Google has uncovered and interrupted a prolonged espionage campaign tied to China that compromised US research institutions across academia, healthcare, and defense sectors. The threat group operated quietly within vulnerable networks for more than a year, accessing critical data at the intersection of public health and national security.
The intruders exploited weaknesses in REDCap, a widely used application for managing research data, to breach externally facing web applications. Using custom malware named INFINITERED, they stole login credentials that allowed them to move laterally into internal systems. The attackers then exfiltrated sensitive data discreetly, leveraging legitimate administrative tools and circumventing typical security controls by abusing domain content compliance.
This espionage effort specifically targeted entities involved in defense intelligence, Indo-Pacific military operations, artificial intelligence development, uncrewed vehicle systems, cyber offense research, and medical science. The blend of military and healthcare information highlights how interconnected these sectors have become, creating expansive attack surfaces where clinical trials and strategy planning data coexist within the same vulnerable infrastructure.
Google worked alongside cybersecurity firm Mandiant Consulting to alert victims and enhance security defenses by sharing technical indicators of compromise. The campaign, attributed to an actor Google dubbed UNC6508, follows a similar earlier attack on a US research organization in late 2023, demonstrating the attackers' persistence and tactical patience.
Recognizing the widespread nature of these threats, Google currently tracks hundreds of threat actor groups, many targeting US organizations. It warns that healthcare data breaches have markedly increased, signaling an urgent need for robust identity protections across third-party networks and the adoption of multi-factor authentication to thwart credential theft and lateral movement.

