An anonymous Pastebin posting from June 21 states that hackers from the LulzSec collective successfully breached Apple's iCloud networks several weeks ago.
The posting claims that the intruders mapped the network and "grabbed all their source code and database passwords".
The header on the posting identifies the AnonOps IRC channel "LulzSec" and displays a dead link to a Facebook page with the name "Ryan Cleary".
Ryan Cleary is the name of the 19 year old U.K. resident who was arrested and charged earlier this week with attacks on UK-based websites including the Serious Organised Crime Agency, and is suspected of participating in multiple Anonymous and LulzSec operations.
Cleary is also thought to be the Anonymous member who staged a mini-coup in May by stealing passwords and hijacking several AnonOps servers.
Cleary was subsequently "doxed" by other Anonymous participants, having details of his identity and activities posted online. Many believe his arrest was a direct result of his exposure by other Anonymous supporters.
The pastebin posting contains the following message:
IRC: irc.anonops.ru 18.104.22.168 (channel #LulzSec | port 6697 for SSL)
BitCoin donations: 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP
This is a story all about how we made Apple and everything they own, our frak for life.
Hello, good day, and how are you? Splendid! We're LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender year.
As you should know, The Lulz Boat stores vast amounts of booty; much of this booty we don't release as it's simply too shiny and/or delicious. As of late, certain inferior sailing boats have discovered flaws in the iCloud (the iCloudthegame.com), thinking themselves exciting and new.
Too late. The Lulz Boat controls this ocean, chumps.
Some weeks ago, we smashed into the iCloud with our heavy artillery Lulz Cannons and decided to switch to ninja mode. From our LFI entry point, we acquired command execution via local file inclusion of enemy fleet Apache vessel. We then found that the HTTPD had SSH auth keys, which let our ship SSH into other servers. See where this is going?
We then switched to root ammunition rounds. And we rooted... and rooted... and rooted...
After mapping their internal network and thoroughly pillaging all of their servers, we grabbed all their source code and database passwords, which we proceeded to shift silently back to our storage deck.
"It seems the glorious leader of LulzSec got arrested. Whois driving the boat?"
All should be taken with a grain of salt until more conclusive evidence is produced. An anonymous posting on Pastebin is far from proof of a successful exploit.
Furthermore, recent reports of a hack and breach of the U.K.'s census data by LulzSec appear to be false, so there may be an active disinformation campaign at work.
That aside, a successful breach of Apple's networks and the pilfering of the company's source code would be a significant event. Infosec Island has contacted Apple and are awaiting an official reply.
LulzSec is reported to have conducted a successful attacks against the Central Intelligence Agency, the U.S. Senate website, PBS, as well as networks belonging to the Atlanta chapter of FBI affiliate InfraGard. LulzSec also claims to have also hacked Sony Pictures, Sony Entertainment and Sony BMG, among others.
LulzSec is currently engaged in a very public conflict with anti-jihadi hacker The Jester (th3j35t3r) and anti-lulz hackers known as Team Poison (TeaMp0isoN) and Web Ninjas, respectively.
The Jester and Web Ninjas have already produced some documents that attempt to identify some key LulzSec players, and Team Poison has stated they have turned over details of the LulzSec's organization and leadership to law enforcement, and are expected to publish some of the information soon.