Hackers Targeted Hong Kong Apple Devices in Widespread Attack
Visitors to pro-democracy and media sites in the region were infected with malware that could download files, steal data, and more.
Since at least late August, sophisticated hackers used flaws in macOS and iOS to install malware on Apple devices that visited Hong Kong–based media and pro-democracy websites. The so-called watering hole attacks cast a wide net, indiscriminately placing a backdoor on any iPhone or Mac unfortunate enough to visit one of the affected pages.
Apple has patched the various bugs that allowed the campaign to unfold. But a report Thursday from Google’s Threat Analysis Group shows how aggressive the hackers were and how broadly their reach extended. It’s yet another case of previously undisclosed vulnerabilities, or zero-days, being exploited in the wild by attackers. Rather than a targeted attack that focuses on high-value targets like journalists and dissidents, though, the suspected state-backed group went for scale.
The recent attacks specifically focused on compromising Hong Kong websites “for a media outlet and a prominent pro-democracy labor and political group,” according to the TAG report. It’s unclear how hackers compromised those sites to begin with. But once installed on victim devices, the malware they distributed ran in the background and could download files or exfiltrate data, conduct screen capturing and keylogging, initiate audio recording, and execute other commands. It also made a “fingerprint” of each victim’s device for identification.
The iOS and macOS attacks had different approaches, but both chained multiple vulnerabilities together so attackers could take control of victim devices to install their malware. TAG was not able to analyze the full iOS exploit chain, but identified the key Safari vulnerability that hackers used to launch the attack. The macOS version involved exploitation of a WebKit vulnerability and a kernel bug. All were patched by Apple throughout 2021, and the macOS exploit used in the attack was previously presented in April and July conference talks by Pangu Lab.
The researchers emphasize that the malware delivered to targets through the watering hole attack was carefully crafted and “seems to be a product of extensive software engineering.” It had a modular design, perhaps so different components could deploy at different times in a multistage attack.