The China-linked threat group Red Delta has continued to launch cyber-attacks against Catholic institutions from May 2020 until as recently as last week.
A state-sponsored threat group linked to China has been engaged in a five-month-long campaign of cyber-attacks against the Vatican and other Catholic Church-related organisations. The attacks have taken the form of spear-phishing emails that deliver the PlugX remote access tool (RAT) as the payload.
Researchers with Recorded Future have observed the group, Red Delta, targeting the mail servers of Catholic organisations since early May 2020, ahead of the anticipated Sept. 2020 renewal of the landmark 2018 China-Vatican Provisional Agreement, known as the China-Holy See deal.
The network intrusions continued until a week before China’s Foreign Ministry announced, on Sept. 10, that the deal had been “implemented successfully” and that a renewal is expected to be announced in the coming weeks; at that point the observed threat activity died off, researchers explained.
Researchers believe that targeting the Vatican and other entities related to the Catholic Church would likely give Red Delta insight into the negotiating position of the Holy See ahead of the deal’s Sept. 2020 renewal.
“Red Delta has largely remained unperturbed by the extensive public reporting on its targeting of the Vatican and other Catholic organisations,” according to researchers with Recorded Future’s Insikt Group in a report released Tuesday. “Despite taking basic operational security measures through changing the resolution status of command and control (C2) domains in the immediate aftermath of this reporting, the group’s tactics, techniques, and procedures (TTPs) remained consistent.”
Red Delta has also expanded the victimology of its campaigns, as seen in new spear-phishing attacks against other Catholic institutions using decoy documents themed around Catholicism, Tibet-Ladakh relations and the United Nations General Assembly Security Council, as well as additional network intrusion activity targeting Myanmar government systems and two Hong Kong universities.
Cyber-attacks Against the Vatican
Starting in early May 2020, researchers observed Red Delta attempting various network intrusions targeting the Vatican, as well as other entities such as the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME) in Italy.
In a July report, researchers detailed the threat group’s successful attack on the Vatican, which distributed the PlugX RAT. PlugX has previously been used in attacks on government institutions and allows remote operators to steal data or take control of affected systems without authorisation. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.
Researchers believe the cyber-attack was initially launched via spear-phishing emails carrying a lure document. From May to at least July, they used RAT controller and network traffic analysis techniques to identify multiple PlugX C2 servers communicating with Vatican hosts. During the same period, researchers also identified Poison Ivy and Cobalt Strike Beacon C2 infrastructure communicating with Vatican hosts.
After Recorded Future publicised details of this campaign in the July report, researchers noted that the Red Delta group took a number of evasive steps with its infrastructure to avoid detection, notably changing the IP resolutions of several of its C2 domains.
“In analysing communications between targeted organisations and Red Delta C2 infrastructure using Recorded Future Network Traffic Analysis, we identified that the network communications between Catholic Church organisations ceased in the immediate aftermath of the report publication,” they observed.
“However, this was short-lived, and within 10 days, the group returned to its targeting of the Hong Kong Catholic Diocese mail server, and within 14 days, a Vatican mail server. This is indicative of Red Delta’s persistence in maintaining access to these environments for gathering intelligence, in addition to the group’s mentioned high-risk tolerance.”
It is unclear whether the group was able to successfully regain access to the Vatican network. However, the attempts to do so, together with the emergence of a new Red Delta Catholic Church-themed lure, highlight the Chinese Communist Party’s (CCP) focus on increased oversight of the Catholic community within China, researchers commented.
Beyond Catholic bodies, researchers observed new Red Delta network intrusions affecting law enforcement and government entities in India, a government organisation in Indonesia, and other unidentified targets across Myanmar, Hong Kong and Australia.
The broader set of victims is reflected in the lures the threat group now uses in its campaigns.
Previously, the threat group had focused on Catholic-themed lure documents, including one purporting to be an official Vatican letter addressed to the current head of the Hong Kong Study Mission to China, and one spoofing a news bulletin from the Union of Catholic Asian News about the impending introduction of the new Hong Kong National Security Law.
More recently, the group has been seen using additional lures referencing Catholics within China, Tibet-Ladakh relations and the UN General Assembly Security Council in attempts to load PlugX on target machines.
One sample lure, a decoy document titled “History of Tibet-Ladakh Relations and Their Modern Implications”, uses a legitimate Microsoft Word executable to side-load a first-stage DLL loader; the two files are initially stored together inside a zip archive. After this first DLL side-loading phase, an encrypted PlugX DAT payload is dropped.
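As an added illustration, not taken from the article or from the Recorded Future report, the following Python script applies a defender’s heuristic for the DLL side-loading chain described above: a Microsoft-signed executable running from a user-writable location that loads an unsigned DLL from its own directory, plus a check of an archive’s member list for an executable staged next to a DLL. The log format, paths, file names and archive listing are all constructed for this example; the record layout is modelled loosely on image-load telemetry of the kind Sysmon produces, not on any specific product’s output.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories where a Microsoft-signed executable normally lives. Anything
# else (Temp, Downloads, an extracted archive folder) is a lower-trust
# location for this heuristic. Constructed list for the example.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed, simplified image-load records in key="value" form.
# They imitate the shape of image-load telemetry but are NOT real data.
SAMPLE_LOG = [
    'ImageLoad process="C:\\Users\\alice\\AppData\\Local\\Temp\\Tibet\\WINWORD.EXE" '
    'image="C:\\Users\\alice\\AppData\\Local\\Temp\\Tibet\\loader.dll" '
    'process_signer="Microsoft Corporation" image_signed="false"',
    'ImageLoad process="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" '
    'image="C:\\Program Files\\Microsoft Office\\Office16\\component.dll" '
    'process_signer="Microsoft Corporation" image_signed="true"',
    'ImageLoad process="C:\\Users\\alice\\Tools\\notes.exe" '
    'image="C:\\Users\\alice\\Tools\\helper.dll" '
    'process_signer="Example Tools Ltd" image_signed="false"',
    'ImageLoad process="C:\\Users\\alice\\AppData\\Local\\Temp\\Tibet\\WINWORD.EXE" '
    'image="C:\\Windows\\System32\\kernel32.dll" '
    'process_signer="Microsoft Corporation" image_signed="true"',
]

# Constructed member list of a zip archive that stages an exe and a DLL together.
SAMPLE_ARCHIVE = [
    "Tibet/WINWORD.EXE",
    "Tibet/loader.dll",
    "Tibet/History of Tibet-Ladakh Relations.docx",
]


@dataclass
class ImageLoad:
    process: str         # full path of the process performing the load
    image: str           # full path of the loaded module
    process_signer: str  # Authenticode signer of the process binary
    image_signed: bool   # whether the loaded module carries a valid signature


FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[ImageLoad]:
    """Parse one record; return None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return ImageLoad(
            process=fields["process"],
            image=fields["image"],
            process_signer=fields["process_signer"],
            image_signed=fields["image_signed"].lower() == "true",
        )
    except KeyError:
        return None


def in_trusted_dir(directory: str) -> bool:
    """True if the directory sits under a standard install location."""
    return (directory.lower().rstrip("\\") + "\\").startswith(TRUSTED_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Microsoft-signed process outside its install location loading an
    unsigned DLL from its own directory: the side-loading pattern."""
    if not ev.image.lower().endswith(".dll"):
        return False
    if "microsoft" not in ev.process_signer.lower():
        return False
    if ev.image_signed:
        return False
    proc_dir = ntpath.dirname(ev.process).lower()
    image_dir = ntpath.dirname(ev.image).lower()
    if proc_dir != image_dir:
        return False
    return not in_trusted_dir(proc_dir)


def find_sideloads(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (process, image) pairs from the log that match the heuristic."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_sideload_candidate(ev):
            hits.append((ev.process, ev.image))
    return hits


def archive_sideload_pairs(member_names: List[str]) -> List[Tuple[str, str]]:
    """Given an archive's member names, return (exe, dll) pairs that share a
    directory, i.e. an executable shipped next to a loadable DLL."""
    by_dir: Dict[str, List[str]] = {}
    for name in member_names:
        directory, _ = ntpath.split(name.replace("/", "\\"))
        by_dir.setdefault(directory.lower(), []).append(name)
    pairs = []
    for members in by_dir.values():
        exes = [m for m in members if m.lower().endswith(".exe")]
        dlls = [m for m in members if m.lower().endswith(".dll")]
        pairs.extend((exe, dll) for exe in exes for dll in dlls)
    return pairs


if __name__ == "__main__":
    for proc, img in find_sideloads(SAMPLE_LOG):
        print(f"side-load candidate: {proc} loaded {img}")
    for exe, dll in archive_sideload_pairs(SAMPLE_ARCHIVE):
        print(f"archive stages exe next to dll: {exe} + {dll}")
```

Only the first log record fires: the same Word binary loading kernel32.dll from System32 is ignored because the module comes from a different, trusted directory, and the unsigned DLL loaded by a non-Microsoft tool is out of scope for this particular rule. Signer and signature fields are taken at face value here; in production they would come from the telemetry source’s own signature verification.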
Red Delta’s TTPs “continue to operate in line with Chinese strategic priorities,” researchers outlined.
The group’s continued targeting of the Vatican, its use of decoy documents centred on geopolitical issues relevant to the People’s Republic of China (PRC) and its cyber-espionage goals are characteristic of China-linked threat groups, researchers suggested.
“The group’s reuse of publicly reported infrastructure and TTPs is likely indicative of a group experiencing operational success and highlights a pragmatic approach to operational security, with Red Delta willing to continue to use publicly known infrastructure as long as access is maintained,” reflected researchers.