A cyber espionage group linked to China infiltrated North American medical, academic, and defense research networks, extracting sensitive information over a prolonged period. This breach involved manipulating Google Workspace settings to divert important emails to accounts under their control.
Infiltration of Research Networks
Hackers accessed these networks through a vulnerability in REDCap servers, which hospitals and universities typically use to manage research data. By compromising these servers, the group, tracked as UNC6508 by Google’s Threat Intelligence Group (GTIG), harvested login credentials that let it establish a lasting foothold inside the network.
Google’s report, released recently, connects UNC6508 with previous cyber activities against the defense sector. Although the specific organizations affected were not named, they encompass clinical, academic, and military health entities across the United States and Canada. Google has taken steps to alert these organizations and dismantle the cyber group’s infrastructure.
Methods of Entry and Malware Deployment
REDCap, a data management platform, served as the entry point for UNC6508. The cyber group exploited vulnerabilities in externally accessible REDCap servers. While the exact method of initial access remains unclear, probes into older software versions were observed.
Several months post-compromise, custom malware, dubbed INFINITERED, was introduced. This malware modified REDCap’s system files, ensuring persistence by reapplying itself during software upgrades. It also captured login details and served as a backdoor, receiving commands via cookies.
The group’s activities date back to at least September 2023, continuing until November 2025. Once inside the servers, the attackers conducted reconnaissance, obtained credentials, and escalated privileges to access domain administrator accounts.
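Because INFINITERED persisted by modifying REDCap’s own files and reapplying itself during upgrades, a tamper check on the application tree is one of the few host-side controls that would have surfaced it. The following is an added example written for this article, not code from the GTIG report or from REDCap: it hashes every file under an install directory, stores that as a baseline, and reports files that were added, removed or changed. The directory layout and file names in the demo are constructed stand-ins.

```python
"""File-integrity baseline for a web application tree (added example).

Caveat that matters for this campaign: a malware that re-injects itself during
upgrades will also be present in the post-upgrade tree. Rebaseline only against
the vendor's clean release files, never against the tree that was just upgraded.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): _sha256(p) for p in files}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed app tree, baseline it, tamper with it, and diff.

    The file names are placeholders, not REDCap's real layout.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "lib").mkdir(parents=True)
        (root / "app" / "index.php").write_text("<?php // constructed core file\n")
        (root / "app" / "config.php").write_text("<?php // constructed config\n")
        baseline = snapshot(root)

        # Simulate tampering: one core file gains an injected line, one new
        # file is dropped into the library directory.
        (root / "app" / "index.php").write_text(
            "<?php // constructed core file\n// injected line (constructed)\n"
        )
        (root / "app" / "lib" / "extra.php").write_text("<?php // constructed drop\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be written to storage the web server account cannot modify, and the comparison scheduled from outside the application host; a baseline kept next to the files it protects can be rewritten by the same code that tampers with them.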
Exploitation of Google Workspace Rules
UNC6508 leveraged Google Workspace’s content compliance features to steal emails. This legitimate tool was manipulated to forward messages containing specific keywords to an external Gmail account controlled by the attackers. Google has since disabled this account.
The keywords targeted sensitive areas such as strategic policies, military equipment, advanced technologies, and medical research, highlighting the group’s priorities. The use of domain content compliance rules for such purposes had not been previously observed in China-linked attacks, according to GTIG.
Recommendations for Defense
Organizations should start by securing their REDCap servers: apply current updates and retire outdated installations to close the entry point used here. On the email front, it is crucial to review and audit content compliance and mail-forwarding settings so that no unauthorized rerouting of messages goes unnoticed. Enforcing multi-factor authentication for administrator accounts also reduces risk, since admin access was pivotal in this attack.
While the exact method of initial access to REDCap servers remains unknown, scrutinizing mail rule changes is vital. Once attackers hold admin privileges, legitimate cloud features can be repurposed for data exfiltration, which is why comprehensive audits of those settings matter.
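The abuse described above, a content compliance rule that copies keyword-matching mail to an outside mailbox, leaves a trace in the Workspace admin audit log, and the recommendation to audit those rules can be turned into a check. The script below is an added example, not part of the article or of Google’s report. It reads audit events in a constructed, simplified JSON-lines format (the field names and event names are assumptions for this example; a real export from the Admin console or Reports API uses its own schema) and flags any mail-routing rule whose added recipients fall outside the organization’s domains, noting when the destination is a consumer webmail provider.

```python
"""Flag Workspace mail-rule changes that route mail to external recipients.

Added example. Event format below is constructed for illustration; map the
extraction to the fields of your actual audit export.
"""
import json

# Settings whose rules can add recipients or reroute mail (assumed names).
MAIL_ROUTING_SETTINGS = {"CONTENT_COMPLIANCE", "ROUTING", "DEFAULT_ROUTING", "ATTACHMENT_COMPLIANCE"}

# Consumer mailbox providers; a rule delivering corporate mail here deserves a look.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Constructed sample audit entries (not real log data).
SAMPLE_LOG = r'''
{"time": "2025-10-02T03:14:07Z", "actor": "it-admin@example-hospital.org", "event": "CREATE_GMAIL_SETTING", "setting": "CONTENT_COMPLIANCE", "rule": {"name": "Archive policy mail", "match": ["strategic", "procurement", "clinical trial"], "actions": {"add_recipients": ["archive.backup.1234@gmail.com"]}}}
{"time": "2025-10-02T09:30:00Z", "actor": "mailops@example-hospital.org", "event": "CREATE_GMAIL_SETTING", "setting": "CONTENT_COMPLIANCE", "rule": {"name": "Route HR to archive", "match": ["payslip"], "actions": {"add_recipients": ["hr-archive@example-hospital.org"]}}}
{"time": "2025-10-03T11:00:00Z", "actor": "it-admin@example-hospital.org", "event": "CHANGE_GMAIL_SETTING", "setting": "ROUTING", "rule": {"name": "Backup route", "match": [], "actions": {"add_recipients": ["backup@partner-example.net"]}}}
{"time": "2025-10-04T08:00:00Z", "actor": "it-admin@example-hospital.org", "event": "CHANGE_GMAIL_SETTING", "setting": "SPAM_FILTER", "rule": {"name": "Allowlist", "match": [], "actions": {}}}
'''


def parse_events(text: str) -> list:
    """Parse JSON-lines audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_suspicious_rules(events: list, internal_domains: set) -> list:
    """Return findings for mail-routing rules that add recipients outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for ev in events:
        if ev.get("setting") not in MAIL_ROUTING_SETTINGS:
            continue
        rule = ev.get("rule", {})
        recipients = rule.get("actions", {}).get("add_recipients", [])
        external = [r for r in recipients if domain_of(r) not in internal]
        if not external:
            continue
        findings.append({
            "time": ev["time"],
            "actor": ev["actor"],
            "event": ev["event"],
            "setting": ev["setting"],
            "rule": rule.get("name", ""),
            "match_terms": rule.get("match", []),
            "external_recipients": external,
            "consumer_mailbox": any(domain_of(r) in CONSUMER_MAIL_DOMAINS for r in external),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(parse_events(SAMPLE_LOG), {"example-hospital.org"}):
        flag = "CONSUMER MAILBOX" if f["consumer_mailbox"] else "external domain"
        print(f"{f['time']} {f['actor']} {f['setting']} '{f['rule']}' -> {f['external_recipients']} [{flag}] terms={f['match_terms']}")
```

The partner-domain hit is expected noise in most organizations; keep an explicit allowlist of approved external destinations and review it as part of the same audit, so the only rules left to explain are the ones nobody requested.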
