China-Linked Hackers Targeted Medical and Military Research Through REDCap in Long-Running Attack
Google’s Threat Intelligence Group (GTIG) disclosed a long-running but only recently discovered espionage campaign against North American academic, medical, and military research organizations. Google attributes the activity to a China-linked actor that targeted sensitive research and defense-related information held by medical and military organizations with thousands of employees and combined research budgets in the billions of dollars.
According to Google, the attackers compromised externally facing REDCap servers, deployed custom malware, captured legitimate login credentials, moved into internal systems, and then abused enterprise administration tools to exfiltrate data. That combination made the activity harder to spot because much of the access appeared to come through valid credentials and legitimate cloud email functions.
The earliest known compromise dates back to September 2023, and Google said the threat actor remained undetected in affected environments for more than a year. Victims included national, state, and private medical entities, academic centers, military health institutions, professional advocacy groups, and health regulatory bodies.

The entry point was REDCap, short for Research Electronic Data Capture. REDCap is a web application widely used by hospitals, universities, nonprofits, and research institutions to build and manage online databases and surveys.
UNC6508, Google’s designation for the threat actor, exploited externally facing REDCap servers and deployed custom malware named INFINITERED, which was used to capture legitimate REDCap login credentials. After establishing a foothold, the attackers performed reconnaissance, searched for credentials, obtained database and service account credentials, and eventually pivoted toward more sensitive internal systems. Google also observed a web shell that maintained persistence inside the REDCap application, so that access survived password changes for the stolen accounts.
The most consequential part of the campaign was how the attackers stole email. Google said UNC6508 manipulated content compliance rules, a legitimate Google Workspace administrative feature that matches messages against configured conditions and applies an action to them, to silently copy every message matching specific keywords to an attacker-controlled Gmail account. Because the copy is made by the mail platform itself, nothing appears in the user’s mailbox, sent folder, or forwarding settings. Reuters reported that nearly 150 keywords and search terms were used. Those terms included phone numbers and email addresses of people at targeted organizations, along with terms related to military strategy, advanced technology, geostrategic policy, and medical research.
What To Do Now?
Organizations using REDCap should ensure installations are fully updated and decommission or firewall older instances (test, legacy, or forgotten installs) that may still be reachable from the internet. Administrators should review externally facing REDCap servers, inspect them for indicators of compromise such as unexpected files in the web root, and rotate any credentials connected to those systems, including database and service account credentials, after checking whether they were reused elsewhere. Cloud email administrators should audit content compliance rules, forwarding rules, routing rules, and administrative changes, especially any rules that copy or redirect messages to addresses outside the organization’s own domains; because these rules act silently at the platform level, the admin console and the admin audit log are the only places they show up.
Google also recommends stronger protection for administrator accounts, including phishing-resistant two-step verification, careful monitoring of audit logs, data loss prevention rules, and SIEM coverage for Workspace logs. These recommendations are useful beyond Google Workspace. The same principle applies across Microsoft 365, identity providers, research platforms, and other SaaS environments: built-in administrative features need governance, monitoring, and evidence trails.
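As an added example of the audit described above (not code from the original post, from Google, or from Centraleyes), the Python below scans Gmail-setting change events for the three signals this campaign would have produced: a rule that delivers copies to an address outside the organization’s domains, a rule changed by an account that is not on the approved administrator list, and a rule with an unusually large number of match terms. The event records are constructed and simplified for the example; the field names, the event names `CREATE_GMAIL_SETTING` and `CHANGE_GMAIL_SETTING`, and the setting names are assumptions and should be checked against your own Admin audit export before the logic is wired into a SIEM.

```python
"""Flag Google Workspace mail-rule changes that copy or route mail externally.

Added example with constructed, simplified event records. The field and event
names below are assumptions, not the real Admin SDK Reports API schema.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TERM_RE = re.compile(r"'([^']+)'")  # match terms are quoted in the sample rule text

# Assumed event names for a Gmail setting being created or modified.
RULE_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
# Setting names worth reviewing: anything that can copy or redirect mail.
RULE_SETTING_HINTS = ("ContentCompliance", "Routing", "Forwarding")

INTERNAL_DOMAINS = {"example-health.org"}           # constructed
APPROVED_ADMINS = {"it-admin@example-health.org"}   # constructed baseline

# Constructed keyword list standing in for the ~150 terms Reuters reported,
# including an internal e-mail address as one of the match terms.
TERMS = ["radiology", "oncology trial", "dod", "contract", "grant award",
         "j.doe@example-health.org", "biodefense", "vaccine", "procurement",
         "classified", "strategy", "export control"]

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    {"actor": "it-admin@example-health.org", "event": "CHANGE_GMAIL_SETTING",
     "setting": "ContentComplianceSettings",
     "new_value": "match: 'invoice' 'purchase order'; action: prepend subject [FINANCE]"},
    {"actor": "svc-redcap@example-health.org", "event": "CREATE_GMAIL_SETTING",
     "setting": "ContentComplianceSettings",
     "new_value": "match: " + " ".join(f"'{t}'" for t in TERMS)
                  + "; action: also deliver to collector.research.2023@gmail.com"},
    {"actor": "it-admin@example-health.org", "event": "CHANGE_GMAIL_SETTING",
     "setting": "RoutingSettings",
     "new_value": "route copies of messages matching 'grants' to compliance@partner-law-firm.example"},
    {"actor": "it-admin@example-health.org", "event": "CHANGE_GMAIL_SETTING",
     "setting": "SpamSettings", "new_value": "bypass spam filter for lists"},
    {"actor": "it-admin@example-health.org", "event": "CHANGE_GMAIL_SETTING",
     "setting": "RoutingSettings",
     "new_value": "route copies to archive@example-health.org"},
]


def external_addresses(text, internal_domains):
    """Return e-mail addresses in text whose domain is not an internal one."""
    internal = {d.lower() for d in internal_domains}
    found = []
    for addr in EMAIL_RE.findall(text):
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in internal:
            found.append(addr)
    return found


def match_term_count(text):
    """Count quoted match terms in the rule text."""
    return len(TERM_RE.findall(text))


def find_suspicious_rule_changes(events, internal_domains, approved_admins,
                                 term_threshold=10):
    """Return findings for rule changes that merit human review."""
    approved = {a.lower() for a in approved_admins}
    findings = []
    for ev in events:
        if ev["event"] not in RULE_EVENTS:
            continue
        if not any(hint in ev["setting"] for hint in RULE_SETTING_HINTS):
            continue
        reasons = []
        ext = external_addresses(ev["new_value"], internal_domains)
        if ext:
            reasons.append("copies or routes mail to external address(es): " + ", ".join(ext))
        if ev["actor"].lower() not in approved:
            reasons.append(f"changed by account outside the approved admin list: {ev['actor']}")
        n = match_term_count(ev["new_value"])
        if n >= term_threshold:
            reasons.append(f"rule matches {n} terms (threshold {term_threshold})")
        if reasons:
            findings.append({"actor": ev["actor"], "setting": ev["setting"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rule_changes(SAMPLE_EVENTS, INTERNAL_DOMAINS, APPROVED_ADMINS):
        print(f"{f['setting']} changed by {f['actor']}")
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed data the rule created by the REDCap service account trips all three signals, while the routing rule to an outside law firm trips only the external-recipient check; that second finding is still worth a ticket, because a legitimate external copy should be on record somewhere. The term threshold is deliberately low for the sample; in practice tune it from a baseline of your own rules, and feed the same checks with forwarding and routing events, not only content compliance.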
The post China-Linked Hackers Targeted Medical and Military Research Through REDCap in Long-Running Attack appeared first on Centraleyes.
*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/china-linked-hackers-targeted-medical-and-military-research-through-redcap-in-long-running-attack/

