The Chinese government and the Vatican have long endured a strained relationship, with the two butting heads over the role and influence that the Catholic Church has in China. In an escalation of this tension, hackers backed by China appear to have once again infected computers at the Vatican with malware.
Researchers with Norton Labs, in partnership with wholly-owned subsidiary Avira, have discovered new evidence of these malware attacks.
This isn't entirely unexpected. Several other researchers and security companies in 2020 also found evidence of malware attacks against the Vatican that originated in China.
The attacks found by Norton Labs and Avira, though, had not yet been discovered. These malware attacks against the Vatican date back to several years before 2020. In addition, Norton Labs and Avira have discovered more recent attacks that were not previously uncovered by other organizations.
The research focuses on two separate malware attacks:
- The first involves a large malware campaign launched by Chinese threat actors against the Vatican and related Catholic Church groups from 2014 through 2016.
- The second set of attacks discovered by Norton Labs researchers was launched on Vatican computers beginning in 2019.
It’s not certain yet that these two groups of attacks are related. Norton Labs, though, has found evidence that at least some of the threat actors were involved in both groups of malware attacks.
What’s behind the tensions between China and the Catholic Church?
The latest round of cyberattacks against the Vatican comes at a key moment in the relationship between the Chinese government and the Catholic Church.
In 2018, Pope Francis approved seven bishops appointed by China as part of an accord designed to improve the relationship between the Vatican and the Chinese government. Last year, the Vatican and China extended this accord.
This is a major agreement. China has long demanded that it approve the appointment of Catholic bishops in China. The Catholic Church had long held that this should be a decision made by the Vatican.
The hope is that this agreement, in which the Chinese government will continue to recommend bishops that the Pope will then approve, will help improve relations between the Catholic Church and China.
Although there are estimated to be about 10 million Catholics in China, a fraction of the 1.3 billion Catholics worldwide, the Chinese government has long been wary of the influence that the church has in the country. Beijing has approved several state-sanctioned churches in the country, but many Catholics prefer to attend underground congregations that are loyal to the Vatican.
It’s unclear whether the cyberattacks discovered by Norton Labs will have an impact on the relationship between the Catholic Church and Beijing going forward.
Attack 1: PlugX malware detected among church connections
The first series of attacks discovered by Norton’s anti-malware technology — which covered the period of 2014 through 2016 — involved the malware known as PlugX, a Chinese trojan used by many hacker groups, as well as the trojan PoisonIvy.
Norton discovered the first malicious file on a user machine in France. Norton researchers then discovered a large cluster of similar malicious files. Most of these seemed to target persons or organizations connected with the Catholic Church, especially those working in Asia.
What's particularly notable here is that this cluster of malicious files is older than others that had been previously discovered by other online security experts. The PlugX and PoisonIvy attacks discovered by Norton spanned back to at least 2014, indicative of a long history of malware attacks launched at the center of the Roman Catholic Church.
Also interesting? The amount of malware that Norton researchers discovered. According to a research report from Norton, the company found more than 100 malware samples belonging to this cluster.
Attack 2: The Vatican intrusions
Norton researchers also uncovered a second series of cyberattacks. In these more recent attacks, Norton researchers detected unusual activity originating throughout 2019 from computers in the Vatican. Norton eventually discovered that 17 computers there were infected with malicious software.
This malware came in different forms. Norton says that some of these malware types were known — such as more examples of PlugX malware — while others were new. Many of the malware files communicated with a main command and control hub based at two IP addresses.
Norton researchers say it is not evident which individuals were targeted by any of these malware attacks. But based on the structure of the attacks, it is likely that they have targeted Italian-speaking representatives of the Vatican and their associates, according to Norton's research.
What’s the outlook for more cyberattacks against the Vatican?
What does the future hold for the Vatican and the Chinese government? That’s difficult to say. But in their research report, Norton officials did say that they don’t expect similar cyberattacks to stop anytime soon.
What is certain? That everyone — from businesses to global organizations to individuals — must protect their laptops, smartphones, and other devices from cyberattacks. Most malware attacks don’t generate headlines. But without security software protection you are at increased risk for cyberattacks.
Review and download the Norton Labs technical report below.
Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.