- Google GTIG exposes UNC6508, a group linked to the People’s Republic of China that exploits REDCap servers with custom INFINITERED malware
- The attackers stole credentials, exfiltrated sensitive data using manipulated compliance rules, and hid for more than a year.
- Gmail accounts linked to the campaign have been disabled; administrators are encouraged to implement phishing-resistant MFA, device-bound sessions, and advanced protections.
For more than a year, Chinese state-sponsored threat actors have been lurking in servers belonging to North American academic, medical and military research organizations, deploying custom malware and extracting sensitive files, experts warned.
Google Threat Intelligence Group (GTIG) published a new report detailing the recent work of UNC6508, a People’s Republic of China (PRC) nexus threat actor that allegedly managed to exploit external Research Electronic Data Capture (REDCap) servers to deploy a custom piece of malware called INFINITERED.
Through this malware they stole login credentials, which gave them access to the servers’ contents and let them remain undetected for more than a year. They then moved laterally through the network, extracting sensitive data using a novel technique: manipulating domain content compliance rules.
“Patriot”
Google says content compliance rules are a “legitimate feature present in many cloud-based enterprise productivity suites.” Using administrator accounts, the attackers created specific rules that act on email messages containing predefined sets of matching words, phrases, and text patterns.
They named the rule “Patroit” and configured it to BCC certain emails to Gmail addresses controlled by the actors.
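One way a defender can review mail rules for this kind of abuse, as an added example that is not code from Google’s report or the article: flag any content compliance rule that copies matching mail to a recipient outside the organization’s domains, and call out consumer webmail targets and overly broad match conditions. The rule structure, field names and sample rules below are constructed for illustration and do not reflect any real export format.

```python
"""Audit mail content-compliance rules for external BCC/forwarding targets.

Added example, not from Google's report or TechRadar's article. The Rule
fields (name, conditions, add_recipients, created_by) are hypothetical;
the organization domain and sample rules are constructed test data.
"""
from dataclasses import dataclass, field

ORG_DOMAINS = {"example-hospital.org"}  # constructed: the tenant's own domains
# Consumer webmail domains that should never receive copies of internal mail
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


@dataclass
class Rule:
    name: str
    conditions: list[str]  # words/phrases/patterns the rule matches on
    add_recipients: list[str] = field(default_factory=list)  # BCC/forward targets
    created_by: str = ""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def audit_rule(rule: Rule) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    for addr in rule.add_recipients:
        dom = domain_of(addr)
        if dom in CONSUMER_DOMAINS:
            findings.append(f"{rule.name}: copies mail to consumer mailbox {addr}")
        elif dom not in ORG_DOMAINS:
            findings.append(f"{rule.name}: copies mail outside the org to {addr}")
    # A single, generic match term plus an added recipient is a broad mail sink
    if rule.add_recipients and len(rule.conditions) <= 1:
        findings.append(f"{rule.name}: broad match {rule.conditions} with recipient addition")
    return findings


def audit(rules: list[Rule]) -> list[str]:
    """Audit every rule and return all findings in rule order."""
    return [f for r in rules for f in audit_rule(r)]


SAMPLE_RULES = [  # constructed sample data
    Rule("Legal hold archive", ["subpoena", "litigation"],
         ["legal-archive@example-hospital.org"], "compliance-admin"),
    Rule("Patroit", ["grant", "trial", "protocol"],
         ["collector.constructed@gmail.com"], "admin-svc"),
    Rule("Invoices", ["invoice"], ["ap@partner-constructed.net"], "admin-svc"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running the audit against a regular export of rules, and alerting on any new rule whose recipient additions leave the organization, turns the attacker’s exfiltration path into a detection opportunity.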
Google has since disabled the Gmail accounts associated with this threat actor and this campaign.
In the blog post, the researchers gave a fairly extensive list of steps administrators should take to protect against UNC6508 and similar actors, including enforcing phishing-resistant two-factor authentication, enrolling highly sensitive accounts in the Advanced Protection Program, and enforcing device-bound session credentials with CAA for highly sensitive accounts to prevent cookie theft.
“The campaign targeted a diverse set of national, state and private medical entities,” Google emphasized. “These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory agencies.”
“Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military preparedness. They employ thousands of people with a combined research budget of billions of dollars.”