© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
Last updated: February 19, 2013 9:14 pm
Apple said its internal Mac systems were hacked by the same attackers that targeted Facebook and Twitter last month, in a rare admission of vulnerability from a highly secretive company whose products have long been seen as more resistant to intrusion.
The iPhone maker said it was working with law enforcement to find the source of the breach. It said there was “no evidence” the attackers were able to obtain Apple’s private data and that only a “small number” of its systems were infected.
However, security analysts are warning that many other companies may have been affected by the vulnerability, which could affect Macs or PCs.
The disclosure comes amid heightened tension over cyber security, with a report on Tuesday by security company Mandiant linking the Chinese military to a huge cyber espionage campaign against US companies.
Apple’s systems were compromised through a flaw in Oracle’s Java software for web browsers, about which the US Department of Homeland Security warned last month. On Friday, Facebook said it had been targeted by hackers who also used the Java exploit.
Apple said it would issue an antivirus tool to customers to enable them to remove any malware that might have infected their Macs. Some security researchers have speculated that the Facebook employees whose laptops were compromised last month were likely to be using Macs.
“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” Apple said in a statement.
“The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”
The last time Apple released an antivirus tool was in April, when the “Flashback” trojan infected hundreds of thousands of Macs. Apple’s relatively small share of the PC market, and its tighter control over its software platform, have traditionally made the Mac operating system a less prominent target for hackers than Windows computers.
However, the growing popularity of Apple computers, particularly among software engineers and at other technology and media companies, has raised their profile among cyber criminals.
Security researchers have said the form of this latest attack was most likely one known as a “watering hole”, in which a popular website is “poisoned” and particular targets are then lured to it. The nature of the Java vulnerability means just visiting the site, even with an up-to-date machine, would lead to infection, undetectable to antivirus software.
“We’ll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook,” wrote Sean Sullivan, security adviser at F-Secure, a software company, in a blog post on Monday.
News of Apple’s breach was first reported by Reuters.
Security researchers have long urged companies to be more transparent about hacking attacks and to share more information to help the wider community better understand the latest threats.
However, security breaches also come with their own reputational risk.
The hijacking of Burger King’s Twitter account on Monday was followed by another takeover on Tuesday, apparently by the same hacker, of Jeep’s profile on the messaging site.
Some commentators have warned that brands may become wary of using Twitter or other social media sites if they appear to be too vulnerable to cyber attacks.
However, MTV on Tuesday staged a fake “hack” on its Twitter account, demonstrating that the accompanying publicity can actually be beneficial, if no customers or data are harmed. Burger King’s Twitter account attracted thousands of new followers while it was hijacked on Monday.