Date: May 2020
Location: Italy

Summary

The Pontifical Institute for Foreign Missions was targeted in a cyberespionage campaign by the Chinese state-sponsored group RedDelta, which employed spearphishing lures delivering customized PlugX malware alongside Poison Ivy and Cobalt Strike tools. The campaign focused on Catholic organizations, including the Vatican and Hong Kong Catholic entities, to gather intelligence ahead of diplomatic negotiations between China and the Holy See. Targeting aligned with Chinese strategic objectives to consolidate control over religious activities and diminish Vatican influence within China, particularly regarding oversight of underground Catholic communities and Hong Kong's pro-democracy movements. The intrusions leveraged compromised infrastructure and weaponized documents to facilitate unauthorized network access for espionage purposes.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In early May 2020, the Chinese state-sponsored threat group RedDelta initiated a cyberespionage campaign targeting the Vatican, the Catholic Diocese of Hong Kong, the Hong Kong Study Mission to China, and the Pontifical Institute for Foreign Missions (PIME) in Italy. These intrusions occurred ahead of the anticipated September 2020 renewal of the provisional China-Vatican agreement, which had granted the Chinese Communist Party increased oversight over China’s underground Catholic community since 2018. RedDelta employed customized variants of PlugX malware, Poison Ivy, and Cobalt Strike Beacon tools to compromise networks. The group used Vatican-themed phishing lures, including a forged official letter addressed to the head of the Hong Kong Study Mission—the Pope’s de facto representative to China—which delivered PlugX payloads communicating with the command-and-control (C2) domain systeminfor[.]com. Evidence suggested the phishing lure may have been distributed through a compromised Vatican email account, as researchers observed PlugX C2 servers communicating with Vatican mail servers near the lure’s compilation date. Additional decoy documents spoofed a Union of Catholic Asian News article about Hong Kong’s national security law and repurposed an academic text titled "QUM, IL VATICANO DELL’ISLAM.doc." Network traffic analysis confirmed ongoing communications between RedDelta’s infrastructure and Vatican hosts from mid-May through at least July 21, 2020.


The campaign also targeted the mail servers of the Catholic Diocese of Hong Kong and PIME's international missionary center in Italy during June and July 2020. Recorded Future's RAT controller detections identified concurrent Poison Ivy and Cobalt Strike Beacon C2 infrastructure interacting with Vatican systems. RedDelta's PlugX variant used different encryption and configuration mechanisms from the versions used by the overlapping threat group Mustang Panda, although both groups shared victimology patterns and tools traditionally associated with Chinese state-sponsored operations. The targeting aligned with Chinese strategic objectives to monitor the Vatican's negotiating position ahead of the agreement renewal, consolidate control over underground Catholic churches, and gather intelligence on Hong Kong's Catholic leadership amid the pro-democracy protests and the new national security law. Researchers attributed the activity to RedDelta on the basis of infrastructure reuse and victimology aligned with Chinese geopolitical interests, and noted that the group, despite relying on well-documented malware families, made operational security mistakes that aided tracking. No public disclosure described the scope of any data exfiltration or any specific operational disruption at the targeted entities.
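The one network indicator this entry names is the PlugX C2 domain systeminfor[.]com, and the activity window it gives runs from mid-May through at least 21 July 2020. The following is an added hunting example, not code from the page or from Recorded Future: it refangs the defanged indicator, matches DNS and proxy log entries against it (including subdomains, but not look-alike domains that merely start with the same labels), and splits hits into the stated window and outside it. The log line format and the sample log lines are constructed for illustration, and "mid-May" is taken to mean 15 May as an assumption.

```python
"""Hunt constructed DNS/proxy log lines for the RedDelta PlugX C2 domain.

Added example; the log format and SAMPLE_LOGS are constructed for illustration.
Only the indicator and the activity window come from the incident description.
"""
import re
from datetime import date

# The single C2 indicator given on the page, in defanged form.
DEFANGED_C2 = "systeminfor[.]com"

# Window during which RedDelta infrastructure was seen talking to Vatican hosts.
# Assumption: "mid-May" is taken as 15 May; 21 July 2020 is the "at least" date.
WINDOW_START = date(2020, 5, 15)
WINDOW_END = date(2020, 7, 21)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string.

    Handles the usual styles: "[.]", "(.)", "{.}", "hxxp://", "[://]", "[:]".
    """
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    s = s.replace("[://]", "://").replace("[:]", ":")
    return s.lower()


def domain_matches(observed: str, indicator: str) -> bool:
    """True if observed is the indicator domain or a subdomain of it.

    A trailing dot (FQDN form) and letter case are ignored; a domain that only
    begins with the indicator's labels (e.g. systeminfor.com.example.org) is not a hit.
    """
    o = observed.lower().rstrip(".")
    return o == indicator or o.endswith("." + indicator)


# Constructed log line format (assumption): "<YYYY-MM-DD> <src_ip> <dns|proxy> <domain>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(dns|proxy)\s+(\S+)")

SAMPLE_LOGS = [  # constructed sample data, not real telemetry
    "2020-05-20 10.0.4.17 dns systeminfor.com",           # in window, exact match
    "2020-06-02 10.0.4.17 proxy update.systeminfor.com",  # in window, subdomain
    "2020-04-30 10.0.9.3 dns systeminfor.com",            # before the window
    "2020-06-15 10.0.9.3 dns systeminfor.com.example.org", # look-alike, no match
    "2020-07-21 10.0.4.22 dns SYSTEMINFOR.COM.",          # last day, case + trailing dot
    "2020-07-22 10.0.4.22 dns systeminfor.com",           # after the stated window
]


def hunt(lines, defanged_ioc=DEFANGED_C2, start=WINDOW_START, end=WINDOW_END):
    """Return (in_window_hits, out_of_window_hits) as lists of (date, src, domain).

    Out-of-window hits are kept rather than dropped: "at least July 21" is a
    lower bound on the activity, so earlier or later traffic still needs review.
    """
    indicator = refang(defanged_ioc)
    in_window, out_of_window = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        day = date.fromisoformat(m.group(1))
        src, domain = m.group(2), m.group(4)
        if not domain_matches(domain, indicator):
            continue
        hit = (day.isoformat(), src, domain)
        (in_window if start <= day <= end else out_of_window).append(hit)
    return in_window, out_of_window


if __name__ == "__main__":
    hits, stragglers = hunt(SAMPLE_LOGS)
    for h in hits:
        print("IN-WINDOW", *h)
    for h in stragglers:
        print("REVIEW   ", *h)
```

Run as-is it reports three in-window hits (two hosts) and two out-of-window hits; the look-alike domain is ignored. Matching on the registrable domain plus its subdomains is deliberate: PlugX samples in this campaign were described as beaconing to the bare domain, but a hunt that only does exact string comparison would miss a subdomain-based C2 rotation or an FQDN-form DNS log entry.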

Sources: 1 source (available to members)