ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: RedDelta

Names: RedDelta (Recorded Future)
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2020
Description: (Recorded Future) From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign.

These network intrusions occurred ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the country’s historically persecuted “underground” Catholic community. In addition to the Holy See itself, another likely target of the campaign includes the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement.

The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. The targeting of the Hong Kong Study Mission and its Catholic Diocese could also provide a valuable intelligence source for both monitoring the diocese’s relations with the Vatican and its position on Hong Kong’s pro-democracy movement amidst widespread protests and the recent sweeping Hong Kong national security law.

While there is considerable overlap between the observed TTPs of RedDelta and the threat activity group publicly referred to as Mustang Panda, Bronze President (also known as BRONZE PRESIDENT and HoneyMyte), there are a few notable distinctions which lead us to designate this activity as RedDelta:
• The version of PlugX used by RedDelta in this campaign uses a different C2 traffic encryption method and has a different configuration encryption mechanism than traditional PlugX.
• The malware infection chain employed in this campaign has not been publicly reported as used by Mustang Panda.

In addition to the targeting of entities related to the Catholic Church, Insikt Group also identified RedDelta targeting law enforcement and government entities in India and a government organization in Indonesia.
Observed: Sectors: Government, Law enforcement and The Vatican and Catholic Church-related organizations.
Countries: Australia, Ethiopia, Hong Kong, India, Indonesia, Italy, Myanmar.
Tools used: Cobalt Strike, PlugX, Poison Ivy.
Operations performed: Aug 2020: RedDelta Resumes Its Targeting of the Vatican and Hong Kong Catholic Diocese
<https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf>
Information: <https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf>

Last change to this card: 17 September 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
