In late August 2021, Google’s Threat Analysis Group (TAG) caught a group of hackers who were using a 0-day macOS exploit to carry out watering hole attacks on visitors to Hong Kong websites for a media outlet and a pro-democracy political group. Without naming anyone, the TAG team said the attackers were well-resourced and “likely state-backed”, because the quality of the payload suggested the group had a software engineering team of its own.
Fortunately for users, TAG reported the zero-day macOS exploit to Apple and the company released a patch in September. The question that arises is who could be behind such sophisticated attacks.
Hackers “likely state-backed” hid malware within websites of a media outlet and prominent pro-democracy labor and political group in Hong Kong
As explained by Google’s TAG team, the attackers executed a watering hole attack, meaning they hid malware in the legitimate websites of a pro-democracy political group and a media house. Visitors to the compromised websites were hacked via a zero-day macOS exploit that took advantage of a previously unpatched vulnerability in macOS Catalina. A zero-day exploit does not require any action from the unsuspecting user to initiate the attack.
This discovery is critical in the context of the pro-democracy political movement in Hong Kong. In 2019, protests, known as the Anti-Extradition Law Amendment Bill Movement, erupted in Hong Kong after the government introduced a Fugitive Offenders extradition bill that included mainland China. The protests continued until 2020, and the protesters’ most important demand was universal suffrage. This Hong Kong-China conflict could have encouraged China to back the hackers to monitor the pro-democracy movement in Hong Kong.
Patrick Wardle, a researcher who specializes in Apple products, reviewed Google’s research and told Motherboard that in this case the macOS exploit was created by combining a previously known vulnerability, an N-day, with an unknown one that the attackers got from a security conference in China.
“Leveraging both N-days and what appeared to be a publicly presented zero-day highlights how attackers may not have to utilize their own zero-days to successfully infect remote targets.” Wardle found that the software contained code strings in Chinese, such as 安装成功 (Successful installation), and that the command and control server it connected to was located in Hong Kong.
“Based on variety of factors such as the targeting approach and victims (‘visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group’), exploitation methodologies, C&C server metadata, as well as indicators extracted from the implant (such as Chinese strings) there are only plausible answers to who is behind this: China, or somebody wanting to look very much like the Chinese,” Wardle said. “Though both of course are possible, the former is far more likely.”
Human Rights Watch accuses China of the genocide of Uyghur Muslims, forced labor, and many other repressive actions. But Apple continues to strengthen its ties with the country. So much so that the company’s Progress Report 2021 found no evidence of forced labor in its supply chain, and Apple is often found complying with governments’ demands to remove religious and political apps.