A U.S.-based cybersecurity company issued a report on Tuesday that identified a Chinese cyber campaign directed largely at the Vatican. Insikt, the research division of Recorded Future, identified the threat actor as RedDelta, a CCP-sponsored organization whose infrastructure and tooling resemble those of Mustang Panda. RedDelta also targeted dioceses in Hong Kong and Italy, as well as government arms of India and Indonesia.
On hearing of the report, CCP spokesperson Wang Wenbin denied Beijing's involvement: "China is a staunch defender of cybersecurity and always firmly opposes and combats cyber theft and hacking."
Insikt’s intelligence card for the RedDelta PlugX C2 server marks March 10 as the first reference date, and the report shows that malicious activity at India’s Sardar Vallabhbhai Patel National Police Academy began as early as February 16. Communication by RedDelta hacking infrastructure, including PlugX, Poison Ivy and Cobalt Strike Beacon, with Vatican hosts began in May and continued until at least July 21.
The spearphishing attempts took the form of unassuming messages carrying downloadable files. When recipients opened the documents, the PlugX malware would infect the target’s computer system and give the attackers access to confidential information.
One example is a document dated May 14 that was delivered from the Vatican to the Hong Kong Study Mission to China. The document contained a condolence message regarding the passing of a Chinese Bishop. It is unclear whether the document was forged, or whether RedDelta obtained a legitimate communication and weaponized it.
An independent analyst had identified the attacks against the Hong Kong church earlier this month but attributed them to Mustang Panda. Mandiant Threat Intelligence analysts could not confirm their connection to Mustang Panda but did connect them to China.
Insikt surmises that RedDelta targeted the Vatican and associated entities at least in part because of upcoming negotiations between the Vatican and Chinese authorities. In 2018, after decades of silence, Pope Francis and Chinese authorities struck a classified deal giving the Pope the ability to name bishops in the official Catholic Patriotic Association in exchange for Vatican endorsement of Beijing-sponsored clergy.
“We believe that this targeting is indicative of both China’s objective in consolidating increased control over the underground Catholic Church within China, and diminishing the perceived influence of the Vatican on Chinese Catholics,” states the report.
Vatican leaders have publicly called for renewing the deal, but critics argue that it jeopardizes the underground church in China and subjects religion to the Chinese Communist Party’s ‘sinicization’ agenda.
“They’re giving the flock into the mouths of the wolves,” said Hong Kong Cardinal Joseph Zen, one of the premier activists against Chinese influence in the Catholic church.
China has a well-documented history of persecuting religious groups that don’t conform to state ideology. Religious minority groups, including Uighur Muslims, Falun Gong, and Christians who refuse to join the state-approved religious entities, have suffered persecution, torture, and internment in ‘reeducation camps.’ U.S. officials indicted two Chinese individuals earlier this month on charges of targeting and arresting two underground church pastors.
In June, Guo Wengui, an exiled Chinese dissident, alleged on an interview on Breitbart’s The War Room that China invests up to $2 billion each year in the Vatican to buy control over its activity. Still another journalist has noted that Pope Francis skipped a section of his July 5 speech, distributed to the press beforehand, that addressed the worsening situation in Hong Kong.
RedDelta’s attacks took place as the U.S. grows increasingly apprehensive of Chinese cyber interference. Axios reported today that FBI Director Christopher Wray and William Evanina, the director of the National Counterintelligence and Security Center (NCSC), testified before Congress earlier this week about the threat from Chinese hackers, saying it was possible malicious entities could manipulate U.S. policy toward China.
China “is expanding its influence efforts to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and counter criticism of China,” Evanina said.
Insikt highlighted the threat such attacks may pose to NGOs, particularly religious organizations, and urged them to invest in strong cybersecurity infrastructure.