- Chinese hackers are sending phishing emails to high-ranking Vatican officials to plant RATs.
- The goal is to gather key intelligence for the upcoming renewal of the China-Vatican provisional agreement.
- The Catholic Church in China is under persecution and is slowly but steadily being pushed out of existence.

A state-sponsored group of Chinese hackers named “RedDelta” is going after the Vatican and Catholic organizations in Hong Kong and mainland China, in a weird case of cyber-espionage. These activities have been recorded by the Insikt Group, which has compiled a detailed report on the RedDelta campaign.
Reportedly, the Vatican has been a target for the Chinese hackers since early May 2020, suffering network intrusions that went mostly undetected. The researchers believe that the hackers’ motive is to gain insight into the Catholic community in Hong Kong and the negotiating position of the Vatican concerning the renewal of the 2018 China-Vatican provisional agreement.
“RedDelta” features some overlapping elements with “Mustang Panda,” another state-supported group of hackers who engage in cyber-espionage operations. Still, the former maintain their own distinct set of DLL side-loaders and encrypted communication systems, so they deserve an individual attribution.
Insikt has identified the deployment of tools like “Poison Ivy” and “Cobalt Strike,” and has recorded a large number of PlugX C2 servers communicating with Vatican hosts between May 2020 and July 2020. The lure used for the delivery of the PlugX payload is a letter arriving via a phishing email.
Using the same PlugX variants and the same C2 infrastructure, RedDelta tried their luck with various phishing lures. In one case, they spoofed a news bulletin from the Union of Catholic Asian News regarding the new national security law that passed in Hong Kong.
In another example, the decoy document concerned matters of Islam linked with the Vatican, with the content being a direct copy of the writings of Franco Ometto. In some cases, the phishing emails were sent through already compromised accounts belonging to Vatican officials, substantially increasing the chances of success.
It has long been established that the Chinese government has a strategic interest in limiting religious freedom in the country. In the case of the Vatican and the Catholic diocese of Hong Kong, this strategic interest becomes even more exigent, as these entities stand for democracy and have expressed anti-Beijing positions in the recent past.
The renewal of the China-Vatican agreement will come this September, so the Chinese are looking to take full control of the Catholic Church, including in Hong Kong. As Cardinal Joseph Zen stated during a recent interview, the Catholics in China are under persecution, underage individuals are not allowed into churches, no new priests are being ordained, and the Church is essentially bound to disappear soon.