attack as an amateurish extortion attempt and most likely a hoax. However, a closer look at the case reveals several alternative objectives that the attack design used by the TCF could serve.
Alternative objectives which could be pursued with the same attack design
Note that we are assuming here, as was actually the case, that the malicious actor had only a handful of valid credentials and that the extortion was based largely on a bluff.
Alternative Objective 1: generate negative media coverage for Apple
Inevitably, the attack generated negative publicity for Apple. Regardless of the actual situation, the company’s name was used in an unfavourable context, i.e. as the potential victim of a massive compromise of clients’ credentials. The publicity was a function of three factors. First, the attacker made the extortion attempt public. Second, the magnitude of the claim (i.e. hundreds of millions of compromised accounts) made an attractive story for journalists to cover. Third, the long deadline to comply with the ransom demand provided ample time for the topic to spread in the media. It also provided more time for experts, semi-experts and non-experts to speculate about the attack. Since commentators have incentives to generate various hypotheses, such media chatter is likely to make the threat appear more credible than it really is. At the same time, there was no way for Apple to provide decisive proof that the threat was a hoax.
Alternative Objective 2: catalyse a “flash-crash” of Apple’s share price
AO 2 is closely related to AO 1. The malicious actor might have hoped to generate a brief panic among Apple’s shareholders which could be exploited financially. In particular, the share price might have crashed after confirmation that the sample credentials provided to back up the threat were valid. The market could then temporarily overreact based on the extent of the potential damage (e.g. the impact on the company’s reputation, the cost of litigation, and potential regulatory fines). The reaction could be exacerbated by quantitative trading programs which react to price movements and to the occurrence of specific keywords in the media (e.g. “Apple” + “breach”).
Alternative Objective 3: distract and tie up resources of Apple’s security team
The attack might also have served to create a diversion that absorbs the resources of Apple’s security team. The potential impact of the threat, even if seen as a low-likelihood event, is likely to generate pressure from management to “double and triple-check” the situation with regard to current and past activity. Extensive media coverage creates an additional incentive for management to over-allocate resources to investigating and preventing the threat. Such a diversion of resources could improve the odds of successfully launching another type of attack.
Alternative Objective 4: provoke Apple to introduce new security countermeasures
Even though it may seem paradoxical at first, the malicious actor might actually seek to force Apple to introduce new security measures in response to the threat. Such measures could include, for example, blocking new logins or forcing a unique reset for each account.
While such countermeasures would greatly reduce the risk, they would also expose Apple to several non-trivial negative consequences. First of all, the company would by default have to publicly communicate the introduction of new security countermeasures. Such a significant operation would naturally attract even more media attention to the case.
More importantly, by introducing new security measures Apple would actually be signalling that the threat had some degree of credibility. This could transform the media narrative about the event from one of “possible hoax” to one of “possible breach”, which in turn would result in more negative media coverage. If the extortionists indeed had millions of valid iCloud credentials, then some accounts might already have been compromised. This would only fuel speculation about negative consequences for the company and possibly lead to an overreaction, including a negative impact on Apple’s share price.
Introducing new security measures would also cost the company money and tie up additional resources of the security team. It would also inconvenience clients, who, apart from now being more worried that the private data in their accounts might already have been compromised, would have to make an additional effort to adopt the new security measure. Even if it were just a forced password reset, one should not trivialise the impact of such events on consumer satisfaction, especially in a very competitive industry. The result could be an erosion of clients’ goodwill, which would make similar situations in the future more costly for the company (e.g. imagine the growing negative impact on customer satisfaction if a company repeatedly exposes clients to extraordinary changes in security practices).
Introducing new security measures would also create a benchmark for similar situations in the future. Apple would effectively lower its response threshold and create a situation where similar countermeasures, with all their ensuing costs, could be triggered by low-credibility threats, which could take a significant toll on the company’s performance.
The analysis above is just an intellectual experiment. The key takeaway is that the attack design used by the TCF offered attractive optionality: multiple objectives which could be pursued in a non-mutually exclusive and, to some extent, synergistic fashion (e.g. achieving AO 4 would make the realisation of AO 1 – 3 more likely for the malicious actor). The attack design was also very cost effective, as the main expense for the perpetrator was the purchase of a handful of previously compromised credentials to be used as “proof” that the threat was credible. Nor did the attack require advanced hacking skills to execute. One also has to keep in mind that even though such low-grade attacks may not pose a strategic-level threat, they may be very useful as components of a longer-term campaign.