Chinese Hackers Exploit Google Workspace to Steal Sensitive Emails

A China-linked espionage group has infiltrated North American research networks, using a backdoor on REDCap servers to exfiltrate sensitive emails via Google Workspace.

A China-linked espionage group has been operating within North American medical, academic, and military research networks for over a year, successfully stealing sensitive emails related to research and defense. The attackers exploited a backdoor on REDCap servers to gain access to login credentials and subsequently manipulated Google Workspace rules to exfiltrate emails.

Method of Intrusion

The group, tracked by Google’s Threat Intelligence Group (GTIG) as UNC6508, compromised externally facing REDCap (Research Electronic Data Capture) servers, a platform commonly used by hospitals and universities. Google has not yet identified the specific initial access vector or any associated CVE IDs, although it has noted that the group was probing older, vulnerable versions of the software.

Deployment of Malware

Approximately three months after breaching the servers, UNC6508 deployed a custom malware known as INFINITERED. This malware modifies REDCap’s system files to achieve three main objectives: it hijacks the upgrade process to ensure that the malware persists through updates, collects usernames and passwords from the login page, and serves as a backdoor for the attackers to execute commands via HTTP cookies.

Exfiltration Tactics

The attackers used a feature within Google Workspace that allows administrators to define content compliance rules, which scan emails for specific keywords. By creating a rule that misspelled “Patriot” and monitored nearly 150 keywords and email addresses, UNC6508 was able to silently BCC matching messages to an email address they controlled. This method involved no malware on the mail server and produced no unusual network traffic, relying instead on legitimate features of Google Workspace.

Recommendations for Mitigation

Organizations using REDCap are advised to patch their externally facing servers and remove outdated versions to prevent downgrade attacks. Additionally, it is crucial to review content compliance and mail-forwarding rules within Google Workspace for any unauthorized changes. GTIG emphasizes the importance of monitoring admin audit logs and implementing phishing-resistant multi-factor authentication (MFA) on administrator accounts to bolster security against similar attacks.
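As an added illustration of the review step above (not code from the article or from GTIG), this Python script scans a constructed set of admin-audit events for mail rules that BCC or forward messages to addresses outside the tenant's own domains, or that carry an unusually long keyword list. The event field names, the trusted domains and the sample data are assumptions, not Google's real audit-log schema.

```python
# Assumption: the tenant's own mail domains; anything else counts as external.
TRUSTED_DOMAINS = {"example-university.edu"}
# Assumption: a keyword list this long is worth a human look.
KEYWORD_THRESHOLD = 50

# Constructed sample events in a simplified, hypothetical shape
# (not Google's actual audit-log format).
SAMPLE_EVENTS = [
    {"actor": "it-admin@example-university.edu",
     "action": "CREATE_CONTENT_COMPLIANCE_RULE",
     "rule_name": "Block outbound SSNs",
     "keywords": ["SSN", "social security"], "bcc": [], "forward_to": []},
    {"actor": "it-admin@example-university.edu",
     "action": "CHANGE_CONTENT_COMPLIANCE_RULE",
     "rule_name": "Patriott",  # constructed misspelling, as in the incident
     "keywords": [f"term{i}" for i in range(148)],
     "bcc": ["collector@attacker-controlled.example"], "forward_to": []},
    {"actor": "helpdesk@example-university.edu",
     "action": "CREATE_ROUTING_RULE",
     "rule_name": "Archive copies", "keywords": [], "bcc": [],
     "forward_to": ["archive@example-university.edu"]},
]


def external_recipients(addresses, trusted):
    """Return the addresses whose domain is not in the trusted set."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in trusted]


def review_rule_events(events, trusted=TRUSTED_DOMAINS,
                       threshold=KEYWORD_THRESHOLD):
    """Flag mail-rule changes that copy mail externally or watch many terms."""
    findings = []
    for ev in events:
        if "RULE" not in ev.get("action", ""):
            continue  # only rule creation/modification events matter here
        reasons = []
        ext = external_recipients(ev.get("bcc", []) + ev.get("forward_to", []),
                                  trusted)
        if ext:
            reasons.append("copies mail to external address(es): "
                           + ", ".join(ext))
        if len(ev.get("keywords", [])) >= threshold:
            reasons.append(f"unusually large keyword list "
                           f"({len(ev['keywords'])} terms)")
        if reasons:
            findings.append({"rule_name": ev["rule_name"],
                             "actor": ev["actor"], "reasons": reasons})
    return findings
```

Feeding the script real exported rule-change events means mapping the export's field names onto the `keywords`, `bcc` and `forward_to` keys used here.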

While Google has notified affected organizations and disrupted the group’s infrastructure, the initial access method remains unclear. This incident highlights the need for vigilance regarding built-in cloud features that could be exploited for data exfiltration.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
