
Chinese Hackers Stole US Research Data for Over a Year: Google

Manaal Khan · 15 June 2026 at 9:26 pm · 5 min read

Key Takeaways

  • Hackers operated undetected from September 2023 to November 2025, targeting academic, medical, and military research facilities
  • The group exploited vulnerabilities in REDCap, a widely-used research data management tool, to gain initial access
  • Attackers set up automated email forwarding using nearly 150 keywords related to defense, AI, and medical research

14 Months of Undetected Access

A Chinese-linked hacking group infiltrated U.S. and Canadian research institutions and remained hidden for more than a year, stealing data related to defense, artificial intelligence, and medical research. Google's Threat Intelligence Group disclosed the campaign on Monday, identifying the attackers as UNC6508.

The operation ran from September 2023 to November 2025. During this period, hackers targeted information on defense intelligence, military strategy in the Indo-Pacific, unmanned vehicles, cyber warfare programs, and medical research. Google did not name the specific organizations but said they collectively employ thousands of people with combined research budgets in the billions of dollars.

14+ months: the time the hackers remained undetected inside US and Canadian research networks before Google identified the intrusion.

How the Hackers Got In

The attackers exploited vulnerabilities in REDCap, a web application widely used by universities and nonprofits to build and manage online surveys and research databases. REDCap is a trusted tool in academic and clinical research environments, which made it an effective entry point.

Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to access targeted networks. Google's report identifies the malware family as INFINITERED, a trojanized REDCap system file designed for long-term persistence.

The actors focused on stealth, bypassing traditional security by exploiting administrative tools and abusing trusted research software.

— Google Threat Intelligence Group, Official Report

Once inside, the attackers set up automated email forwarding. Emails containing any of nearly 150 specific keywords were redirected to a Gmail account they controlled. The keywords included phone numbers and email addresses of people at targeted organizations, along with terms related to geo-strategic policy, military strategy, advanced technology, and medical research.
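Keyword-triggered forwarding to an outside mailbox is something a mail administrator can hunt for in rule exports. The following is an added example, not code from the original article or from Google's report: it audits a constructed set of mailbox forwarding rules and flags external destinations, matches against a defender-maintained watchlist, and unusually broad keyword lists. The domain names, rule fields, watchlist terms, the 20-keyword threshold and the Gmail address are all assumptions made for the example.

```python
"""Audit mailbox forwarding rules for external, keyword-triggered exfiltration.

Added example with constructed data: in practice the rules would be pulled from
the mail platform's admin API or transport-rule export, not hard-coded.
"""
from dataclasses import dataclass
from typing import List

# Assumption: the organization's own mail domains
INTERNAL_DOMAINS = {"research.example.edu"}

# Assumption: defender-chosen sensitive terms (not the actor's keyword list)
WATCHLIST = {"indo-pacific", "unmanned", "clinical trial", "cyber warfare"}

# Assumption: a rule with this many trigger terms is broad enough to be suspicious
BROAD_RULE_THRESHOLD = 20


@dataclass
class ForwardRule:
    mailbox: str
    rule_name: str
    keywords: List[str]   # subject/body terms that trigger the forward
    forward_to: str
    created_by: str


def is_external(address: str) -> bool:
    """True when the destination domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: ForwardRule) -> dict:
    """Return a finding with a severity and the reasons behind it."""
    reasons = []
    external = is_external(rule.forward_to)
    if external:
        reasons.append("forwards to external address")
    hits = sorted({k.lower() for k in rule.keywords} & WATCHLIST)
    if hits:
        reasons.append("matches watchlist terms: " + ", ".join(hits))
    if len(rule.keywords) >= BROAD_RULE_THRESHOLD:
        reasons.append(f"unusually broad keyword list ({len(rule.keywords)} terms)")

    # External forwarding alone is worth a look; external plus keyword signals is the
    # pattern described in the campaign and gets the highest severity.
    if external and len(reasons) > 1:
        severity = "high"
    elif external:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"mailbox": rule.mailbox, "rule": rule.rule_name,
            "severity": severity, "reasons": reasons}


def audit(rules: List[ForwardRule]) -> List[dict]:
    """All findings with a severity other than 'none', highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [assess_rule(r) for r in rules]
    return sorted((f for f in findings if f["severity"] != "none"),
                  key=lambda f: order[f["severity"]])


# Constructed sample rules: one benign, one matching the campaign pattern, one plain external copy
SAMPLE_RULES = [
    ForwardRule("alice@research.example.edu", "Vacation cover", ["out of office"],
                "bob@research.example.edu", "alice"),
    ForwardRule("alice@research.example.edu", "Sync",
                ["indo-pacific", "unmanned", "clinical trial", "budget", "grant", "+1-555-0100"],
                "collector.example@gmail.com", "svc-admin"),
    ForwardRule("carol@research.example.edu", "Vendor copy", [],
                "support@vendor-example.com", "carol"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

The `created_by` field is kept on purpose: a forwarding rule on a researcher's mailbox that was created by a service or administrative account rather than the mailbox owner is itself worth alerting on, and the same audit loop can be extended to check it.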

Why REDCap Made an Effective Target

REDCap is not a household name, but it is standard infrastructure in academic research. The platform handles electronic data capture for clinical trials, translational research, and public health studies. Its widespread adoption in secure research environments made it a high-value target.

By compromising this trusted tool, hackers established a persistent backdoor into some of the most sensitive research environments in North America. The approach reflects a broader trend in cyberespionage: instead of attacking hardened perimeter defenses, attackers target trusted software that security teams are less likely to scrutinize.


Attribution and Chinese Government Denials

Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said UNC6508's methods are broadly consistent with Chinese-linked hacking activity observed over many years. The focus on gathering information likely to interest the Chinese government fits established patterns.

The Chinese Embassy in Washington did not respond to a request for comment. Beijing regularly denies carrying out or condoning illicit hacking activity.

UNC6508 is a relatively new and little-known cyberespionage player. This campaign is among the first public disclosures of its operations.

What Was Targeted

The scope of targeted research was broad. According to Google, the compromised organizations worked on drug discovery, clinical trials, public health policy, and military readiness. The attackers were specifically interested in defense intelligence, Indo-Pacific military strategy, AI development, unmanned vehicle technology, and cyber warfare programs.

  • Defense intelligence and military strategy documents
  • Artificial intelligence research and development
  • Unmanned vehicle and drone technology
  • Cyber warfare programs and capabilities
  • Medical research including drug discovery and clinical trials
  • Public health policy information

This campaign represents a sophisticated, long-term effort to exfiltrate critical research data, impacting national security and competitive advantage in emerging technologies.

— Cybersecurity Analyst, Industry Briefing

Detection and Notification

Google eventually identified multiple compromised organizations across the U.S. and Canada. The company notified each affected institution after detection. REDCap did not respond to a request for comment.

The campaign's discovery highlights both the sophistication of state-linked hacking groups and the challenges research institutions face in securing specialized software. Security discussions on Hacker News and Reddit emphasized that research tools often prioritize functionality over security, and that their rapid adoption outpaces security hardening.

Living Off the Land

Cybersecurity professionals noted that UNC6508's approach exemplifies "living off the land" tactics. Instead of deploying obvious malware that triggers security alerts, the attackers used legitimate administration tools to move through networks. This made their activity harder to distinguish from normal operations.

The technique is not new, but its application against research institutions shows how attackers adapt proven methods to new targets. Organizations with specialized software stacks face particular risks because security teams may lack visibility into niche applications.

Timeline

  • September 2023: Earliest known activity; hackers begin exploiting REDCap vulnerabilities
  • 2023-2025: Attackers steal credentials, establish persistence, and exfiltrate data
  • November 2025: Campaign detected and terminated by Google Threat Intelligence Group
  • June 2025: Google publicly discloses the UNC6508 campaign and notifies affected organizations


Frequently Asked Questions

What is UNC6508?

UNC6508 is a newly identified Chinese-linked hacking group that Google's Threat Intelligence Group attributes to a 14-month cyberespionage campaign targeting U.S. and Canadian research institutions.

What is REDCap and why was it targeted?

REDCap is a web application used by universities and research organizations to manage surveys and databases for clinical and translational research. Its trusted status in secure environments made it an effective entry point for attackers.

What data did the hackers steal?

The hackers targeted information on defense intelligence, military strategy, artificial intelligence, unmanned vehicles, cyber warfare programs, and medical research including drug discovery and clinical trials.

How were the hackers eventually detected?

Google's Threat Intelligence Group identified the campaign and notified affected organizations. The specific detection method was not disclosed.

Has China acknowledged involvement?

No. The Chinese Embassy in Washington did not respond to requests for comment, and Beijing regularly denies carrying out or condoning illicit hacking activity.


Source: Tech-Economic Times / ET


Manaal Khan

Tech & Innovation Writer
