Likely state-based hackers infected Hong Kong websites to spy on Apple users, Google says

Suspected foreign government-backed hackers infected websites belonging to a Hong Kong-based media outlet and a pro-democracy group in a bid to install malware on visitors’ Apple devices, Google researchers say.

Google’s Threat Analysis Group discovered the watering hole attack in August, which relied on a previously unreported backdoor, or zero-day flaw.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” Google’s Eyre Hernandez wrote in a blog post on Thursday. While Google didn’t attribute the attackers to a specific nation, China has long been suspected of conducting cyber-espionage and sowing disinformation aimed at democracy advocates in Hong Kong.

The hackers relied on a previously known vulnerability in macOS Catalina to set up the backdoor, Google said. Apple patched the zero-day flaw on Sept. 23.

The backdoor enabled the attackers to carry out audio recording, execute terminal commands, file downloads and uploads, keylogging, screen capture and victim device fingerprinting.

Pangu Labs presented a version of the exploit targeting the Big Sur operating system at a security conference in China in April.

Patrick Wardle, a security researcher who focuses on Apple, found Google’s discovery notable.

“It’s not everyday we come across a brand new fully-featured macOS implant to analyze,” he wrote in a separate analysis on Thursday.