- Google GTIG exposes UNC6508, a PRC‑linked group exploiting REDCap servers with custom INFINITERED malware
- Attackers stole credentials, exfiltrated sensitive data via manipulated compliance rules, and hid for over a year
- Gmail accounts tied to campaign disabled; admins urged to enforce phishing‑resistant MFA, device‑bound sessions, and advanced protections
For more than a year, Chinese state-sponsored threat actors have been lurking in servers belonging to North American academic, medical, and military research organizations, deploying bespoke malware and exfiltrating sensitive files, experts have warned.
Google Threat Intelligence Group (GTIG) published a new report detailing the recent works of UNC6508, a People's Republic of China (PRC)-nexus threat actor, who allegedly managed to exploit externally facing Research Electronic Data Capture (REDCap) servers to deploy a custom piece of malware called INFINITERED.
Through this malware they stole login credentials, allowing them to access the servers’ contents and remain undetected for more than a year. They then moved laterally throughout the network, exfiltrating sensitive data using a novel technique of manipulating domain content compliance rules.
"Patroit"
Google says content compliance rules are a “legitimate feature present in many cloud-based enterprise productivity suites”. Using admin accounts, the attackers created specific rules to manage email messages that contained matching predefined sets of words, phrases, and text patterns.
They named the rule “Patroit” and tasked it to BCC-forward certain emails to actor-controlled Gmail addresses.
Google has since disabled the Gmail accounts associated with this threat actor and this campaign.
In the blog, the researchers gave a rather extensive list of things admins should do to make sure they’re safe from UNC6508 and similar actors, including enforcing phishing-resistant 2-factor authentication, enrolling highly sensitive accounts into the Advanced Protection Program, and enforcing Device Bound Session Credentials with CAA for highly sensitive accounts to prevent cookie theft.
“The campaign targeted a diverse set of national, state, and private medical entities,” Google stressed. “These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies."
"Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness. They employ thousands of people with a combined research budget in the billions of dollars.”
