The Sheffield Press

Google disrupts China-linked spy campaign targeting US research institutions

By Pamella Goncalves

Google has disrupted a China-nexus espionage campaign that spent more than a year inside North American academic, medical and military research networks, quietly collecting information that sits at the fault line between public health and national security. The targets included clinical providers, research centers, military health institutions, advocacy groups and regulators, underscoring how the research supply chain now links hospital systems, university labs and defense work into one exposed ecosystem.

Google Threat Intelligence Group said the group it tracks as UNC6508 focused on defense intelligence, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs and medical research. That mix shows why hospitals and affiliated labs have become such valuable targets: the same networks that handle drug discovery, clinical trials and public health policy can also hold data relevant to military readiness and strategic planning. The earliest known compromise in the campaign dated to September 2023, and Google said the operation remained undetected for more than a year.


The intrusion started where many institutional networks are weakest: at externally facing web applications. Google said UNC6508 exploited vulnerable REDCap servers, used bespoke INFINITERED malware to steal login credentials and then reused those credentials to move deeper into internal systems. Once inside, the group used ordinary administrative tools to pull data out quietly, including a technique that abused the domain's content compliance rules for exfiltration. It is a reminder that espionage campaigns often ride on everyday enterprise systems and valid credentials rather than on exotic zero-day exploits alone.
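The chain described above (credentials harvested on an exposed web application host, then reused against internal systems) leaves a recognisable trace in authentication logs: an account whose successful logons suddenly originate from the web server and fan out to hosts that server has no business reaching. The following is an added example, not code from Google's report or from the article's sources, showing one such heuristic over constructed log lines. The host names, the log format and the expected app-to-database flow are assumptions for illustration.

```python
"""
Added example (not Google's or the article's code): flag accounts that, from an
internet-facing web application host, successfully authenticate to several
distinct internal hosts within a short window. Log format and host names are
hypothetical; the sample log below is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts that face the internet and should only talk to their own back end.
EXPOSED_HOSTS = {"redcap-web01"}

# Flows that are normal for the application tier (web app -> its database),
# so a logon along this path is not evidence of credential reuse.
EXPECTED_FLOWS = {("redcap-web01", "redcap-db01")}

# Constructed sample log lines: "timestamp user src_host dst_host result"
SAMPLE_LOG = """\
2023-09-12T01:02:10Z svc_redcap redcap-web01 redcap-db01 success
2023-09-12T01:15:44Z svc_redcap redcap-web01 fileshare02 success
2023-09-12T01:21:03Z svc_redcap redcap-web01 dc01 success
2023-09-12T01:30:27Z svc_redcap redcap-web01 research-nas success
2023-09-12T08:00:00Z alice ws-alice fileshare02 success
2023-09-12T08:05:00Z alice ws-alice research-nas success
2023-09-13T02:00:00Z bob redcap-web01 dc01 failure
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "dst": dst, "result": result,
        })
    return events


def find_credential_reuse(events, exposed_hosts=EXPOSED_HOSTS,
                          expected_flows=EXPECTED_FLOWS,
                          window_hours=24, min_targets=3):
    """
    Return {user: sorted internal hosts} for every account that, from an
    exposed host, successfully logged on to at least `min_targets` distinct
    internal hosts inside any span of `window_hours`. Failed logons and
    expected application flows are ignored.
    """
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        if e["src"] not in exposed_hosts or e["dst"] in exposed_hosts:
            continue
        if (e["src"], e["dst"]) in expected_flows:
            continue
        per_user[e["user"]].append(e)

    flagged = {}
    for user, evs in per_user.items():
        # Sliding window: for each event as the window start, collect the
        # distinct destinations reached before the window closes.
        for i, start in enumerate(evs):
            targets = {x["dst"] for x in evs[i:]
                       if x["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                flagged[user] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_credential_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"suspect credential reuse: {user} -> {', '.join(hosts)}")
```

In the constructed sample, the REDCap service account's hop to its own database is ignored as an expected flow, but its subsequent logons to a file share, a domain controller and a research NAS from the web server trip the threshold; the workstation user and the failed logon do not. The threshold and window are deliberately parameters: a site should tune them against its own baseline of which accounts legitimately originate from application hosts, and treat a hit as a lead to investigate, not a verdict.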

Google said it worked with Mandiant Consulting to notify affected organizations and updated Google Security Operations with indicators of compromise so defenders could look for signs of intrusion elsewhere. The company also linked UNC6508 to a broader pattern of PRC-nexus activity and said it had previously seen the group target a US-based research institution in late 2023 through a multistage intrusion that used a REDCap exploit and INFINITERED. That continuity points to a patient, repeat-offender model aimed at institutions that often hold sensitive data but lack the layered defenses of larger federal agencies.

The warning lands against a larger threat picture that remains crowded and persistent. Google said it is monitoring 655 threat actors, 322 of which target organizations in the United States, while healthcare's share of data-leak-site posts has doubled over the past three years. Google urged stronger protections for third-party identities and wider use of two-step verification, but the deeper problem is structural: universities, hospitals and labs still depend on sprawling vendor access, aging research software and thinly protected administrative pathways, making them attractive not just because of what they study, but because of how they are built.

Sources

cloud.google.com