Chinese hackers used Google Workspace rules to steal research and defence emails

Colleagues, please note: a campaign targeting mailboxes in medical, academic and military research networks has been identified.
GTIG links it to UNC6508: operators (2023–2025) deployed the INFINITERED backdoor to external REDCap servers and exfiltrated credentials. With admin rights they created a Google Workspace content‑compliance rule that BCC‑copied matching messages to their address.
Recommendations: patch and remove legacy REDCap instances, review forwarding/content‑compliance rules, audit admin logs and enable phishing‑resistant MFA.
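As an added illustration of the "audit admin logs" step (example code, not from the post or from GTIG), a Python check over Admin audit activity records that flags Gmail setting changes whose new value names a mailbox outside the tenant's own domains, with an off-hours marker as a secondary signal. The record shape follows the Reports API activities list; the event names CREATE_GMAIL_SETTING and CHANGE_GMAIL_SETTING, the parameter names, the org domain and the sample records are assumptions constructed for this example.

```python
import re
from datetime import datetime

# Assumption: the tenant's own mail domains; anything else counts as external.
ORG_DOMAINS = {"example-research.org"}
GMAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records in the shape of Reports API admin-audit activities
# (applicationName="admin"); the event and parameter names are assumptions.
SAMPLE_RECORDS = [
    {"id": {"time": "2025-03-02T01:14:09Z"},
     "actor": {"email": "admin@example-research.org"},
     "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "CONTENT_COMPLIANCE"},
         {"name": "NEW_VALUE", "value": "match REDCap OR grant; deliver and "
                                        "bcc collector@attacker-mail.example"}]}]},
    {"id": {"time": "2025-03-02T10:30:00Z"},
     "actor": {"email": "admin@example-research.org"},
     "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "ROUTING"},
         {"name": "NEW_VALUE", "value": "route to quarantine@example-research.org"}]}]},
    {"id": {"time": "2025-03-02T11:00:00Z"},
     "actor": {"email": "admin@example-research.org"},
     "events": [{"name": "USER_LICENSE_ASSIGNMENT", "parameters": []}]},
]

def external_addresses(text, org_domains):
    """Addresses in text whose domain is not one of org_domains, sorted."""
    return sorted({a for a in ADDR_RE.findall(text)
                   if a.rsplit("@", 1)[1].lower() not in org_domains})

def flag_exfil_rules(records, org_domains=ORG_DOMAINS):
    """Flag Gmail setting changes whose new value names an external mailbox;
    off_hours marks changes outside 07:00-21:00 UTC as a secondary signal."""
    findings = []
    for rec in records:
        when = datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))
        for ev in rec.get("events", []):
            if ev.get("name") not in GMAIL_SETTING_EVENTS:
                continue  # not a Gmail routing / compliance change
            params = {p["name"]: str(p.get("value", "")) for p in ev.get("parameters", [])}
            ext = external_addresses(params.get("NEW_VALUE", ""), org_domains)
            if ext:
                findings.append({"time": when.isoformat(), "setting": params.get("SETTING_NAME", "?"),
                                 "actor": rec.get("actor", {}).get("email", "?"),
                                 "external": ext, "off_hours": not 7 <= when.hour < 21})
    return findings
```

Every finding still needs a human decision: a legitimate archiving or legal-hold rule can also BCC an outside address, so compare each hit against the change-management record for that setting.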
Why it matters: native cloud features can become covert data exfiltration channels.
What will you check first?
#cybersecurity #emailsecurity #GoogleWorkspace #REDCap
