A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email.

The way in was a backdoor on the victims' REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired those organizations' own Google Workspace rules to copy any message matching their keywords to an inbox they controlled.

Google's Threat Intelligence Group (GTIG) laid out the campaign in a report published this week and attributes it with high confidence to a cluster it tracks as UNC6508.

The actor and its REDCap backdoor are not new names; Google first surfaced both in February, in a wider report on state-backed attacks against the defense sector. It did not name the victims, describing them only as multiple organizations across the US and Canada: clinical providers, academic centers, military health institutions, advocacy groups, and health regulators.

Google says it notified them and disrupted the group's infrastructure.