A China-linked espionage group maintained persistent access to U.S. and Canadian medical, academic, and military research networks for more than a year, quietly siphoning sensitive emails by abusing legitimate Google Workspace configuration features, according to a report by The Hacker News.

The campaign relied on an unusual and stealthy exfiltration method, one that illustrates a growing class of cloud-native threats that conventional network monitoring struggles to detect.

Entry Point: A Backdoor on REDCap Research Servers

The attackers gained initial footholds through backdoors planted on servers running REDCap, a widely used open-source research data management platform commonly deployed in academic medical centers and university labs.

The REDCap backdoor was used to harvest login credentials from researchers and support staff, providing the threat actor with authenticated access to victims' cloud environments. Because REDCap instances often sit outside the direct oversight of enterprise security teams — frequently managed by research departments or individual labs rather than centralised IT — they represent a significant blind spot in many organisations' security posture.

The Unusual Exfiltration Technique

Rather than forwarding stolen emails to external addresses or deploying malware that could trigger endpoint detection, the attackers took a subtler approach. They modified email forwarding rules within the victims' own Google Workspace tenant, configuring the platform to automatically copy incoming messages — including sensitive research correspondence and defence-related communications — to attacker-controlled destinations.

This technique effectively turned a trusted, legitimate productivity tool into a data theft pipeline. Because the forwarding operates within Google's own infrastructure and uses the victim's authenticated session, the activity can blend seamlessly into normal cloud operations and evade traditional network-level monitoring.
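The configuration the article describes (mail copied onward by the tenant itself) is something a defender can audit directly. The following is an added example, not code from the article, from Google, or from the campaign: a point-in-time audit of one mailbox's forwarding configuration. The input shape loosely follows what the Gmail API returns for a user's forwarding addresses and filters, as this example's author understands it, and every value in `SAMPLE_MAILBOX`, the `INTERNAL_DOMAINS` set and the user name are constructed. It flags forwarding addresses and filter forward actions that point outside the organisation, and separately flags forward-and-hide filters (those that also remove the message from INBOX or trash it), since those leave the mailbox owner with no visible trace of the copy.

```python
# Constructed for this example: domains owned by a hypothetical institution.
INTERNAL_DOMAINS = {"example-university.edu"}

# Constructed settings for one mailbox. Field names mirror the shape of the
# Gmail API forwardingAddresses.list and filters.list responses as understood
# by the author of this example; all values are invented.
SAMPLE_MAILBOX = {
    "user": "researcher@example-university.edu",
    "forwardingAddresses": [
        {"forwardingEmail": "researcher@example-university.edu",
         "verificationStatus": "accepted"},
        {"forwardingEmail": "collect@mail-relay.example.net",
         "verificationStatus": "accepted"},
    ],
    "filters": [
        # Benign: a newsletter filter that files mail but forwards nothing.
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Newsletters"], "removeLabelIds": ["INBOX"]}},
        # Suspicious: forwards matching mail externally and hides it from INBOX.
        {"id": "f2", "criteria": {"query": "subject:(grant OR contract)"},
         "action": {"forward": "collect@mail-relay.example.net",
                    "removeLabelIds": ["INBOX", "UNREAD"]}},
    ],
}


def email_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    address = address.strip().lower()
    return address.rsplit("@", 1)[1] if "@" in address else ""


def is_internal(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is an internal domain or a subdomain of one."""
    domain = email_domain(address)
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_mailbox(mailbox: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return findings (dicts) for forwarding configuration worth a human look."""
    findings = []
    user = mailbox["user"]

    # 1. Account-level forwarding addresses that leave the organisation.
    for entry in mailbox.get("forwardingAddresses", []):
        dest = entry.get("forwardingEmail", "")
        if not is_internal(dest, internal_domains):
            findings.append({
                "user": user, "kind": "forwarding_address", "destination": dest,
                "severity": "high",
                "detail": "forwarding address outside internal domains "
                          f"(status={entry.get('verificationStatus', 'unknown')})",
            })

    # 2. Filters with a forward action. External destinations are high severity;
    #    an internal forward that also hides the message is still worth review.
    for flt in mailbox.get("filters", []):
        action = flt.get("action", {})
        dest = action.get("forward")
        if not dest:
            continue
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or "TRASH" in action.get("addLabelIds", []))
        external = not is_internal(dest, internal_domains)
        if external or hides:
            detail = []
            if external:
                detail.append("filter forwards outside internal domains")
            if hides:
                detail.append("filter hides forwarded messages from the owner")
            findings.append({
                "user": user, "kind": "filter_forward", "filter_id": flt.get("id"),
                "destination": dest,
                "severity": "high" if external else "medium",
                "detail": "; ".join(detail),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_MAILBOX):
        print(finding)
```

In a real deployment the `SAMPLE_MAILBOX` dict would be replaced by the per-user API responses pulled with a domain-wide delegated service account, and the run scheduled so that a new external destination is noticed in days rather than, as in this campaign, after more than a year.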

The ability to remain undetected for over 12 months demonstrates considerable operational discipline. The attackers appeared to prioritise persistence and low-and-slow data collection over speed — a hallmark of state-sponsored espionage campaigns.

Why This Matters for Cloud Security

The incident highlights a critical shift in the threat landscape. As organisations move their communications and collaboration tools to cloud platforms, adversaries are adapting their tradecraft accordingly. Abusing built-in features like email rules, calendar permissions, or document-sharing settings avoids the need for custom malware and leaves fewer forensic artefacts.

Defending against such techniques requires a fundamentally different approach from traditional perimeter-focused security. Security teams should consider:

  • Regularly auditing cloud configuration states, including email forwarding rules, inbox delegation, and OAuth application permissions within Google Workspace and Microsoft 365 tenants. Google Workspace's Admin Console audit logs and Alert Center can surface rule changes that may otherwise go unnoticed.
  • Enforcing strict access controls and monitoring on research infrastructure such as REDCap, electronic lab notebooks, and institutional repository systems that may fall outside standard security tooling.
  • Implementing alerting for new forwarding rules that direct mail to external domains, particularly those created by accounts that have not historically used such features.
  • Monitoring for anomalous credential use, especially logins from unusual locations or devices following periods of inactivity.
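The first and third points above (auditing rule changes through the admin audit logs, and alerting on new forwarding rules to external domains from accounts that have not used forwarding before) can be combined into one detection. The following is an added example, not the article's, Google's or any vendor's code. It consumes audit records as one JSON object per line; the record layout (id.time, actor.email, events[].name, events[].parameters[]) and the `email_forwarding_change` event with its `email_forwarding_destination_address` parameter are modelled on the Google Workspace Reports API user-accounts activity as this example's author understands it, and should be checked against a real export before use. The log lines, `INTERNAL_DOMAINS` and the `FORWARDING_BASELINE` of accounts with legitimate prior forwarding history are all constructed.

```python
import json

# Constructed for this example: the institution's own domains.
INTERNAL_DOMAINS = {"example-university.edu"}

# Constructed baseline: accounts that legitimately used forwarding before the
# review window (in practice built from earlier audit exports).
FORWARDING_BASELINE = {"alice@example-university.edu"}

# Constructed audit records, one JSON object per line. Event and parameter
# names are an assumption modelled on the Reports API; values are invented.
SAMPLE_LOG_LINES = [
    json.dumps({"id": {"time": "2024-03-04T09:12:41.000Z"},
                "actor": {"email": "alice@example-university.edu"},
                "events": [{"name": "email_forwarding_change",
                            "parameters": [{"name": "email_forwarding_destination_address",
                                            "value": "alice.lab@example-university.edu"}]}]}),
    json.dumps({"id": {"time": "2024-03-04T23:57:02.000Z"},
                "actor": {"email": "bob@example-university.edu"},
                "events": [{"name": "email_forwarding_change",
                            "parameters": [{"name": "email_forwarding_destination_address",
                                            "value": "archive@mail-backup.example.net"}]}]}),
    json.dumps({"id": {"time": "2024-03-05T01:10:19.000Z"},
                "actor": {"email": "carol@example-university.edu"},
                "events": [{"name": "password_edit", "parameters": []}]}),
    "this line is not JSON and is skipped by the parser",
]


def email_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    address = address.strip().lower()
    return address.rsplit("@", 1)[1] if "@" in address else ""


def is_internal(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is an internal domain or a subdomain of one."""
    domain = email_domain(address)
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def forwarding_changes(lines):
    """Yield (time, actor, destination) for every forwarding-change event.

    Malformed lines and unrelated events are skipped rather than aborting the run,
    so one bad export line cannot suppress the alerts around it.
    """
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        actor = record.get("actor", {}).get("email", "")
        when = record.get("id", {}).get("time", "")
        for event in record.get("events", []):
            if event.get("name") != "email_forwarding_change":
                continue
            params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
            dest = params.get("email_forwarding_destination_address")
            if dest:
                yield when, actor, dest


def alert_on_forwarding(lines, internal_domains=INTERNAL_DOMAINS,
                        baseline=FORWARDING_BASELINE) -> list:
    """Return alerts for external destinations or first-time use of forwarding."""
    alerts = []
    seen = set(baseline)  # accounts with known forwarding history, updated as we go
    for when, actor, dest in forwarding_changes(lines):
        external = not is_internal(dest, internal_domains)
        first_use = actor not in seen
        seen.add(actor)
        reasons = []
        if external:
            reasons.append("destination outside internal domains")
        if first_use:
            reasons.append("account has no prior forwarding history")
        if reasons:
            alerts.append({"time": when, "actor": actor, "destination": dest,
                           "severity": "high" if external else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in alert_on_forwarding(SAMPLE_LOG_LINES):
        print(alert)
```

Alice's change is internal and she is in the baseline, so it produces nothing; Bob's change is both external and the first forwarding event for that account, which is exactly the combination the third bullet describes. Feeding this the same export on a schedule, and keeping the baseline in sync with the previous run's `seen` set, gives a cheap control that does not depend on seeing the mail leave the network.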

Attribution and Broader Context

Google has attributed the campaign to a threat actor tracked as UNC6508, linking it to Chinese state-sponsored espionage operations. China-linked APT groups have a well-documented history of targeting research institutions, defence contractors, and government-adjacent organisations for intelligence collection — a pattern that makes academic and medical research networks especially attractive targets given the intellectual property and government-funded research they harbour.

The use of a ubiquitous research platform like REDCap as an initial access vector is particularly noteworthy. Many universities and hospitals deploy dozens of REDCap instances managed by individual research groups, each potentially representing an unmonitored entry point into the broader institutional network.

For technology professionals managing cloud environments and research infrastructure, this campaign serves as a reminder that the most dangerous threats often come not from exotic zero-day exploits, but from the creative misuse of tools that organisations already trust.
