🀄 Chinese Hackers Hid Inside US Research Networks for Two Years — Stole Emails via Google Workspace

16 June 2026 — A Chinese state-sponsored espionage group known as UNC6508 has been caught hiding inside North American medical, academic, and military research networks since September 2023 — stealing sensitive research and defence emails using a surprisingly simple technique.

How They Got In

The attackers compromised REDCap (Research Electronic Data Capture) servers — a web platform used by hospitals and universities to manage study databases. Once inside, they:

  1. Deployed custom malware called INFINITERED that hijacked REDCap's own system files
  2. Stole usernames and passwords from the login page
  3. Used those credentials to move into internal networks
  4. Escalated to domain administrator access

The INFINITERED malware was particularly clever — it hid inside REDCap's upgrade process so each update would re-infect the server instead of clearing it.

How They Stole the Emails

This is the part that security researchers are calling innovative:

Instead of deploying malware on the mail server, the attackers used Google Workspace content compliance rules — a legitimate admin feature designed to scan emails for policy violations.

They created a rule (misspelled "Patroit") that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC'd it to an attacker-controlled Gmail address.

No malware on the mail server. No unusual network traffic. No separate exfiltration tool. Just a built-in feature turned against them.

What They Were After

The keywords reveal the group's intelligence priorities:

  • Geo-strategic policy — including sensitive defence strategy
  • Military equipment — specific weapons systems
  • Advanced technology — AI, uncrewed vehicles
  • Offensive cyber programs
  • Medical research — including chikungunya (a virus linked to a 2025 outbreak in China)

What This Means for UK Organisations

While this campaign targeted North American networks, the techniques are globally applicable. If you use:

  • REDCap — patch externally facing servers and remove old versions
  • Google Workspace — audit your content compliance rules for unexpected forwarding
  • Microsoft 365 — similar mailbox forwarding rules exist and should be checked

How to Protect Your Organisation

  1. Audit email forwarding rules — check for unexpected forwarding or BCC rules
  2. Patch REDCap servers — don't keep old versions running alongside new ones
  3. Review admin accounts — ensure only authorised personnel have domain admin rights
  4. Monitor for anomalous mailbox rules — especially rules that forward to external addresses
  5. Enable logging — track compliance rule changes in Google Workspace admin console

Source: The Hacker News / Google Threat Intelligence Group (GTIG)