Google announced on Monday (June 15) that a cyber espionage hacker group affiliated with China’s Communist Party has been secretly stealing data from academic, medical, and military research institutions in the United States and Canada for over a year. Google has discovered and dismantled the malicious infrastructure of this organization.
According to the latest report by Google Threat Intelligence Group (GTIG), between September 2023 and November 2025, hackers extensively gathered sensitive information related to defense intelligence, military strategies in the Indo-Pacific region, artificial intelligence (AI), autonomous vehicle systems, cyber attack projects, and medical research.
Google did not specifically name the targeted organizations but revealed that they included public and private medical entities, top academic centers, and North American military medical institutions. These institutions are involved in critical areas such as molecular drug development, clinical trials, national public health policies, and military preparedness, employing thousands of staff with total research budgets amounting to billions of dollars.
Google attributed this cyber espionage operation to a newly emerging hacker group called “UNC6508.” Luke McNamara, deputy chief analyst of GTIG, pointed out that the group’s tactics closely mirror the observed activities of Chinese hackers over the years, with a core focus on collecting intelligence that may interest the Chinese government.
According to Reuters, the Chinese Embassy in Washington did not immediately respond to media requests for comments on these allegations. Beijing has consistently denied conducting or condoning illegal cyber intrusion activities.
The operation can be traced back to as early as September 2023. Hackers initially exploited vulnerabilities in external REDCap servers, deploying customized malicious software named “INFINITERED” to intercept legitimate login credentials.
After successfully infiltrating for over a year, UNC6508 used these credentials to penetrate the internal systems of the targeted networks and employed a highly covert new technique:
– Manipulation of Content Compliance Rules: Upon gaining access, hackers abused the built-in “Content Compliance Rules” feature of the email system.
– Precision Keyword Filtering: They set up nearly 150 specific keywords, including phone numbers, emails of personnel at the targeted institutions, and terms related to geopolitical, military strategies, advanced technologies, and medical research.
– Automatic Forwarding: Whenever an email triggered a keyword, the system would automatically and discreetly forward the email to a Gmail account controlled by the hackers.
A crucial detail revealed by Google security engineers is that one of the specific targets the hackers sought was related to research on “Chikungunya,” a virus transmitted by mosquitoes. This data collection operation coincided closely with the Chikungunya outbreak in Guangdong Province, China, in July 2025.
At the time of publication, there has been no response from REDCap regarding requests for comments.
Google stated that GTIG has confirmed several institutions in the US and Canada that were compromised and has notified all of them.
This counteraction was carried out jointly by GTIG in collaboration with cybersecurity companies Mandiant Consulting, the FLARE team, and the Workspace Security team. Experts combined threat intelligence, incident response, and reverse engineering techniques to outline the complete lifecycle of the hackers from initial intrusion to mission execution. Currently, relevant malicious indicators have been updated to Google SecOps for defense personnel to identify potential threats in the network.
