Google’s Threat Analysis Group (TAG), a research team focusing on hackers, yesterday revealed that in August of this year an attack was made on Hong Kong web users based on a macOS Catalina zero-day vulnerability.

TAG described it as a “watering-hole attack”, an approach where malware is planted on a legitimate website. In this case hackers focused on websites for a media outlet and “a prominent pro-democracy labour and political group”; visitors to these websites were served an XNU privilege escalation vulnerability that was unpatched in macOS Catalina at the time, and which in turn installed a backdoor on visitors’ computers.

Catalina was the current version of macOS when the attack took place (it has since been superseded by Monterey), and was evidently the focus of the hackers. TAG repeated the experiment using Mojave, but observed only “remnants of an exploit”. Similarly, researchers discovered that protections in Big Sur nullified the attack.

The choice of a pro-democracy website naturally suggests a political element to the attack. Sure enough, TAG said it believes the threat actor to be “a well-resourced group, likely state backed”.

TAG head Shane Huntley told Motherboard that the researchers “do not have enough technical evidence to provide attribution and we do not speculate about attribution. However, the nature of the activity and targeting is consistent with a government-backed actor.”

Discussing who was behind the attacks, the Apple-specialising researcher Patrick Wardle told Motherboard that there were two plausible possibilities: China, or somebody wanting to look like China. “Though both of course are possible,” he said, “the former is far more likely.”

Motherboard concludes its report by observing that stories like this are not necessarily a sign that macOS security is weaker or more vulnerable than in the past; indeed, the site points out, Apple and other tech companies are patching bugs quicker than ever.

Wardle concedes that zero-day attacks might genuinely be becoming more prolific, but says it’s equally possible that we’re just getting better at detecting them.

TAG reported the zero-day flaw to Apple and it has since been patched. But for added peace of mind, read our Mac security tips.