Norton Labs research: Cyberattacks originating from China continue to hit the Vatican

With 10 million Catholics in China, tensions remain high between government and the church

The Chinese government and the Vatican have long endured a strained relationship, with the two butting heads over the role and influence that the Catholic Church has in China. In an escalation of this tension, hackers backed by China appear to have once again infected computers at the Vatican with malware.

Researchers with Norton Labs, in partnership with wholly-owned subsidiary Avira, have discovered new evidence of these malware attacks.

This isn't entirely unexpected. Several other researchers and security companies in 2020 also found evidence of malware attacks against the Vatican that originated in China.

The attacks found by Norton Labs and Avira, though, had not previously been discovered. These malware attacks against the Vatican date back to several years before 2020. In addition, Norton Labs and Avira have discovered more recent attacks that were not previously uncovered by other organizations.

The research focuses on two separate malware attacks:

  • The first involves a large malware campaign launched by Chinese threat actors against the Vatican and related Catholic Church groups from 2014 through 2016.
  • The second set of attacks discovered by Norton Labs researchers was launched on Vatican computers beginning in 2019.

It’s not certain yet that these two groups of attacks are related. Norton Labs, though, has found evidence that at least some of the threat actors have been involved in the two groups of malware attacks.

What’s behind the tensions between China and the Catholic Church?

The latest round of cyberattacks against the Vatican comes at a key moment in the relationship between the Chinese government and the Catholic Church.

In 2018, Pope Francis approved seven bishops appointed by China as part of an accord designed to improve the relationship between the Vatican and the Chinese government. Last year, the Vatican and China extended this accord.

This is a major agreement. China has long demanded that it approve the appointment of Catholic bishops in China. The Catholic Church had long held that this should be a decision made by the Vatican.

The hope is that this agreement, in which the Chinese government will continue to recommend bishops that the Pope will then approve, will help improve relations between the Catholic Church and China.

Although there are an estimated 10 million Catholics in China — a fraction of the 1.3 billion Catholics worldwide — the Chinese government has long been wary of the influence that the church has in the country. Beijing has approved several state-sanctioned churches in the country, but many Catholics prefer to attend underground congregations that are loyal to the Vatican.

It’s unclear whether the cyberattacks discovered by Norton Labs will have an impact on the relationship between the Catholic Church and Beijing going forward.

Attack 1: PlugX malware detected among church connections

The first series of attacks discovered by Norton’s anti-malware technology — which covered the period of 2014 through 2016 — involved the malware known as PlugX, a Chinese trojan used by many hacker groups, as well as the trojan PoisonIvy.

Norton discovered the first malicious file on a user machine in France. Norton researchers then discovered a large cluster of similar malicious files. Most of these seemed to target persons or organizations connected with the Catholic Church, especially those working in Asia.

What's particularly notable here is that this cluster of malicious files is older than others that had been previously discovered by other online security experts. The PlugX and PoisonIvy attacks discovered by Norton date back to at least 2014, indicating a long history of malware attacks aimed at the center of the Roman Catholic Church.

Also interesting? The amount of malware that Norton researchers discovered. According to a research report from Norton, the company found more than 100 malware samples belonging to this cluster.

Attack 2: The Vatican intrusions

Norton researchers also uncovered a second series of cyberattacks. In these more recent attacks, Norton researchers detected unusual activity originating throughout 2019 from computers in the Vatican. Norton eventually discovered that 17 computers there were infected with malicious software.

This malware came in different forms. Norton says that some of these malware types were known — such as more examples of PlugX malware — while others were new. Many of the malware files communicated with a main command and control hub based at two IP addresses.

Norton researchers say it is not evident which individuals were targeted by any of these malware attacks. But based on the structure of the attacks, it is likely that they have targeted Italian-speaking representatives of the Vatican and their associates, according to Norton's research.

What’s the outlook for more cyberattacks against the Vatican?

What does the future hold for the Vatican and the Chinese government? That’s difficult to say. But in their research report, Norton officials did say that they don’t expect similar cyberattacks to stop anytime soon.

What is certain? That everyone — from businesses to global organizations to individuals — must protect their laptops, smartphones, and other devices from cyberattacks. Most malware attacks don’t generate headlines. But without security software protection you are at increased risk for cyberattacks.

Review and download the Norton Labs technical report below. 

About the Author

Snorre Fagerland

Technical Director, Norton Labs

Snorre Fagerland has been working with malware detection and threat research for more than two decades and is the author of many research papers on malware and advanced threat actors. He currently works as a Technical Director in NortonLifeLock Labs.

Armin Buescher

Sr. Principal Security Researcher, Norton Protection Labs

Armin Buescher is a security researcher and software engineer for Norton Protection Labs and is focused on the analysis of attack trends and development of novel detection technologies. He has more than 10 years of experience working in the security industry.

Marcel Feller

Principal Security Researcher, Norton Protection Labs

Marcel is a security researcher with an extensive background in security operations, incident response, and threat intelligence. He specializes in phishing defense, malware analysis, reverse engineering, and web-related threats for Norton Protection Labs.

Milo Salvia

Senior Security Researcher, Norton Protection Labs

Milo specializes in web-based threats, phishing defense, and malware analysis for Norton Protection Labs, pulling from extensive experience in enterprise incident response and security operations.

Matteo Malvica

Principal Security Researcher

Matteo Malvica is a security researcher at Norton Protection Labs where he is focusing on vulnerability research, malware analysis, and reverse engineering.

Shahab Hamzeloofard

Senior Software Engineer & Threat Researcher
