Chinese-Linked Cyberespionage Targets North American Research and Strategic Science

From September 2023 to November 2025, a Chinese-affiliated group known as UNC6508 was behind a cyberespionage push on North American research bodies. They made inroads into defense, AI and medical work by way of REDCap server flaws. It is a case in point for the geopolitical weight that strategic science carries, and for why solid cybersecurity is not optional.

We’ve now seen the full scope of a year of this activity: Google has put it on record that a China-tied entity was quietly making off with data from institutions in the U.S. and Canada. With defence, military, AI and medical research in their crosshairs, the campaign has some people on edge about how easily science can get pulled into a geopolitical tussle.

What Google uncovered

On Monday, Google’s Threat Intelligence Group put a name to it: UNC6508. It’s a newer, little-known hacking group that Google tracks as being of Chinese origin. The way they go about their business is in line with what we’ve seen from other Chinese-linked operations over the years.

You can date the activity to a window between September 2023 and last November. In that time, the intruders were after everything from defence and Indo-Pacific military strategy to unmanned systems, cyber warfare, AI and medicine.

Google isn’t putting out any names, but the targets are big-time – think drug discovery, clinical trials, public health and military readiness. We’re talking about places with thousands of staff and multi-billion dollar R&D budgets. Once Google was on to it, the affected organisations were notified.

How the breach worked

If you go back to the earliest sign of trouble in September 2023, you’ll find the attackers had found a way in through REDCap, the web app many nonprofits use for their surveys and data. Some home-grown malware let them make off with valid credentials and get where they wanted to be.

Then they set up an automated way to siphon off any email matching one of about 150 keywords to a Gmail account of their own, according to the researchers. The keywords covered things like internal contact details and terms related to geostrategy, emerging technology and the like.
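A defender-side check for the forwarding pattern just described, written here as an added example (not Google's, REDCap's or the article's code). It runs over a constructed rule export; the field names, domains and watch terms are assumptions, not any mail platform's real format.

```python
"""Audit mailbox rules for the exfiltration pattern the article describes:
auto-forwarding keyword-matched mail to an external address. Rule records
are CONSTRUCTED; the field names are an assumption, not a real export format."""
from typing import Dict, List

ORG_DOMAIN = "research.example"  # constructed institution domain
# Constructed sample of terms a defender might watch for in rule conditions.
WATCH_TERMS = {"indo-pacific", "unmanned", "clinical trial", "cyber warfare"}

def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_forwarding_rules(rules: List[Dict], org_domain: str = ORG_DOMAIN) -> List[Dict]:
    """Flag every rule that forwards mail outside the organisation; 'high' when
    it is conditioned on watched terms or deletes the original, which fits a
    quiet long-term siphon better than a user's own convenience rule."""
    findings = []
    for rule in rules:
        target = rule.get("forward_to", "")
        if not target or mail_domain(target) == org_domain.lower():
            continue  # no forward, or it stays inside the organisation
        keywords = {k.lower() for k in rule.get("keywords", [])}
        hits = sorted(t for t in WATCH_TERMS if any(t in k for k in keywords))
        severity = "high" if hits or rule.get("delete_original") else "medium"
        findings.append({
            "mailbox": rule["mailbox"], "rule": rule["name"],
            "forward_to": target, "severity": severity, "keyword_hits": hits,
        })
    return findings

# Constructed sample rules: one benign internal forward, two external ones.
SAMPLE_RULES = [
    {"mailbox": "pi@research.example", "name": "Share with assistant",
     "forward_to": "assistant@research.example", "keywords": []},
    {"mailbox": "pi@research.example", "name": ".",
     "forward_to": "archive.backup.8812@gmail.example",
     "keywords": ["Indo-Pacific", "Unmanned systems", "Cyber warfare briefing"],
     "delete_original": True},
    {"mailbox": "admin@research.example", "name": "Home copy",
     "forward_to": "me@personal.example", "keywords": []},
]

if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} {f['rule']!r} -> {f['forward_to']} "
              f"(watched terms: {', '.join(f['keyword_hits']) or 'none'})")
```

Feeding it a real rule export means mapping the platform's own fields onto `forward_to`, `keywords` and `delete_original`; a one-character rule name like `.` on an external forward is itself worth a second look.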

REDCap didn’t get back to us when we asked for a comment. But Google has zeroed in on a number of compromised entities in the U.S. and Canada, which says something about the scale of what was at stake here.

Why this matters now

This was all about the kind of work that puts a nation in a better position, be it for the military or for health. Luke McNamara, who is deputy chief analyst with Google, says the type of intel they were after is the sort the Chinese government would be keen on.

It’s a reminder that an ordinary mailbox can be mined for intelligence with no one the wiser. A single forwarding rule is all it takes to quietly siphon off a lot of sensitive material over time.

Here’s the bottom line from Google’s side:

– We’re looking at a timeline of Sept. 2023 to Nov. 2025

– The group in question: UNC6508, a relative unknown

– They got in through the back door of a REDCap server

– And they exfiltrated mail by auto-forwarding on certain words

Official responses and the road ahead

We haven’t heard from the Chinese Embassy in Washington yet. Beijing has a habit of saying it has nothing to do with this kind of thing. For its part, Google has made the attribution and let the affected parties know.

The security types we spoke to favour a no-nonsense approach to shoring up your defences. They’ll tell you to look at Zero Trust and MFA, and to get on board with some of the new regulatory standards, like the Digital Personal Data Protection rules, as soon as you can.

And it’s not just here in North America. Over in the EU, for instance, state-sponsored hackers from China are a persistent thorn in the side. They prefer to be subtle and in it for the long haul, even if it means going after a small office device in Europe.

What to watch next

As the dust settles and responders do their job, we’ll likely see more come out. There will be some hard questions for institutions to answer about their third-party software and how they handle credentials, particularly with a platform like REDCap.

The message to those in the lab or in admin is plain: if you’re doing important work, there are people out there who want in. For the government, it’s a matter of keeping the lines of collaboration open while you protect what’s essential for your security and your edge.