
Cyber Incident Victim: Hong Kong Study Mission to China

Date: May 2020

Location: Hong Kong

Summary

A Chinese state-sponsored cyberespionage group, RedDelta, targeted the Vatican and affiliated Catholic entities, including the Hong Kong Study Mission, using spearphishing lures and customized malware variants. The campaign aimed to gather intelligence on diplomatic negotiations between China and the Holy See, as well as monitor the Catholic Diocese's position regarding Hong Kong's pro-democracy movement. The group employed compromised accounts and malicious documents mimicking official communications, aligning with broader Chinese strategic objectives to exert control over religious activities and influence within the region.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

From early May 2020 through at least July 21, 2020, the Chinese state-sponsored threat group RedDelta conducted cyberespionage operations targeting the Vatican, the Hong Kong Study Mission to China, the Catholic Diocese of Hong Kong, and the Pontifical Institute for Foreign Missions (PIME) in Italy. The campaign employed spearphishing lures delivering customized PlugX malware variants alongside Poison Ivy and Cobalt Strike Beacon payloads. Attackers compromised Vatican mail servers and crafted decoy documents impersonating official Vatican correspondence addressed to the head of the Hong Kong Study Mission, a key diplomatic intermediary between Beijing and the Holy See. One lure replicated a legitimate Union of Catholic Asian News article discussing Hong Kong's national security law, while another used content from an Italian academic's writings about religious sites in Iran. Network traffic analysis revealed communications between PlugX command-and-control (C2) infrastructure—including the domain systeminfor[.]com—and Vatican hosts beginning in mid-May 2020.


The intrusions coincided with diplomatic negotiations preceding the anticipated September 2020 renewal of the provisional China-Vatican agreement, which granted Beijing increased oversight over China's underground Catholic community. Targeting focused on entities capable of providing intelligence about the Holy See's negotiating position and Hong Kong Catholic leaders' stance on pro-democracy protests following the territory's national security legislation. Compromising the Hong Kong Study Mission offered insights into the successor of a key architect of the 2018 agreement. The campaign demonstrated technical overlaps with the Mustang Panda threat group through shared C2 infrastructure and malware families but diverged through unique PlugX encryption methods and infection chains. RedDelta expanded targeting beyond religious entities to include Indian law enforcement agencies and an Indonesian government organization during the same period. Recorded Future's Insikt Group detected the activity through proprietary network traffic analysis and RAT controller monitoring, correlating Vatican host communications with known malicious infrastructure.
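The record above says the activity was identified by correlating host communications with known malicious infrastructure, the PlugX C2 domain systeminfor[.]com among it. The following is an added example (not part of this incident record or of Recorded Future's tooling) of how a defender can do that correlation against their own DNS logs: it re-fangs the defanged indicator as published, matches query names by whole label (so look-alike names that merely contain the string are not flagged), and reports the earliest matching lookup per host to scope the timeline. The log lines and the host names in them are constructed for illustration.

```python
"""Correlating a published C2 domain indicator with DNS query logs.

Added example; the only indicator used is the domain the incident record
reports, written defanged as it appears there. The log lines, host names
and timestamps below are constructed, not real telemetry.
"""
import re
from datetime import datetime


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('systeminfor[.]com', 'hxxp://...') back into a usable value."""
    s = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        s = s.replace(bracket, ".")
    return re.sub(r"^hxxp", "http", s)


def domain_matches(query: str, indicator_domain: str) -> bool:
    """True if query is the indicator domain or one of its subdomains.

    Matching is done on whole labels: 'notsysteminfor.com' does not match
    'systeminfor.com', while 'update.systeminfor.com' does.
    """
    q = query.rstrip(".").lower()
    return q == indicator_domain or q.endswith("." + indicator_domain)


# Constructed DNS query log: timestamp, client host, queried name, record type.
SAMPLE_DNS_LOG = """\
2020-05-14T08:02:11Z host-a.example.internal www.microsoft.com A
2020-05-14T08:05:43Z host-a.example.internal update.systeminfor.com A
2020-05-15T11:20:09Z host-b.example.internal systeminfor.com A
2020-05-15T11:21:30Z host-c.example.internal notsysteminfor.com A
2020-05-16T09:00:00Z host-d.example.internal mail.example.internal A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text: str) -> list:
    """Parse the four-column log format above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rtype = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "qname": qname,
            "rtype": rtype,
        })
    return records


def find_c2_lookups(log_text: str, defanged_indicators: list) -> list:
    """Return every log record whose query name matches a re-fanged indicator."""
    indicators = [refang(i) for i in defanged_indicators]
    hits = []
    for rec in parse_dns_log(log_text):
        for ind in indicators:
            if domain_matches(rec["qname"], ind):
                hits.append({**rec, "indicator": ind})
    return hits


def first_seen_by_host(hits: list) -> dict:
    """Earliest matching lookup per client host, useful for scoping when each host was first beaconing."""
    first = {}
    for h in hits:
        c = h["client"]
        if c not in first or h["ts"] < first[c]:
            first[c] = h["ts"]
    return first


if __name__ == "__main__":
    hits = find_c2_lookups(SAMPLE_DNS_LOG, ["systeminfor[.]com"])
    for host, ts in sorted(first_seen_by_host(hits).items()):
        print(f"{host}: first C2-domain lookup at {ts.isoformat()}")
```

In practice the indicator list would be loaded from a feed rather than hard-coded, and the same whole-label matching should be applied to proxy and TLS SNI logs, since PlugX traffic may not be visible in DNS alone if the host resolves through an unexpected resolver.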

Sources
Sources available to members
1 source