Chinese Hackers Stole US Research Data for Over a Year: Google
Key Takeaways
- Hackers operated undetected from September 2023 to November 2025, targeting academic, medical, and military research facilities
- The group exploited vulnerabilities in REDCap, a widely-used research data management tool, to gain initial access
- Attackers set up automated email forwarding using nearly 150 keywords related to defense, AI, and medical research
14 Months of Undetected Access
A Chinese-linked hacking group infiltrated U.S. and Canadian research institutions and remained hidden for more than a year, stealing data related to defense, artificial intelligence, and medical research. Google's Threat Intelligence Group disclosed the campaign on Monday, identifying the attackers as UNC6508.
The operation ran from September 2023 to November 2025. During this period, hackers targeted information on defense intelligence, military strategy in the Indo-Pacific, unmanned vehicles, cyber warfare programs, and medical research. Google did not name the specific organizations but said they collectively employ thousands of people with combined research budgets in the billions of dollars.
How the Hackers Got In
The attackers exploited vulnerabilities in REDCap, a web application widely used by universities and nonprofits to build and manage online surveys and research databases. REDCap is a trusted tool in academic and clinical research environments, which made it an effective entry point.
Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to access targeted networks. Google's report identifies the malware family as INFINITERED, a trojanized REDCap system file designed for long-term persistence.
“The actors focused on stealth, bypassing traditional security by exploiting administrative tools and abusing trusted research software.”
— Google Threat Intelligence Group, Official Report
Once inside, the attackers set up automated email forwarding. Emails containing any of nearly 150 specific keywords were redirected to a Gmail account they controlled. The keywords included phone numbers and email addresses of people at targeted organizations, along with terms related to geo-strategic policy, military strategy, advanced technology, and medical research.
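One way a defender can hunt for the forwarding pattern just described is to audit mailbox rules for external forwards that carry many keyword conditions or embed contact details. This is an added example, not code from Google's report; the rule record format, the webmail domain list and the sample rules are all constructed for illustration.

```python
"""Audit mailbox auto-forwarding rules for keyword-driven exfiltration.

Rule records use a constructed, tool-neutral shape (hypothetical): export
rules from your own mail platform into ForwardRule objects before auditing.
"""
import re
from dataclasses import dataclass, field

# Constructed list of consumer webmail domains; extend per tenant policy.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)


@dataclass
class ForwardRule:
    mailbox: str          # owner of the rule
    forward_to: str       # destination address
    keywords: list = field(default_factory=list)  # subject/body match terms


def audit_rule(rule, internal_domains, keyword_threshold=20):
    """Return reasons a rule looks suspicious; empty list means not notable.
    Internal forwards are routine and never reported."""
    dest_domain = rule.forward_to.rsplit("@", 1)[-1].lower()
    if dest_domain in {d.lower() for d in internal_domains}:
        return []
    reasons = [f"forwards outside the organisation to {dest_domain}"]
    if dest_domain in WEBMAIL_DOMAINS:
        reasons.append("destination is consumer webmail")
    if len(rule.keywords) >= keyword_threshold:
        reasons.append(f"{len(rule.keywords)} keyword conditions (threshold {keyword_threshold})")
    contact = [k for k in rule.keywords if PHONE_RE.search(k) or EMAIL_RE.search(k)]
    if contact:
        reasons.append(f"{len(contact)} keywords are phone numbers or addresses")
    return reasons


def audit_rules(rules, internal_domains, keyword_threshold=20):
    """Map each flagged mailbox to its list of reasons."""
    findings = {}
    for r in rules:
        reasons = audit_rule(r, internal_domains, keyword_threshold)
        if reasons:
            findings[r.mailbox] = reasons
    return findings


# Constructed sample rules: one matches the campaign pattern, one is a benign
# internal forward, one is an external forward with no keyword conditions.
SAMPLE_KEYWORDS = ["Indo-Pacific strategy", "unmanned vehicle", "cyber warfare",
                   "clinical trial", "drug discovery", "pi.lead@univ.example",
                   "+1 555 010 0199"] + [f"project-{i}" for i in range(15)]
SAMPLE_RULES = [
    ForwardRule("researcher@univ.example", "collector@gmail.com", SAMPLE_KEYWORDS),
    ForwardRule("admin@univ.example", "helpdesk@univ.example", ["ticket"]),
    ForwardRule("prof@univ.example", "prof.home@outlook.com", ["newsletter"]),
]
```

Run `audit_rules(SAMPLE_RULES, {"univ.example"})` to see which mailboxes are flagged and why; the threshold of 20 keywords is a starting point to tune against your own baseline of legitimate rules.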
Why REDCap Made an Effective Target
REDCap is not a household name, but it is standard infrastructure in academic research. The platform handles electronic data capture for clinical trials, translational research, and public health studies. Its widespread adoption in secure research environments made it a high-value target.
By compromising this trusted tool, hackers established a persistent backdoor into some of the most sensitive research environments in North America. The approach reflects a broader trend in cyberespionage: instead of attacking hardened perimeter defenses, attackers target trusted software that security teams are less likely to scrutinize.
Attribution and Chinese Government Denials
Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said UNC6508's methods are broadly consistent with Chinese-linked hacking activity observed over many years. The focus on gathering information likely to interest the Chinese government fits established patterns.
The Chinese Embassy in Washington did not respond to a request for comment. Beijing regularly denies carrying out or condoning illicit hacking activity.
UNC6508 is a relatively new and little-known cyberespionage player. This campaign is among the first public disclosures of its operations.
What Was Targeted
The scope of targeted research was broad. According to Google, the compromised organizations worked on drug discovery, clinical trials, public health policy, and military readiness. The attackers were specifically interested in defense intelligence, Indo-Pacific military strategy, AI development, unmanned vehicle technology, and cyber warfare programs.
- Defense intelligence and military strategy documents
- Artificial intelligence research and development
- Unmanned vehicle and drone technology
- Cyber warfare programs and capabilities
- Medical research including drug discovery and clinical trials
- Public health policy information
“This campaign represents a sophisticated, long-term effort to exfiltrate critical research data, impacting national security and competitive advantage in emerging technologies.”
— Cybersecurity Analyst, Industry Briefing
Detection and Notification
Google eventually identified multiple compromised organizations across the U.S. and Canada. The company notified each affected institution after detection. REDCap did not respond to a request for comment.
The campaign's discovery highlights both the sophistication of state-linked hacking groups and the challenges research institutions face in securing specialized software. Security discussions on HackerNews and Reddit emphasized that research tools often prioritize functionality over security, and their rapid adoption outpaces security hardening.
Living Off the Land
Cybersecurity professionals noted that UNC6508's approach exemplifies "living off the land" tactics. Instead of deploying obvious malware that triggers security alerts, the attackers used legitimate administration tools to move through networks. This made their activity harder to distinguish from normal operations.
The technique is not new, but its application against research institutions shows how attackers adapt proven methods to new targets. Organizations with specialized software stacks face particular risks because security teams may lack visibility into niche applications.
Frequently Asked Questions
What is UNC6508?
UNC6508 is a newly identified Chinese-linked hacking group to which Google's Threat Intelligence Group attributes a 14-month cyberespionage campaign targeting U.S. and Canadian research institutions.
What is REDCap and why was it targeted?
REDCap is a web application used by universities and research organizations to manage surveys and databases for clinical and translational research. Its trusted status in secure environments made it an effective entry point for attackers.
What data did the hackers steal?
The hackers targeted information on defense intelligence, military strategy, artificial intelligence, unmanned vehicles, cyber warfare programs, and medical research including drug discovery and clinical trials.
How were the hackers eventually detected?
Google's Threat Intelligence Group identified the campaign and notified affected organizations. The specific detection method was not disclosed.
Has China acknowledged involvement?
No. The Chinese Embassy in Washington did not respond to requests for comment, and Beijing regularly denies carrying out or condoning illicit hacking activity.
Source: Tech-Economic Times / ET
Manaal Khan
Tech & Innovation Writer