Google's Threat Intelligence Group disclosed that a hacking operation linked to China infiltrated research institutions across the United States and Canada for more than a year before detection. The campaign - attributed by Google to a group it calls UNC6508 - ran from September 2023 until November 2025, and focused on collecting information spanning defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs and medical research.
The data collection, according to Google's report, reached organizations engaged in drug discovery, clinical trials, public health policy and military readiness. Google said these institutions employ thousands of people and operate with combined research budgets that reach into the billions of dollars.
Researchers from Google's Threat Intelligence Group said UNC6508 is a relatively new and not widely recognized actor in cyberespionage, but its tactics mirror patterns long associated with Chinese-linked operations. Luke McNamara, deputy chief analyst at the group, said the group's methods are broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government.
The earliest activity tied to this campaign dates to September 2023. Google reported that the attackers exploited vulnerabilities in servers running REDCap, a web application commonly used by nonprofit organizations to create and manage online surveys and databases. Using bespoke malicious software, the hackers obtained legitimate REDCap login credentials and used those credentials to penetrate targeted networks.
Once inside, the attackers implemented an automated system to siphon potentially valuable communications. Google said the intruders set up a process that forwarded emails containing nearly 150 specific keywords and search terms to a Gmail account they controlled. The keyword set included contact details such as phone numbers and email addresses for people at the targeted institutions, as well as terms connected to geo-strategic policy, military planning, advanced technology and medical research.
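As an added illustration of the collection mechanism described above (not code from Google's report or from REDCap), here is a small Python triage routine that flags mailbox rules which auto-forward keyword-matched mail to external webmail accounts; the rule schema, the domain `lab.example`, the sample rules and the 20-keyword threshold are all constructed assumptions.

```python
# Flag mailbox rules that auto-forward keyword-matched mail to external webmail
# accounts, the pattern described in Google's UNC6508 report. Added example;
# the rule schema, org domain and sample data are constructed, not a real
# product's format or real data.
from dataclasses import dataclass, field

FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

@dataclass
class MailRule:
    owner: str                      # mailbox the rule lives in
    forward_to: list                # addresses the rule forwards to
    keywords: list = field(default_factory=list)  # subject/body match terms
    delete_after: bool = False      # hides the forwarded copy from the owner

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def assess_rule(rule: MailRule, org_domain: str, keyword_threshold: int = 20) -> list:
    """Return the reasons a rule looks like automated exfiltration (empty = clean).
    The 20-keyword threshold is an assumed tuning value, not from the report."""
    reasons = []
    external = [a for a in rule.forward_to if _domain(a) != org_domain.lower()]
    if not external:
        return reasons              # internal forwarding is ordinary business use
    reasons.append(f"forwards outside {org_domain}: {', '.join(external)}")
    if any(_domain(a) in FREE_WEBMAIL for a in external):
        reasons.append("destination is a free webmail account")
    if len(rule.keywords) >= keyword_threshold:
        reasons.append(f"{len(rule.keywords)} keyword conditions (broad collection)")
    if rule.delete_after:
        reasons.append("deletes the original, hiding the forward from the owner")
    return reasons

def find_suspicious(rules, org_domain, keyword_threshold=20):
    """Map rule owner -> reasons for every rule that trips at least two indicators."""
    hits = {}
    for r in rules:
        reasons = assess_rule(r, org_domain, keyword_threshold)
        if len(reasons) >= 2:
            hits[r.owner] = reasons
    return hits

# Constructed sample rules (not real data): one benign, one matching the pattern.
SAMPLE_RULES = [
    MailRule("alice@lab.example", ["assistant@lab.example"], ["invoice"]),
    MailRule("bob@lab.example", ["collect.drop@gmail.com"],
             [f"term{i}" for i in range(150)], delete_after=True),
]

if __name__ == "__main__":
    for owner, why in find_suspicious(SAMPLE_RULES, "lab.example").items():
        print(owner, "->", "; ".join(why))
```

In practice the rule records would be pulled from the mail platform's admin API and the same checks applied to each mailbox, with internal-only rules left alone.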
Google said it ultimately identified multiple compromised organizations across the U.S. and Canada and notified each one. The company did not disclose the identities of the targeted institutions.
The Chinese Embassy in Washington did not immediately respond to a request for comment, the report noted. The report also noted that Beijing regularly denies carrying out or condoning illicit hacking activity.
Context and implications
- The campaign targeted a mix of academic, medical and military research, indicating cross-sector interest in the stolen material.
- Techniques involved exploiting a widely used research tool - REDCap - and harvesting legitimate credentials rather than relying solely on zero-day exploits.
- Automated email monitoring tied to a sizeable keyword list suggests a broad intelligence collection effort rather than narrow, case-by-case intrusions.
Google's disclosure provides a detailed account of the intrusion methods and the breadth of topics targeted, but it did not identify the affected organizations or quantify the precise volume of data exfiltrated. The company has attributed the campaign to UNC6508 based on its analysis of tactics, techniques and procedures.