It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.
In the past people have used "sort-of" MITM attacks* for jailbreaking, specifically to keep your iPhone from "upgrading" itself to the new version of iOS. The jailbreakers had figured out that they could restore from an old version of iOS and jailbreak it, so Apple wanted to stop that. They introduced SHSH blobs that contained your phone's signed version info, and when you wanted to install an old version of iOS from a backup, they would check to make sure you hadn't upgraded to a newer version. So the jailbreakers came up with a program called TinyUmbrella that you would load up with your iPhone's old SHSH blobs, and it would pretend to be the official Apple blob server. You'd modify your hosts file to redirect the Apple server at your local host, run TinyUmbrella, then launch iTunes. When iTunes wanted to restore the user-specified version of iOS, it would request the latest blobs, but TinyUmbrella would deliver them, tricking the phone into staying at its older version of iOS. In more recent versions of iOS Apple required the server to securely exchange the messages so iTunes could no longer be fooled, but this worked through about iOS version 6 or so.
Of course, this is not a MITM attack against iCloud, but rather against their update process. Still, it was a pretty clever hack.
* I say "sort-of" because TinyUmbrella did not intercept the blob exchange itself; it only stood in as a phony Apple server for a SHSH blob you had to extract on your own, using another tool.