TL;DR: China-linked UNC6508 backdoored REDCap servers at US and Canadian research institutions, then used Google Workspace mail rules to steal email.

A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks, stealing sensitive data and defence email. The attackers got in through a backdoor on REDCap research servers. The exfiltration method was the unusual part: they rewired the victims’ own Google Workspace rules to copy matching messages to an inbox they controlled.
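The mail-rule exfiltration described above is easy to audit for once you know to look. The following is an added example, not code from Google's report or from any affected institution: it takes a parsed Gmail filter list (the constructed sample below is shaped like the Gmail API `users.settings.filters.list` response) and flags rules that forward matching messages to an address outside the organisation's own domains (the `ORG_DOMAINS` set and all addresses are assumptions), rating higher any rule that also removes the message from the inbox so the owner never sees it.

```python
import json

# Constructed sample shaped like the Gmail API users.settings.filters.list
# response; only the documented 'criteria' and 'action' fields are used.
SAMPLE_FILTERS = json.loads("""
{"filter": [
  {"id": "f1", "criteria": {"from": "newsletter@example.org"},
   "action": {"addLabelIds": ["Label_12"]}},
  {"id": "f2", "criteria": {"query": "contract OR grant OR clinical"},
   "action": {"forward": "archive@attacker-controlled.example",
              "removeLabelIds": ["INBOX"]}},
  {"id": "f3", "criteria": {"to": "team@research.example.edu"},
   "action": {"forward": "shared@research.example.edu"}}
]}
""")

# Assumption: the tenant's own mail domains; forwards to these are normal.
ORG_DOMAINS = {"research.example.edu"}


def audit_filters(filters, org_domains):
    """Return findings for filters that forward mail outside the organisation.

    A rule that both forwards externally and removes INBOX is rated 'high':
    the copy leaves silently and the mailbox owner never sees the message,
    which is what makes rule-based exfiltration hard to notice."""
    findings = []
    for f in filters.get("filter", []):
        action = f.get("action", {})
        fwd = action.get("forward")
        if not fwd:
            continue  # no forwarding action, nothing leaves the tenant
        domain = fwd.rsplit("@", 1)[-1].lower()
        if domain in org_domains:
            continue  # internal forward, in scope for review but not a finding
        hidden = "INBOX" in action.get("removeLabelIds", [])
        findings.append({
            "id": f.get("id"),
            "forward_to": fwd,
            "criteria": f.get("criteria", {}),
            "hides_from_inbox": hidden,
            "severity": "high" if hidden else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS, ORG_DOMAINS):
        print(json.dumps(finding))
```

In a real tenant the filter list is pulled per mailbox through the Gmail API with domain-wide delegation; the same check applies to the per-user forwarding and delegation settings.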

Google’s Threat Intelligence Group laid out the campaign in a report published this week, attributing it with high confidence to a cluster it tracks as UNC6508. The victims span clinical providers, academic centres, military health institutions, advocacy groups, and health regulators across the United States and Canada. Google says it notified the affected organisations and disrupted the group’s infrastructure.

UNC6508 is not a new name. Google first surfaced the group in February in a broader report on state-backed attacks against the defence sector. What is new is the full picture of how the group operated once inside.

The entry point was REDCap, short for Research Electronic Data Capture, a web platform that hospitals and universities use to build and manage clinical study databases. UNC6508 compromised externally facing REDCap servers. Google has not identified the initial access vector, named a specific CVE, or listed affected versions, though it observed the group probing older, vulnerable installations.