A threat intelligence firm, Recorded Future, says Chinese hackers infiltrated the Vatican’s computer networks ahead of the high-profile talks between the Catholic Church and the Chinese government on the operations of the Church in China. The cybersecurity firm detected this activity at the beginning of May this year. The hackers targeted the Holy See’s Study Mission to China, the organization that represents the Vatican from Hong Kong.
Chinese espionage activities targeting religious groups
The Chinese government has frequently carried out cyber espionage activities against various religious groups in the country. Beijing uses Chinese hackers to spy on religious minorities such as Buddhist Tibetans, Muslim Uighurs, Falun Gong practitioners, and Christians.
During the State Department’s report on religious freedom, Secretary of State Mike Pompeo said the Chinese repression against religious minorities continues to run unchecked. The Pope also commented on the Hong Kong protests on July 5 at St. Peter’s Square. He advocated for non-violence and respect for human rights for all, especially religious freedoms.
James McQuiggan, a Security Awareness Advocate at KnowBe4, says ordinary cybercriminals execute attacks for monetary gain or intellectual property theft, but nation-state actors carry out cyber intrusions for surveillance operations.
“The saying knowledge is power is prevalent here, as nation-states infiltrate organizations via phishing or other vulnerabilities into their network. Once inside, they’re performing reconnaissance to find out if the information is worthwhile to their cause.”
The Chinese government and the Vatican were planning on discussing the renewal of the 2018 provisional agreement. The deal allowed the Catholic Church to operate in the communist nation under special arrangements.
The 12 million-strong congregation in China is divided between the pro-Beijing Chinese Catholic Patriotic Association (CCPA) and the underground movement loyal to the Pope. The CCPA has bishops appointed to the Chinese Catholic Church by the Communist regime in Beijing. The pro-Vatican group faces frequent persecution by the government of China. Its members also oppose the Beijing-Rome deal, terming it a betrayal of the Church.
The nature and the timing of the attacks imply that Beijing was behind the attacks on the Vatican.
The indicators of compromise by the Chinese hackers
Cybersecurity experts say several PlugX C2 servers were targeted by the Chinese hackers from mid-May to July 21 this year. One attack used a customized PlugX payload disguised as a letter from the Vatican to the Church’s representatives in Hong Kong headed by Msgr. Javier Corona Herrera.
The attack involved spear-phishing tactics using a letter of condolence from the Vatican’s Secretary of State, Cardinal Pietro Parolin. The document appeared to have been written by Archbishop Edgar Peña Parra and was addressed to the head of the Church in Hong Kong. Cardinal Parolin is a negotiator in the upcoming talks and is a strong supporter of the deal. The Vatican wants to extend the provision of the deal, but Beijing is unlikely to allow an external authority to have more control over domestic activities.
Experts believe the Chinese hackers could have obtained an official letter before lacing it with the malware payload. Recorded Future says the Vatican was informed of the intrusion by Chinese hackers since May.
The Chinese government allegedly used a cybercriminal group called RedDelta, according to the Insikt Group that monitors Chinese threat actors. The group’s activities and tactics are very similar to those of other Chinese hackers operating with the blessings of Beijing.
The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the September 2020 renewal talks. The Chinese hackers also intended to uncover the Hong Kong mission’s relations with the Vatican and the Church’s position on the pro-democracy movement in the country.