The daring attack disturbs the biggest element surrounding a new Apple product: its mystery and intrigue
From the outside, it was a typically adrenaline-filled, glitzy affair: the launch of a new line of iPads and iMacs.
But behind the scenes, Apple and one of its electronics manufacturing partners, Quanta, were grappling with how to respond to a US$50 million ransom demand and the theft and public broadcast of unreleased Apple product blueprints.
The REvil ransomware gang, also known as Sodinokibi, is a highly successful ransomware-as-a-service outfit believed to be based in Russia.
It is not afraid of going after high-profile targets: the group has previously stolen and released or sold sensitive data on Lady Gaga and Donald Trump, as well as global enterprises like Acer, Travelex and Honda.
But this is arguably the gang’s most ambitious play yet.
Last week, as Apple was taking the wraps off its new product lines, REvil’s operators were posting to their ironically named Happy Blog dark web site a taunting promise to “provide data on the upcoming releases of the company so beloved by many”.
“Tim Cook can say thank you Quanta,” they wrote.
By the time Apple’s highly anticipated product launch was over, REvil had posted the internal designs for what appears to be a new iMac.
They also claim to have stolen design documents for unreleased Apple laptops and watches.
The group says it infiltrated the corporate network of Taiwan-based Quanta, a key parts supplier to Apple as well as many other big-name technology companies.
The hackers said the announcement of the stolen blueprints was timed as it was because Quanta had refused to pay the requested US$50 million ransom to recover its data.
The refusal prompted them to go after Quanta’s biggest customer instead.
Apple has now been given until May 1 to hand over the cash. New stolen files will continue to be posted until the ransom is paid, the hackers said.
“The REvil ransomware gang doesn’t make false promises,” Ivan Pittaluga, CTO of enterprise security firm ArcServe, told ThreatPost.
“They’re notoriously known for leaking data if their demands aren’t met.”
It appears to be the first time a ransomware gang has shifted its demands to a victim’s customer after being refused by its initial target.
“This is a new approach in the double extortion name-and-shame technique, where the threat actor engages with the affected third parties after the unsuccessful attempt to negotiate ransom with the primary victim,” Dmitry Smilyanets, Recorded Future threat intel analyst, told The Record.
Experts believe this could signal a new, emboldened era for REvil and its affiliates, and suggest more victims of the size and stature of Apple are likely.
“We know that they are protected most likely by Russian intelligence or the Russian government, as are most ransomware groups, which has allowed them to flourish over the last 18 months,” Marc Bleicher of Arete Incident Response told CNBC.
“I think, you know, based on what we’ve seen so far, this may be just the tip of the iceberg.”
“To avoid a similar fate, companies should actively patch any vulnerabilities in their network, frequently back up data to a separate location offsite or in the cloud, and conduct threat analyses continuously,” ArcServe’s Pittaluga advised.