defense · TheHackerNews
A China-linked espionage group tracked as UNC6508 compromised externally facing REDCap (Research Electronic Data Capture) servers at North American medical, academic, and military research organizations, maintaining access for over a year beginning in September 2023. The group deployed custom malware called INFINITERED that hijacked REDCap's upgrade process, harvested login credentials, and functioned as a backdoor. After escalating to domain administrator privileges, the attackers abused Google Workspace's content compliance rules—a legitimate administrative feature—by creating a rule that silently copied emails matching approximately 150 keywords and addresses to an attacker-controlled Gmail inbox. Google's Threat Intelligence Group identified the technique as abuse of domain-level content compliance rules, which it had not previously observed from China-linked actors. The campaign affected multiple U.S. and Canadian organizations including clinical providers, academic centers, military health institutions, and health regulators.
Organizations in regulated sectors should treat this campaign as a critical case study in privilege-escalation risks and cloud-native exfiltration methods. Defense contractors handling CUI and military research institutions must audit externally facing legacy research platforms, enforce version pinning to prevent downgrade attacks, and review administrative access logs for unauthorized mail-rule creation. Healthcare providers and academic institutions subject to HIPAA, NIST 800-171, and similar frameworks should immediately review cloud email content compliance and forwarding rules for unexpected external routing, particularly those configured at the domain or tenant level. SaaS teams and healthcare systems in SOC2 observation should prioritize phishing-resistant MFA on all administrator accounts and conduct comprehensive audits of mail-forwarding and content-scanning policies. An Omniware engagement can scope REDCap patching, cloud mail-rule hygiene, and privilege-escalation controls tailored to your regulatory posture.
Source: The Hacker News - https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
Source: TheHackerNews
All briefings