Interview with the Senior Threat Intelligence Analyst from Insikt Group, Recorded Future into the RedDelta Report, an analysis of how the Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group.

From early May 2020, this series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign.

These network intrusions occurred ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the country’s historically persecuted “underground” Catholic community.

In addition to the Holy See itself, another likely target of the campaign includes the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement. The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal.

The identified RedDelta intrusions feature infrastructure, tooling, and victimology overlap with the threat activity group publicly reported as Mustang Panda (also known as BRONZE PRESIDENT and HoneyMyte). This includes the use of overlapping network infrastructure and similar victimology previously attributed to this group in public reporting, as well as using malware typically used by Mustang Panda, such as PlugX, Poison Ivy, and Cobalt Strike.

This podcast is a report walk through with the lead analyst and covers the background, overview of Catholic Church intrusions, other targeted organizations and the infrastructure analysis. In this campaign, RedDelta favored three primary IP hosting providers, and used multiple C2 servers within the same /24 CIDR ranges across intrusions.

Importantly, we also cover the key network defense recommendations corporations should be applying to deter and prevent such attacks.

Recorded 27 August between Sydney and London in recognition of Recorded Future being Platinum supporter of the Cyber Risk Meetups for 2020 - 2021