Google says Chinese hackers breached Workspace’s security to target “a diverse set of domestic, state, and private medical entities,” including research and defense organizations.

Google GTIG Exposes UNC6508, PRC-Linked Group Exploiting REDCap Servers With Custom INFINITERED Malware
The attackers stole credentials, exfiltrated sensitive data via manipulated compliance rules, and went into hiding for over a year.
Gmail accounts linked to the campaign disabled; admins are encouraged to apply phishing-resistant MFA, device-linked sessions, and advanced protections

For more than a year, Chinese state-sponsored threat actors have been hiding in servers belonging to North American academic, medical and military research organizations, deploying custom malware and exfiltrating sensitive files, experts have warned.

Google Threat Intelligence Group (GTIG) has released a new report detailing the recent work of UNC6508, a threat actor linked to the People’s Republic of China (PRC), which allegedly successfully exploited external Research Electronic Data Capture (REDCap) servers to deploy custom malware called INFINITERED.

Using this malware, they stole login credentials, allowing them to access server content and remain undetected for over a year. They then moved laterally across the network, exfiltrating sensitive data using a new technique for manipulating domain content compliance rules.

“Patriot”

Google says content compliance rules are a “legitimate feature found in many cloud-based business productivity suites.” Using administrator accounts, the attackers created specific rules to handle email messages containing predefined sets of words, phrases, and matching text patterns.

They named the rule “Patroit” and tasked it with forwarding certain BCC emails to actor-controlled Gmail addresses.

Google has since disabled the Gmail accounts associated with this threat actor and campaign.

In the blog, the researchers gave a fairly long list of things administrators should do to ensure they are safe from UNC6508 and similar actors, including enforcing phishing-resistant 2-factor authentication, enrolling highly sensitive accounts in the Advanced Protection program, and enforcing device-bound session credentials with CAA for highly sensitive accounts to prevent cookie theft.

“The campaign targeted a diverse set of national, state and private medical entities,” Google highlighted. “These organizations include world-renowned clinical providers, leading academic centers, North American military health institutions, professional advocacy groups and health regulatory agencies. »

“Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military preparedness. They employ thousands of people with a combined research budget of billions of dollars.