🀄 Chinese Hackers Hid Inside US Research Networks for Two Years — Stole Emails via Google Workspace
16 June 2026 — A Chinese state-sponsored espionage group known as UNC6508 has been caught hiding inside North American medical, academic, and military research networks since September 2023 — stealing sensitive research and defence emails using a surprisingly simple technique.
How They Got In
The attackers compromised REDCap (Research Electronic Data Capture) servers — a web platform used by hospitals and universities to manage study databases. Once inside, they:
- Deployed custom malware called INFINITERED that hijacked REDCap's own system files
- Stole usernames and passwords from the login page
- Used those credentials to move into internal networks
- Escalated to domain administrator access
The INFINITERED malware was particularly clever — it hid inside REDCap's upgrade process so each update would re-infect the server instead of clearing it.
How They Stole the Emails
This is the part that security researchers are calling innovative:
Instead of deploying malware on the mail server, the attackers used Google Workspace content compliance rules — a legitimate admin feature designed to scan emails for policy violations.
They created a rule (misspelled "Patroit") that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC'd it to an attacker-controlled Gmail address.
No malware on the mail server. No unusual network traffic. No separate exfiltration tool. Just a built-in feature turned against them.
What They Were After
The keywords reveal the group's intelligence priorities:
- Geo-strategic policy — including sensitive defence strategy
- Military equipment — specific weapons systems
- Advanced technology — AI, uncrewed vehicles
- Offensive cyber programs
- Medical research — including chikungunya (a virus linked to a 2025 outbreak in China)
What This Means for UK Organisations
While this campaign targeted North American networks, the techniques are globally applicable. If you use:
- REDCap — patch externally facing servers and remove old versions
- Google Workspace — audit your content compliance rules for unexpected forwarding
- Microsoft 365 — similar mailbox forwarding rules exist and should be checked
How to Protect Your Organisation
- Audit email forwarding rules — check for unexpected forwarding or BCC rules
- Patch REDCap servers — don't keep old versions running alongside new ones
- Review admin accounts — ensure only authorised personnel have domain admin rights
- Monitor for anomalous mailbox rules — especially rules that forward to external addresses
- Enable logging — track compliance rule changes in Google Workspace admin console
Source: The Hacker News / Google Threat Intelligence Group (GTIG)