Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label China cyber espionage. Show all posts
UNC6508
China cyber espionage Google Threat Intelligence Group INFINITERED malware REDCap UNC6508

China-Linked Cyber Espionage Group Secretly Harvested Research and Defense Emails from North American Institutions

 

A sophisticated cyber espionage campaign linked to China infiltrated research, healthcare, academic, and military organizations across North America, remaining undetected for more than a year while stealing sensitive information and defense-related communications.

According to a recent report from Google’s Threat Intelligence Group (GTIG), the campaign has been attributed with high confidence to a threat cluster identified as UNC6508. The attackers gained access through compromised REDCap (Research Electronic Data Capture) servers and later leveraged built-in Google Workspace features to quietly collect targeted emails.

The threat actor and its custom malware, known as INFINITERED, were previously highlighted by Google in February during a broader assessment of state-sponsored attacks targeting the defense industry. While the affected organizations were not publicly named, the victims reportedly included healthcare providers, universities, military medical institutions, advocacy organizations, and regulatory agencies in the United States and Canada. Google stated that it alerted impacted entities and took action against the attackers’ infrastructure.

The attackers targeted externally accessible REDCap servers, a widely used platform that helps hospitals, research institutions, and universities manage study data and databases.

Although Google has not identified the precise method used to gain initial access, nor linked the activity to a specific vulnerability or CVE, investigators observed the group scanning older REDCap versions known to contain security weaknesses.

Roughly three months after breaching the servers, UNC6508 deployed INFINITERED, a customized malware strain designed to modify REDCap system files. The malware ensured long-term persistence by embedding itself into the platform’s update process, allowing malicious code to survive future software upgrades.

INFINITERED also captured usernames and passwords entered through REDCap login portals and stored the stolen credentials in encrypted form within local databases. Additionally, the malware functioned as a backdoor, accepting commands through HTTP cookies and executing them whenever users loaded web pages.

Researchers traced the earliest known compromise to September 2023, with malicious activity continuing through November 2025. After establishing a foothold, the attackers conducted network reconnaissance, collected database and service account credentials, and eventually escalated privileges to obtain domain administrator access.

Rather than deploying a separate data-exfiltration tool, the attackers exploited an existing Google Workspace administrative capability known as content compliance rules.

These rules are typically used by organizations to monitor emails for specific keywords and automatically apply actions such as forwarding or copying messages. UNC6508 created a malicious rule named "Patroit" that monitored nearly 150 keywords, email addresses, and search terms associated with its intelligence-gathering objectives.

Whenever an email matched the predefined criteria, Google Workspace automatically sent a hidden copy to an attacker-controlled Gmail account. Google has since disabled the account involved in the operation.

This technique allowed the threat actors to collect sensitive communications without installing malware on mail servers or generating suspicious network traffic. Instead, they relied entirely on legitimate cloud-based functionality to siphon information.

While email-forwarding rule abuse is already recognized within the MITRE ATT&CK framework, GTIG noted that using domain-level content compliance rules for espionage represented a previously unseen tactic among China-linked cyber actors.

Analysis of the monitoring rules revealed that UNC6508 was particularly interested in subjects related to geopolitical strategy, military technologies and equipment, artificial intelligence, autonomous and uncrewed systems, offensive cyber operations, and medical research.

One especially notable keyword was "chikungunya," a mosquito-borne disease linked to a significant outbreak in China's Guangdong province during 2025, suggesting the group's collection interests extended into public health and epidemiological research.

Security teams are advised to immediately update internet-facing REDCap servers and completely remove outdated software versions. Because REDCap allows multiple versions to operate simultaneously, legacy installations can create opportunities for downgrade attacks that exploit known vulnerabilities.

Organizations should also review Google Workspace and other cloud email environments for unusual content compliance rules, unauthorized mail forwarding settings, and external BCC destinations. Administrative audit logs should be examined to identify when rule changes occurred and who made them.

Google has also published indicators of compromise associated with INFINITERED, which defenders can use to search for signs of intrusion within their environments. Implementing phishing-resistant multi-factor authentication (MFA) for administrator accounts is another critical step, as the email theft operation ultimately depended on obtaining elevated administrative privileges.

Although investigators have not yet determined exactly how UNC6508 initially compromised the REDCap servers, the campaign demonstrates how legitimate cloud administration features can be weaponized once attackers gain sufficient access. As a result, organizations must monitor not only malware and network activity but also the misuse of trusted enterprise tools that can quietly facilitate data theft.

Read more »
Subscribe to: Posts (Atom)