Hackers believed to be backed by the Chinese government hit members of the Hong Kong Catholic Church in a series of spear-phishing operations.
A report from news site ZDNet said the attacks, which were traced back to May, were revealed by a malware analyst who goes by the pseudonym Arkbird online.
The hacking attacks came to light as Hong Kong’s church leaders openly backed pro-democracy protests despite warnings from the Vatican for clergy to remain neutral.
Cardinal Joseph Zen, bishop emeritus of Hong Kong, earlier warned that new security laws imposed by Beijing on Hong Kong can lead to a clampdown on religious freedom.
China’s parliament passed national security legislation for Hong Kong on June 30, setting the stage for the most radical changes to the former British colony’s way of life.
A week before the full provisions of the new security law were released, Cardinal Tong Hon, apostolic administrator of the Hong Kong Diocese, voiced his support for the proposed law.
Malware analyst Arkbird told ZDNet he discovered malware samples uploaded to VirusTotal that are typically associated with Chinese state groups.
The malware files were ZIP and RAR archives containing Windows executable files.
According to sandbox analysis, unpacking and running the files starts a legitimate app like Microsoft Word or Adobe Reader.
The legitimate apps load a lure document, such as communications from Vatican officials.
Arkbird says that alongside the legitimate apps and the lure documents, a malicious DLL file is also loaded that installs malware on the victim’s computer, using a technique known as DLL-sideloading.
Fred Plan, malware analyst at Mandiant Threat Intelligence, told ZDNet that this particular version of the DLL-sideloading technique has been a staple of Chinese nation-state hacking groups for years.
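For defenders triaging attachments, the archive layout described above (an executable shipped beside a DLL and a lure document) can be checked before anything is unpacked. The sketch below is an added example, not code from Arkbird, Mandiant or ZDNet; the function names, the lure-extension list and the sample archive are all constructed for illustration, and it handles ZIP only.

```python
import io
import struct
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

IMAGE_FILE_DLL = 0x2000                 # COFF Characteristics bit set on DLLs
LURE_EXTS = {".doc", ".docx", ".pdf"}   # assumed lure-document extensions

def pe_kind(data):
    """Return 'dll' or 'exe' from the PE/COFF header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def triage_zip(blob):
    """List archive directories where an EXE ships beside a DLL."""
    dirs = defaultdict(lambda: {"exe": [], "dll": [], "lure": []})
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename)
            with zf.open(info) as fh:
                kind = pe_kind(fh.read(4096))   # classify by content, not name
            if kind is None and path.suffix.lower() in LURE_EXTS:
                kind = "lure"
            if kind:
                dirs[str(path.parent)][kind].append(path.name)
    return [{"dir": d, **v} for d, v in sorted(dirs.items()) if v["exe"] and v["dll"]]

def fake_pe(is_dll):
    """Constructed header-only stand-in for a PE file; it cannot execute."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    flags = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)

def build_sample():
    """Constructed archive mimicking the layout described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("letter/reader.exe", fake_pe(False))
        zf.writestr("letter/helper.dll", fake_pe(True))
        zf.writestr("letter/letter.pdf", b"%PDF-1.4 constructed lure")
        zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()
```

Calling `triage_zip(build_sample())` returns a single finding for the `letter` directory. A hit is a reason to send the archive for analysis, not a verdict, since legitimate installers also bundle executables with DLLs.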
Based on previous public reporting, Arkbird attributed the malware samples to a group known as Mustang Panda, a Chinese hacking group targeting religious groups, including Catholic organizations.
Arkbird published the findings on Twitter after receiving the go-ahead from Italian law enforcement, where a colleague also reported the attacks.