
Cyber Incident Victim: Holy See

Date: May 2020

Location: Hong Kong

Summary

Chinese state-sponsored hackers infiltrated the Vatican's computer networks and its Hong Kong-based Study Mission to China ahead of sensitive negotiations regarding the Catholic Church's operations in the country. The cyber-espionage campaign, attributed to threat group RedDelta, involved customized PlugX malware delivered via a forged letter targeting key personnel. The intrusion aimed to gather intelligence on the Holy See's negotiating position and monitor relations with Hong Kong's Catholic Diocese amid pro-democracy protests and new security legislation. The attacks coincided with discussions to renew a provisional agreement on religious operations, reflecting broader patterns of Chinese cyber operations targeting religious minorities in the region.


Description

In mid-May 2020, cybersecurity firm Recorded Future detected a series of cyber intrusions targeting the Vatican’s computer networks and the Holy See’s Study Mission to China, a Hong Kong-based group representing Vatican interests. The attacks continued until at least July 21, 2020, coinciding with sensitive diplomatic negotiations scheduled for September 2020 regarding the renewal of a provisional agreement governing Catholic Church operations in China. Threat actors linked to the Chinese state-sponsored group RedDelta employed customized payloads of PlugX, a remote access trojan commonly associated with espionage operations. Attackers concealed malicious code within a decoy document designed to appear as an official Vatican letter addressed to Msgr. Javier Corona Herrera, chaplain of the Hong Kong Study Mission. Recorded Future identified multiple command-and-control (C2) servers communicating with compromised Vatican systems during this period, confirming sustained network infiltration. The targeting extended to the Catholic Diocese of Hong Kong, indicating a broader campaign against Church-affiliated entities.


The intrusions provided RedDelta operators with potential access to diplomatic communications and strategic documents outlining the Holy See’s negotiating positions ahead of the bilateral agreement renewal. Compromise of the Hong Kong Study Mission’s systems additionally offered intelligence-gathering opportunities related to the diocese’s stance on Hong Kong’s pro-democracy movement and its interactions with Vatican leadership during widespread protests and implementation of the Hong Kong national security law. Recorded Future’s Insikt Group attributed the activity to Chinese state interests based on infrastructure patterns, malware signatures, and historical targeting of religious minorities by affiliated threat groups. The operation aligned with China’s documented cyber-espionage campaigns against Tibetan Buddhist and Uighur Muslim organizations. No public statements from the Vatican regarding incident response measures or network containment procedures were reported in the available source material.
