A built-in Google Workspace feature became a Chinese espionage group’s favourite exfiltration tool
TL;DR
China-linked UNC6508 backdoored REDCap servers at US and Canadian research institutions, then used Google Workspace mail rules to steal email.
A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks, stealing sensitive data and defence email. The attackers got in through a backdoor on REDCap research servers. The exfiltration method was the unusual part: they rewired the victims’ own Google Workspace rules to copy matching messages to an inbox they controlled.
Google’s Threat Intelligence Group laid out the campaign in a report published this week, attributing it with high confidence to a cluster it tracks as UNC6508. The victims span clinical providers, academic centres, military health institutions, advocacy groups, and health regulators across the United States and Canada. Google says it notified the affected organisations and disrupted the group’s infrastructure.
UNC6508 is not a new name. Google first surfaced the group...
Copyright of this story solely belongs to thenextweb.com.