State-sponsored hackers targeted Vatican computer networks just weeks before the provisional agreement between China and the Holy See is due to be renewed, according to a report released Tuesday.

The analysis, published Sept. 15, said that hackers had continued to focus on the Vatican and other Catholic organizations even after their activities were publicized in July.

The report was compiled by the Insikt Group, the research arm of the U.S.-based cybersecurity company Recorded Future.

Earlier this year, the organization announced that it had uncovered “a cyberespionage campaign attributed to a suspected Chinese state-sponsored threat activity group,” which it referred to as RedDelta.

In an update on its investigation, the Insikt Group said that it had recorded a burst of activity by RedDelta shortly before an official signaled that People’s Republic of China (PRC) was open to extending a two-year provisional agreement with the Vatican over the appointment of bishops.

“On September 10, 2020, China’s Foreign Ministry announced that the 2018 PRC-Holy See deal had been ‘implemented successfully,’ with a renewal of the deal expected to be announced in the coming weeks,” the Insikt Group said.

“The timing of this announcement was preceded by RedDelta activity targeting the Vatican network dying down one week prior, and follows a Rome visit in late August from Chinese foreign minister Wang Yi, suggesting that the group’s intelligence tasking requirement may have been achieved or no longer required.”

Researchers said it was not clear whether RedDelta had succeeded in regaining access to the Vatican network. But they argued that the group’s efforts to do so underlined the Chinese Communist Party’s determination to increase its oversight of Catholics in China.

When they released their initial report in July, investigators said that RedDelta had homed in on the Vatican and the Catholic Diocese of Hong Kong from early May. Other Catholic targets included the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME) in Italy.

The Insikt Group cited a prior report that hackers had used a condolence message, purportedly written by Vatican Secretary of State Cardinal Pietro Parolin and dated May 14, as a “lure document.”

Parolin and the Secretariat of State did not respond to CNA’s request for comment on the claim when it was reported in July.

The Insikt Group also identified two other “phishing lures.” The first was a news report attributed to the news agency Union of Catholic Asian News (UCA News) about the new Hong Kong security law. The second was taken from an article in Italian about the Iranian city of Qom by the academic Franco Ometto.

In its new study, the Insikt Group said that RedDelta ceased its activities immediately after the publication of its initial report July 28.

“However, this was short-lived, and within 10 days, the group returned to its targeting of the Hong Kong Catholic Diocese mail server, and within 14 days, a Vatican mail server,” it said.

“This is indicative of RedDelta’s persistence in maintaining access to these environments for gathering intelligence, in addition to the group’s aforementioned high risk tolerance.”

Parolin said Monday that he expected that the Vatican would renew the China deal, which was signed on Sept. 22, 2018 and is due to expire in October.

“With China, our current interest is to normalize the life of the Church as much as possible, to ensure that the Church can live a normal life, which for the Catholic Church is also to have relations with the Holy See and with the Pope,” Parolin said Sept. 14, according to Italian bishops’ news agency SIR.

The Insikt Group concluded that RedDelta was willing to risk exposure in order to gain access to confidential information.

It said: “Given the continued RedDelta activity despite extensive public reporting, we expect the group to continue operating with a high operational tempo with minor tweaks in TTPs [Tactics, Techniques, and Procedures].”

“In previous reporting, we highlighted the group’s targeting of entities such as religious organizations and non-governmental organizations (NGOs), which often lack the ability or will to adequately invest in security and detection measures. This likely further fuels the group’s willingness to reuse publicly known infrastructure and TTPs.”