
Chinese Hackers Exploited Google Workspace Rules for Data Exfiltration from Research Networks


Bottom line: Attackers remained hidden in research networks for over a year and diverted research and defense emails through configured Google Workspace rules instead of using classic exfiltration channels.

A China-linked espionage group infiltrated North American medical, scientific, and defense networks via backdoors on REDCap servers and used manipulated Google Workspace email rules for data exfiltration.

A China-linked espionage group infiltrated networks at North American medical, university, and defense institutions. The compromise remained active for longer than a year and enabled the theft of confidential research and defense correspondence.

Initial access was achieved through a backdoor on REDCap servers, a widely used platform for clinical research data management. Through this backdoor, credentials were compromised and leveraged for lateral movement into Google Workspace environments.

What is notable is the exfiltration method: the attackers reconfigured forwarding rules in the compromised Google Workspace accounts so that messages were automatically redirected to external addresses. Because the mail left through the victims’ own email infrastructure, the activity produced none of the bulk-transfer traffic that traditional exfiltration patterns such as data transfer over network channels generate, which made forensic detection more difficult.

For CISOs, this case underscores the importance of monitoring email forwarding rules and enforcing access controls on configuration changes in cloud collaboration services. The use of REDCap environments as an entry point calls for additional segmentation and monitoring of critical research infrastructure.
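One way to operationalize that monitoring, as an added example that is not part of the article or of the source report: a scan of each user's Gmail forwarding configuration that flags destinations outside the organization's own domains. The dict shapes mirror the Gmail API responses for users.settings.getAutoForwarding and users.settings.filters.list; the organization domains, user names and rule contents are constructed assumptions.

```python
# Added example (not from the article): flag per-user Gmail forwarding
# settings whose destination lies outside the organization's own domains.
# Dict shapes follow the Gmail API responses for users.settings.getAutoForwarding
# and users.settings.filters.list; ORG_DOMAINS and the sample data are constructed.
from dataclasses import dataclass

ORG_DOMAINS = {"research.example"}  # assumption: domains the org owns


@dataclass
class Finding:
    user: str
    kind: str         # "auto_forwarding" or "filter"
    destination: str
    hides_copy: bool  # rule also removes the message from INBOX or trashes it


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organization owns."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_user(user: str, auto_forwarding: dict, filters: dict) -> list:
    """Return a Finding for every rule that sends this user's mail out of the org."""
    findings = []
    dest = auto_forwarding.get("emailAddress")
    if auto_forwarding.get("enabled") and dest and is_external(dest):
        findings.append(Finding(user, "auto_forwarding", dest, False))
    # Filters are the quieter variant: they forward only matching mail and can
    # archive or trash the original so the mailbox owner never notices it.
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        dest = action.get("forward")
        if dest and is_external(dest):
            hides = ("INBOX" in action.get("removeLabelIds", [])
                     or "TRASH" in action.get("addLabelIds", []))
            findings.append(Finding(user, "filter", dest, hides))
    return findings


def audit_sample() -> list:
    """Run the audit over constructed settings for two users."""
    clean = audit_user("alice@research.example",
                       {"enabled": True, "emailAddress": "archive@research.example"},
                       {"filter": []})
    suspicious = audit_user("bob@research.example", {"enabled": False}, {"filter": [{
        "id": "f1", "criteria": {"query": "grant OR contract OR defense"},
        "action": {"forward": "backup@mail-relay.invalid", "removeLabelIds": ["INBOX"]},
    }]})
    return clean + suspicious
```

In a real deployment the two dicts per user come from the Gmail API under a domain-wide delegated service account, and findings should be correlated with the admin audit log so that a rule's creation time and creating principal are recorded alongside it.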


Source: thehackernews.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
