A state-sponsored threat group linked to China has been engaged in a five-month long cyberattack against the Vatican and other Catholic Church-related organizations. Attacks have come in the form of spear phishing emails laced with the PlugX remote access tool (RAT) as the payload.
Researchers with Recorded Future observed the group, RedDelta, targeting the mail servers of Catholic organizations since early May 2020, ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, known as the China-Holy See deal. The network intrusions continued until a week before China’s Foreign Ministry announced on Sept. 10 that the deal had been “implemented successfully” and that a renewal is expected to be announced in the coming weeks, at which point the observed threat activity died off, researchers said.
Researchers believe that this targeting of the Vatican and other entities related to the Catholic church would likely offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal.
“RedDelta has largely remained unperturbed by the extensive public reporting on its targeting of the Vatican and other Catholic organizations,” according to researchers with Recorded Future’s Insikt Group in a report released Tuesday. “Despite taking basic operational security measures through changing the resolution status of command and control (C2) domains in the immediate aftermath of this reporting, the group’s tactics, techniques, and procedures (TTPs) remained consistent.”
RedDelta has also expanded its victimology of its campaigns, as seen in new spear phishing attacks using decoy documents themed around Catholicism, Tibet-Ladakh relations, and the United Nations General Assembly Security Council against other Catholic institutions; as well as additional network intrusion activity targeting Myanmar government systems and two Hong Kong universities.
Cyberattacks Against the Vatican
Starting in early May 2020, researchers observed RedDelta attempting various network intrusions that targeted the Vatican, as well as other entities like the Hong Kong Study Mission to China and The Pontifical Institute for Foreign Missions (PIME), Italy.
Previously, researchers in a July report shed light on the threat group’s successful attack on the Vatican that distributed the PlugX RAT. PlugX has been previously used in attacks aimed at government institutions and allows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.
Researchers believe the cyberattack was initially launched via spear phishing emails with a lure document. From May to at least July, they utilized RAT controller and network traffic analysis techniques to identify multiple PlugX C2 servers communicating with Vatican hosts. Researchers also identified Poison Ivy and Cobalt Strike Beacon C2 infrastructure communicating with Vatican hosts during this time.
After Recorded Future published details of this campaign in the July report, researchers noted that the RedDelta group took a number of evasive steps related to its infrastructure to avoid detection, most notably changing the IP resolutions of several of its C2 domains.
“In analyzing communications between targeted organizations and RedDelta C2 infrastructure using Recorded Future Network Traffic Analysis, we identified that the network communications between Catholic church organizations ceased in the immediate aftermath of the report publication,” they said. “However, this was short-lived, and within 10 days, the group returned to its targeting of the Hong Kong Catholic Diocese mail server, and within 14 days, a Vatican mail server. This is indicative of RedDelta’s persistence in maintaining access to these environments for gathering intelligence, in addition to the group’s aforementioned high risk tolerance.”
Since then, it is unclear whether the group has been able to regain access to the Vatican network. However, the attempts to do so, together with the emergence of a new RedDelta Catholic church-themed lure, highlight an overarching focus of the Chinese Communist Party (CCP) on increased oversight of the Catholic community within China, they said.
Beyond Catholic entities, researchers said RedDelta has also carried out new network intrusions impacting law enforcement and government entities in India, a government organization in Indonesia, and other unidentified targets across Myanmar, Hong Kong, and Australia.
The expanded breadth of victims has been seen in the threat group switching up its lures used in campaigns. Previously, the threat group had centralized on Catholic-focused lure documents, including one purporting to be an official Vatican letter addressed to the current head of the Hong Kong Study Mission to China and one spoofing a news bulletin from the Union of Catholic Asian News regarding the impending introduction of the new Hong Kong national security law.
More recently, the group has been spotted using additional lures referencing Catholics within China, Tibet-Ladakh relations, and the United Nations General Assembly Security Council to attempt to load PlugX on target machines. For instance, one sample lure discovered, a decoy document called “History of Tibet-Ladakh Relations and Their Modern Implications”, uses a legitimate Microsoft Word executable to side-load a first-stage DLL loader, with two files initially stored inside a zip file. Following the first DLL side-loading phase, an encrypted PlugX DAT payload is then dropped.
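The side-loading chain described above (a legitimate executable and a malicious DLL delivered together in a zip archive) leaves a simple structural fingerprint that defenders can check for before the archive ever reaches a user. The following Python is an added example, not code from the original article or from Recorded Future: it opens a zip archive, classifies each member by its real PE headers (reading the COFF Characteristics word rather than trusting the file extension), and reports any executable and DLL that sit side by side in the same folder. The archive it scans is constructed in-line from synthetic minimal PE images; the member names and the `find_sideload_pairs` / `pe_kind` helpers are assumptions made for this example.

```python
import io
import struct
import zipfile
from typing import Optional

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a PE image as a DLL


def pe_kind(data: bytes) -> Optional[str]:
    """Classify a file by its PE headers: 'dll', 'exe', or None if it is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF file header follows the signature; Characteristics is its last WORD.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_sideload_pairs(zip_bytes: bytes) -> list:
    """Return (exe, dll) member pairs that share a folder inside the archive.

    An EXE shipped next to a DLL in a user-facing archive is the classic layout of a
    DLL side-loading kit, so each pair is worth a closer look (hash, signature, imports).
    """
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                kinds[info.filename] = pe_kind(zf.read(info.filename))

    by_dir = {}
    for name, kind in kinds.items():
        if kind is None:
            continue  # documents, text files and so on are not PE images
        folder = name.rsplit("/", 1)[0] if "/" in name else ""
        by_dir.setdefault(folder, {"exe": [], "dll": []})[kind].append(name)

    pairs = []
    for members in by_dir.values():
        for exe in members["exe"]:
            for dll in members["dll"]:
                pairs.append((exe, dll))
    return pairs


def fake_pe(is_dll: bool) -> bytes:
    """Build a minimal synthetic PE image: constructed test data, not a real binary."""
    pe_off = 0x80
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # EXECUTABLE_IMAGE | 32BIT_MACHINE, plus the DLL flag when requested
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the two-file layout: a decoy EXE beside a loader DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure/decoy.exe", fake_pe(is_dll=False))
        zf.writestr("lure/loader.dll", fake_pe(is_dll=True))
        zf.writestr("README.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll in find_sideload_pairs(build_sample_zip()):
        print(f"possible side-loading pair: {exe} + {dll}")
```

The header-based check matters because the file extension says nothing about what Windows will load; a DLL renamed to `.dat` or `.txt` still carries the `IMAGE_FILE_DLL` bit, so classifying by the COFF header catches renamed components that an extension filter would miss. In a mail or web gateway this would run on every archive attachment, and a flagged pair would be routed to sandbox detonation rather than blocked outright, since legitimate installers occasionally ship the same layout.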
RedDelta’s TTPs “continue to operate in line with Chinese strategic priorities,” researchers said. For instance, the group’s continued targeting of the Vatican, its use of targeted decoy documents centered on current geopolitical issues relevant to the People’s Republic of China (PRC), and its cyberespionage end goals are all characteristic of China-linked threat groups, researchers said.
“The group’s reuse of publicly reported infrastructure and TTPs is likely indicative of a group experiencing operational success and highlights a pragmatic approach to operational security, with RedDelta willing to continue to use publicly known infrastructure as long as access is maintained,” said researchers.