Chinese Espionage Exploits Google Workspace to Steal Military Data

UNC6508 group used Gmail rules to exfiltrate sensitive information for over a year, targeting REDCap servers in North America.

June 17, 2026 · 3 min read

TL;DR: The Chinese espionage group UNC6508 used a legitimate Google Workspace feature (Gmail forwarding rules) to exfiltrate data from REDCap servers at military and medical institutions in North America for over a year.

What Happened?

According to an exclusive report by The Next Web, the Chinese espionage group UNC6508 has been targeting REDCap (Research Electronic Data Capture) servers at medical, academic, and military institutions in North America. REDCap is a widely used web platform for capturing and managing data in clinical research, military trials, and academic studies. Developed by Vanderbilt University, REDCap is used by over 4,500 institutions worldwide, including hospitals, universities, and government agencies.

Attackers exploited a security vulnerability in REDCap (possibly SQL injection or an authentication flaw, though exact details have not been publicly disclosed) to gain initial access to the servers. Once inside, they used a legitimate Google Workspace feature: automatic forwarding rules in Gmail. They configured these rules to copy incoming and outgoing emails containing keywords related to defense, military research, or personal health data and forward them to email accounts controlled by the attackers.

This exfiltration method is particularly stealthy because the resulting traffic is indistinguishable from legitimate organizational traffic: it travels over Google's own infrastructure, from the organization's own mailboxes, using a feature the organization has enabled.

Why Is It Important?

This attack stands out for its sophistication and persistence: the intruders remained in the networks for over a year without detection, between early 2025 and mid-2026, according to the report. Using a native Google Workspace feature for exfiltration is a novel tactic that bypasses traditional security tools such as firewalls and intrusion detection systems, which typically focus on external malicious traffic. By leveraging a legitimate functionality, the attackers exploit the trust organizations place in cloud services.

Moreover, the stolen data includes classified defense information, military emails, and clinical research data on experimental treatments, posing a serious risk to national security and intellectual property. Compared to previous attacks, such as the APT10 group's similar living-off-the-land (LotL) techniques in 2018, this incident shows an evolution in Chinese espionage tactics, which now integrate legitimate cloud services as an attack vector.

What Will Be the Consequences?

This incident is expected to lead to a thorough review of security policies for Google Workspace usage, especially in government and defense environments. Organizations will need to implement stricter controls on forwarding rules, such as prohibiting automatic forwarding to external domains, and monitor email traffic for anomalies using User and Entity Behavior Analytics (UEBA) tools. In the long term, it could increase regulatory pressure on cloud collaboration platforms to offer more robust insider threat detection tools, such as real-time alerts on changes to forwarding rules. Additionally, this attack may accelerate the adoption of Zero Trust architectures, where no traffic, even originating within the network, is considered trustworthy by default. For REDCap, developers are expected to release security patches, and institutions will reassess their servers' exposure to the internet.

What Should Readers Know?

  • The UNC6508 group has been linked to the Chinese government and has focused its attacks on REDCap servers, a medical and military research platform storing highly sensitive data.
  • Exfiltration was carried out via automatic forwarding rules in Google Workspace, a legitimate feature that attackers configured to copy emails with sensitive data to external accounts.
  • The attack lasted over a year and affected North American networks, including military and defense institutions, as well as academic medical centers conducting government-funded research.
  • Organizations should review forwarding rules in their Google Workspace accounts and consider implementing security solutions that detect anomalous behavior in email traffic, such as data exfiltration through legitimate channels.

Recommendations

To mitigate such threats, it is recommended to:

  • Periodically audit forwarding rules in all Google Workspace accounts and disable automatic forwarding to external domains.
  • Implement security alerts for suspicious forwarding rules via the Google Workspace Alert Center or SIEM tools.
  • Use multi-factor authentication and risk-based access controls for accounts with administrative privileges.
  • Segment networks and limit access to REDCap to authorized users only, preferably via VPN or secure remote access.
  • Educate employees about the risks of collaboration features and the importance of reporting unauthorized forwarding rules.
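The audit in the first recommendation is easy to automate once the mailbox settings are in hand. The following script is an added example, not code from the article, from Google, or from the REDCap project: it walks per-user records shaped like the Gmail API `users.settings.filters` and `users.settings.forwardingAddresses` resources and flags every filter action or verified forwarding address whose destination lies outside the organization's own domains. The organization domains, the user names and the records themselves are constructed for the example; in a real deployment the records would be pulled through a domain-wide delegated service account with read-only settings scope, and the findings fed to the SIEM.

```python
"""Flag Gmail filters and forwarding addresses that send mail to external domains.

Added example (not the article's or Google's code). The record shapes follow the
Gmail API filter and forwardingAddress resources as an assumption; the sample
data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Domains the organization owns (constructed); any other destination is external.
INTERNAL_DOMAINS = {"example-hospital.org", "research.example-hospital.org"}

# Constructed sample input: one entry per mailbox, as an admin export would produce.
SAMPLE_SETTINGS = {
    "alice@example-hospital.org": {
        "filters": [
            # Benign: labels HR mail, no forward action.
            {"id": "f1", "criteria": {"from": "hr@example-hospital.org"},
             "action": {"addLabelIds": ["Label_7"]}},
            # Suspicious: keyword-driven copy to an address outside the organization.
            {"id": "f2", "criteria": {"query": "defense OR trial OR PHI"},
             "action": {"forward": "archive@mail-collect.example"}},
        ],
        "forwardingAddresses": [
            {"forwardingEmail": "archive@mail-collect.example",
             "verificationStatus": "accepted"},
        ],
    },
    "bob@example-hospital.org": {
        "filters": [
            # Benign: forwards to a mailbox on an organization sub-domain.
            {"id": "f3", "criteria": {"to": "bob@example-hospital.org"},
             "action": {"forward": "bob.shared@research.example-hospital.org"}},
        ],
        "forwardingAddresses": [],
    },
}


@dataclass(frozen=True)
class Finding:
    user: str       # mailbox whose settings were inspected
    kind: str       # "filter" or "forwarding_address"
    target: str     # external address mail would be copied to
    detail: str     # criteria or verification status, for the analyst


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal: Iterable[str] = INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one the organization owns."""
    return domain_of(address) not in {d.lower() for d in internal}


def audit_user(user: str, settings: dict, internal=INTERNAL_DOMAINS) -> list[Finding]:
    """Inspect one mailbox's filters and forwarding addresses for external targets."""
    findings: list[Finding] = []
    for flt in settings.get("filters", []):
        target = flt.get("action", {}).get("forward")
        if target and is_external(target, internal):
            crit = flt.get("criteria", {})
            findings.append(Finding(user, "filter", target,
                                    f"id={flt.get('id')} criteria={crit}"))
    for fa in settings.get("forwardingAddresses", []):
        target = fa.get("forwardingEmail", "")
        if target and is_external(target, internal):
            findings.append(Finding(user, "forwarding_address", target,
                                    f"status={fa.get('verificationStatus')}"))
    return findings


def audit_domain(all_settings: dict, internal=INTERNAL_DOMAINS) -> list[Finding]:
    """Run audit_user over every mailbox and collect the findings."""
    findings: list[Finding] = []
    for user, settings in all_settings.items():
        findings.extend(audit_user(user, settings, internal))
    return findings


if __name__ == "__main__":
    for f in audit_domain(SAMPLE_SETTINGS):
        print(f"{f.user}: {f.kind} -> {f.target} ({f.detail})")
```

Run against the constructed data, the script reports two findings for alice (the keyword filter and the verified external forwarding address) and none for bob, whose forward stays inside an organization sub-domain. A filter whose criteria is a keyword query rather than a specific sender is worth weighting higher in the SIEM, since that is the shape the article describes.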