Apple drops term 'state-sponsored' attacks from threat notification policy

Replaces it with 'mercenary spyware' warning in India, 91 other countries

Apple Inc has sent a new notification to warn consumers about malicious activity on their devices but there has been a significant shift in language in that attacks are attributed to  ‘mercenary spyware’ rather than ‘state-sponsored’ attackers.

The change in language applies to India and 91 other countries. The notification also made it clear that ‘Apple does not attribute the attacks or the notice you are receiving to any specific attackers or geographical regions’.

It states that the worldwide nature of mercenary spyware attacks makes them among the ‘most advanced digital threats in existence today’.  

This heralds a significant change in the company’s position. Last October, Apple sent warnings to several Apple device  users in India, including opposition politicians and journalists, warning that their phones had been  targeted by ‘state sponsored attackers’.

This triggered a firestorm with opposition leaders attacking the government for hacking their phones. The government asked Apple to join the probe on the alleged hacking with the Computer Emergency Response Team (CERT-in).  

While this was the second time that such attacks have come  to public attention in India, Apple has said  that it sends out such threat notifications multiple times a year.  Since 2021, as many as 150 countries have received these warning notifications.

It is clear that Apple’s assessment that such sophisticated and high cost cyberattacks can only have come from governments was challenged by multiple governments globally.

Since Apple says it cannot identify the attackers or even the regions, it has now modified its language to make sure that, while consumers are notified and can take action, the scope for conflict between activists, journalists and politicians with their respective governments has been reduced.

Apple is not alone in sending such threat notifications. Many top tech companies such as Meta, Google and Microsoft also do so many times a year. They have also used similar language, i.e. state-sponsored actors, government-backed attackers, and nation state attacks to describe cyber-attacks on devices and platforms.

Cyber security experts say it seems tech companies are  increasingly coming to accept one fact: that while spyware is extremely expensive and can often be used by state actors, there are enough non-state actors who have sufficient financial resources to buy spyware from rogue organisations.

Minister for Communications Ashwini Vaishnaw told parliament a few months ago that any MP can submit their phone to CERT-in for investigation if they have received notifications or suspect their phone to be compromised.
 

In the last month, CERT-in has transmitted multiple notifications that Apple itself puts out regarding vulnerabilities to the Apple ecosystem. This again is a routine process followed by all tech firms and CERT ensures that Indian citizens are aware of the self-proclaimed vulnerabilities in the platforms and devices by tech companies.