At a glance: Attackers establish access to research systems and deliberately wait extended periods before exploiting it, in order to avoid detection.
Chinese-linked attackers embedded themselves in REDCap servers at research institutions and waited over a year before using their position for data exfiltration. The approach demonstrates a temporally distributed attack strategy designed to circumvent detection mechanisms.
Security investigations have revealed that Chinese-linked attackers compromised REDCap (Research Electronic Data Capture) instances operated at research institutions. The attackers established access but only actively exploited it after more than a year, a pattern characteristic of longer-term reconnaissance operations.
REDCap is a web-based system for capturing and managing clinical and epidemiological research data. At universities and research institutes, it frequently hosts sensitive information such as patient data, research findings, or biomechanical access credentials. The prolonged waiting period before exploitation suggests a deliberate methodology: the attackers avoid short-term visible activity and temporally concentrated access patterns so as to evade detection by security tools and by manual analysis.
For CISOs, this case demonstrates that focusing solely on rapid attack detection is insufficient. Longer-term visibility into access patterns, out-of-band communications, and account and permission changes, even over weeks and months, requires continuous monitoring. Research institutions should audit REDCap systems for unauthorized configuration changes, administrator activities, and data queries.
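The recommendation above is about looking at access over long windows rather than at bursts of activity. As an added illustration, not code from heise.de or from the REDCap project, the following script flags accounts that were quiet for months and then suddenly performed a sensitive action (data export, role change, configuration change, API token creation). The audit-log line format, the event labels and the 180-day dormancy threshold are all constructed assumptions for this example; REDCap's own logging tables are not modelled.

```python
"""Flag long-dormant accounts that suddenly perform sensitive actions.

Added example. The log format, event names and threshold below are
constructed for illustration and are not REDCap's own schema.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Event types treated as high-value for a research-data system (assumed labels).
SENSITIVE_EVENTS = {"DATA_EXPORT", "ROLE_CHANGE", "CONFIG_CHANGE", "API_TOKEN_CREATE"}

# Constructed sample audit log: "<ISO timestamp> <user> <event> <detail>".
# svc_backup is created, logs in once, then goes silent for over a year
# before exporting data and minting an API token in the early hours.
SAMPLE_LOG = """\
2024-01-15T08:00:00Z bob CONFIG_CHANGE setting=auth_meth
2024-03-01T09:12:00Z svc_backup USER_CREATE created_by=bob
2024-03-02T10:05:00Z svc_backup LOGIN src=10.0.4.7
2024-03-04T11:00:00Z alice LOGIN src=10.0.2.15
2024-03-11T11:30:00Z alice DATA_EXPORT project=42
2024-04-02T09:00:00Z bob LOGIN src=10.0.2.20
2024-06-01T09:30:00Z bob ROLE_CHANGE target=alice role=project_admin
2025-05-10T03:14:00Z svc_backup DATA_EXPORT project=42
2025-05-10T03:20:00Z svc_backup API_TOKEN_CREATE project=42
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts, user, event = parts[:3]
        detail = parts[3] if len(parts) > 3 else ""
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "event": event,
            "detail": detail,
        })
    return sorted(records, key=lambda r: r["ts"])


def find_dormant_reactivations(records: list[dict], min_gap_days: int = 180,
                               sensitive: set[str] = SENSITIVE_EVENTS) -> list[dict]:
    """Return sensitive events preceded by at least min_gap_days of silence
    from the same account. Gap is measured in calendar days so that the
    check is independent of time of day."""
    last_seen: dict[str, datetime] = {}
    findings = []
    for r in records:
        prev = last_seen.get(r["user"])
        if prev is not None:
            gap = (r["ts"].date() - prev.date()).days
            if gap >= min_gap_days and r["event"] in sensitive:
                findings.append({
                    "user": r["user"],
                    "event": r["event"],
                    "gap_days": gap,
                    "ts": r["ts"].isoformat(),
                    "detail": r["detail"],
                })
        last_seen[r["user"]] = r["ts"]
    return findings


def account_activity_summary(records: list[dict]) -> dict[str, dict]:
    """Per-account first/last activity and counts, the long-window view that
    a short-horizon alerting pipeline does not give you."""
    summary: dict[str, dict] = {}
    for r in records:
        s = summary.setdefault(r["user"], {
            "first_seen": r["ts"], "last_seen": r["ts"], "events": 0, "sensitive": 0,
        })
        s["first_seen"] = min(s["first_seen"], r["ts"])
        s["last_seen"] = max(s["last_seen"], r["ts"])
        s["events"] += 1
        if r["event"] in SENSITIVE_EVENTS:
            s["sensitive"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_dormant_reactivations(recs):
        print(f"ALERT {hit['user']}: {hit['event']} after {hit['gap_days']} "
              f"quiet days at {hit['ts']} ({hit['detail']})")
    for user, s in account_activity_summary(recs).items():
        span = (s["last_seen"].date() - s["first_seen"].date()).days
        print(f"{user}: {s['events']} events, {s['sensitive']} sensitive, "
              f"active span {span} days")
```

Run against a real audit export the detector needs only a parser adapted to the local log format; the dormancy threshold should be tuned to the institution's own baseline, since research accounts can legitimately sit idle between study phases, and a hit is a prompt for review of the account's provenance and permissions rather than proof of compromise.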
Source: www.heise.de · Published 16 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.