Hackers with suspected ties to the Chinese government kept up their operations in the weeks after they were caught targeting the Vatican, according to Recorded Future findings published Tuesday.
Recorded Future researchers first called out the hacking group’s focus on the Vatican and Hong Kong’s Catholic Diocese in July, after which the hackers appeared to briefly pause their activity, in a likely effort to evade detection. But within two weeks, the hackers, known as RedDelta, had resumed their activities, aiming to infiltrate mail servers of the Vatican and the Hong Kong Catholic Diocese, researchers said.
“This is indicative of RedDelta’s persistence in maintaining access to these environments for gathering intelligence, in addition to the group’s aforementioned high risk tolerance,” the researchers write in a blog post on the matter.
China has long had an interest in collecting intelligence on religious groups in the region, and in particular on Catholics, ever since the Vatican severed diplomatic relations with China in 1951. But in recent months Beijing seems to have reinvigorated collection requirements against Christians in Hong Kong in an effort to gather more intelligence on pro-democracy protests in Hong Kong.
The operation is thought to have been aimed at collecting intelligence in advance of the Vatican’s efforts to negotiate a deal with China on the operations of the Catholic Church in China. Those discussions took place earlier this month. Beijing announced last week that both sides have reached a deal, which security researchers now say means that hackers’ “tasking requirement may have been achieved or no longer required.”
The malicious activity stopped earlier this month, according to Recorded Future.
The hackers had continued to use a PlugX variant called “RedDelta PlugX,” a remote access trojan, along with malicious .zip files, in attempts to compromise targets, the researchers said. The hackers’ spearphishing emails used lures related to Catholicism in China, Tibet-Ladakh relations, and the United Nations General Assembly Security Council in attempts to breach targets.
The attackers are suspected of being linked to Mustang Panda, a group of China-based hackers known to use PlugX and to target non-governmental organizations, according to CrowdStrike, another security firm. They have a demonstrated interest in gathering intelligence on entities in Mongolia.
In recent days the suspected Chinese government-linked hackers have set their sights on other targets that may be related to Beijing’s strategic interests in the region, and have begun targeting entities in Hong Kong, according to Recorded Future, which does not identify the victims.
The hackers have also begun targeting law enforcement and government entities in India, amid a longstanding border clash between China and India. RedDelta has also been targeting unidentified entities in Myanmar, which shares a border with China and which has recently seen an uptick in coronavirus cases.