Chinese State-Backed Hackers Target the Vatican, Again

Hackers sometimes come back for seconds — even if they’re caught.

Just days after being exposed for targeting the Vatican and the Catholic Diocese of Hong Kong with malware, the suspected Chinese-state sponsored threat group known as RedDelta resumed cyberoperations against Catholic Church-related organizations, according to a report released today by Recorded Future. Although the group took some evasive steps in the immediate aftermath of being publicly outed, it reused infrastructure in attempts to gain access to mail servers belonging to the Diocese and Vatican, though it’s unclear if those attempts were successful.

The evasive steps included changing IP resolutions across several command and control domains, and switching the hosting IP for a command and control domain that was designed to give the group backdoor access to infected devices. However, other malicious servers that were publicly exposed in a previous Recorded Future report remained live. 

“They’ve made some changes in infrastructure, but we’ve still seen a pretty consistent TTP [tactics, techniques, and procedures] from the group,” according to a threat intelligence analyst who worked on the report who asked to remain anonymous given the sensitivity of the research. “There seems to be a pragmatism there — they seem to have a high risk tolerance for their campaigns being discovered as long as they maintain access.”

The fact that RedDelta returned to targeting the same organizations within a matter of days shows a brazenness that’s typically associated with nation state or state-sponsored Advanced Persistent Threats. However, many APTs wouldn’t take the step of reusing exposed infrastructure.

“You see a contrast there with other groups, even in China. Other actors will be publicly outed and burn down their infrastructure,” said the analyst. “It really contrasts with what you see here — it’s a different style.”

The initial report published by Recorded Future in late July detailed efforts RedDelta took to penetrate the study mission in Hong Kong and other Catholic organizations. In one attack, malware was hidden inside a document that appeared to come from the Vatican to Msgr. Javier Corona Herrera, the chaplain who heads the study mission. The malware, PlugX, gave the attackers access to parts of the organization’s computer network.

The findings came just weeks before the Vatican and Beijing started talks over the appointment of bishops and other matters as part of a renewal of a 2018 provisional agreement.

Last week, a spokesman for China’s foreign ministry said the interim agreement between the Vatican and China had been “implemented successfully.” Recorded Future said it shared its findings with the Vatican and Catholic Diocese of Hong Kong.

It’s not surprising that Beijing would be interested in monitoring the Catholic Church’s private communications. The two severed diplomatic ties in 1951, and in recent years the Chinese Communist Party has made it a priority to “sinicize” religions in the country. Chinese authorities have used an arsenal of surveillance tools to gather information on a variety of religious organizations, including Buddhist Tibetans and Muslin Uighurs.

In the report released today, Recorded Future said it has found new activity attributed to RedDelta involving decoy documents themed around Catholicism, Tibet-Ladakh relations, the United Nations, and additional network intrusion activity targeting Myanmar government systems. Once the documents are downloaded, an encrypted PlugX malware payload is delivered to the victim.

Those attacks mirror the ones previously identified by Recorded Future in the type of malware used and the style of spear phishing. Other religious and political organizations that find themselves within one of Beijing’s strategic priorities should be on alert for similar attacks, and should not expect RedDelta to slow its efforts anytime soon, according to the threat intel analyst.

“We in the cybersecurity industry have the APT — or Advanced Persistent Threat — acronym. This is the “Persistence” we’re seeing,” the analyst said.