Chinese hackers, RedDelta, may have infiltrated Vatican ahead of talks


On Tuesday, Recorded Future, an international cybersecurity firm, reported that RedDelta, a state-sponsored Chinese group, had been hacking the Vatican’s computer networks.

The cyber infiltrations come during the lead-up to scheduled negotiations in September between the Catholic Church and the Chinese Communist Party (CCP) regarding control over the appointment of bishops and the status of churches in China.

The multiple hacks began in May, as the CCP began to crack down on Hong Kong dissidents and gain control of the Catholic Church and other religious groups in China.


The relationship between the Holy See, a group of informal Vatican diplomats based in Hong Kong, and Beijing has been very tense in the lead-up to the September talks and in the wake of pro-democracy protests that began last year in Hong Kong.

The September talks were widely believed to include the Church’s appointments of Catholic bishops in China and the status of the Holy See’s Study Mission to China. The Holy See Mission group is better known as the “Underground Church.”

Recorded Future analyzed the hack attacks  

According to Recorded Future, RedDelta hackers targeted members of the Hong Kong Catholic Church in a series of spear-phishing operations traced back to May this year.

The Hill reported that the spear-phishing campaign used tactics mirrored by other Chinese-approved hacking operations. However, new techniques and computer code used in the hacks made it difficult to be 100% certain that RedDelta is the source.

One attack during the campaign was hidden in a fake letter from the Vatican to a Hong Kong chaplain, using a sophisticated replica of a letter from the official stationery of Archbishop Edgar Peña Parra. 

In an interview, a cybersecurity specialist who goes by the name Arkbird told ZDNet he discovered malware samples uploaded on VirusTotal, a security website that aggregates antivirus products.

Uploaded as ZIP or RAR files, the files run legitimate programs such as Adobe Reader or Microsoft Word when unpacked, but those apps then load a lure document like the fake communications from Vatican officials.

Arkbird also revealed that the legitimate programs and lure documents sideload malicious DLL files that install malware on the victim’s computer.

The particular technique used is a staple of CCP hacking groups, according to an American malware analyst who also spoke with ZDNet.

The final piece of malware detected was a remote-access Trojan known as PlugX, which gives the attacker control over the victim’s computer. This enables access to the targeted victim’s sensitive data, account credentials, or financial information.

A secret agreement behind the phishing attempt

The Underground Church is loyal to the Catholic Church, not to the Chinese Patriotic Catholic Association (an arm of the CCP). Because of this, the Underground Church has been experiencing intensifying persecution since the secretive Vatican-China accord was reached in September 2018.

For many years President Xi Jinping has put a premium on boosting government oversight throughout China on several religions, including ordering crosses to be torn down from over a thousand churches from 2014 to 2016 and, more recently, establishing highly criticized detention centers for ethnic Uighurs, most of whom are Muslim.

The CCP’s new national security law prescribes harsh penalties such as life imprisonment for vaguely defined crimes, which led to protests and arrests in Hong Kong.

