Suspected Chinese hackers targeting Vatican in advance of Beijing negotiations

Chinese hackers with suspected links to China's government have been targeting the Vatican, according to Recorded Future.
St. Peter's Basilica in Vatican City. (Getty Images)

Over the course of the last three months, hackers with suspected links to the Chinese government have been targeting the Vatican, according to research from security firm Recorded Future.

The targeting, which was delivered in a series of spearphishing emails with malware-laden documents imitating legitimate Vatican correspondence and news about Hong Kong’s national security law, appears to have begun in May of this year, Recorded Future researchers said. The suspected Chinese government hackers have also targeted mail servers of other Catholic entities, including an international missionary center in Italy and the Catholic Diocese of Hong Kong.

The hacking group appears to be linked with the China-based hacking group Mustang Panda, given several overlaps in techniques, infrastructure, and tooling, including a method for delivering malware that both groups employ as well as a method for obfuscating their attacks, the researchers said in a blog post. However, given several different encryption mechanisms used in these hacks, Recorded Future contends the Vatican hackers are a separate, government-sponsored group, which it has dubbed RedDelta.

ZDNet first reported on one of the lures involved in the hacking.


China has long been interested in surveilling religious groups and has a history of running cyber intrusions to gather intelligence on Buddhist Tibetans and Muslim Uighurs, according to security researchers. And while some Chinese authorities have interpreted Christianity as a vector for the West to “subvert” the Chinese government, the suspected network intrusions would mark the first time Chinese government-linked operators had targeted the Vatican.

The attacks come just as the Vatican prepares to negotiate the operations of the Catholic Church in China in September, and the intrusion attempts could reflect Chinese authorities’ interest in monitoring the Vatican’s position on the discussion, Recorded Future researchers said in a blog post. The negotiations, which will take place under the auspices of an agreement between the Vatican and Chinese authorities dating to 2018, are expected to cover the control and appointment of bishops in China.

The Chinese government’s interest in control over Christian churches in China has long embattled the Vatican in China. Various arms of the Chinese government have, at times, enacted restrictions on the practice of Christianity in China and have sought to suppress Christian churches, for instance. Since the Vatican severed diplomatic relations with China in 1951, the church has had to resort to underground operations in China.

The spearphishing attempts are likely linked with China’s interest in reducing the perceived influence of China’s Catholic community, and could indicate the Chinese government’s interest in monitoring the position of Christians in Hong Kong on the pro-democracy demonstrations, Recorded Future assessed.

The stakes of the suspected network intrusions — including those in Hong Kong — could boil down to religious freedoms, persecution, and national security, especially given the new Hong Kong national security law, which broadly targets subversion of state power. In one potential flashpoint, some Catholics in Hong Kong, where China has been cracking down on democracy protests, have been urging the Vatican to voice support for the protests, according to FT. So far, the Vatican has distanced itself from the conversation, but banned political expression during mass. In another potential flashpoint, the Vatican recognizes Taiwan, which the Chinese government views as a breakaway province.


“This marks a possible precursor to increased limits on religious freedom within the special administrative region, particularly where it coincides with pro-democracy or anti-Beijing positions,” Recorded Future researchers said.

It wasn’t clear if any information or credentials were exfiltrated in the suspected network intrusions.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.