China Exploits Google Email Rules for Year-Long Data Theft from U.S. Medical Research Institutions
A sophisticated cyber espionage campaign attributed to the threat actor known as “UNC6508” has raised alarms within the cybersecurity community. This campaign, which began in September 2023, has targeted North American academic, medical, and military research institutions, exploiting vulnerabilities in Google Workspace to siphon sensitive information over an extended period. The implications of this breach are profound, affecting not only the institutions involved but also national security interests.
The Target: Research Institutions with Military Connections
UNC6508’s focus was not on traditional defense contractors or government agencies. Instead, the group targeted a range of medical research institutions, including world-renowned clinical providers and premier academic centers. These organizations, which also include North American military health institutions and regulatory bodies, possess research budgets that collectively amount to billions of dollars. Their work intersects with national security issues, including military readiness and public health policy.
The targeting of these institutions aligns with historical patterns of espionage linked to the People’s Republic of China, as outlined by the Google Threat Intelligence Group (GTIG). The group identified UNC6508’s collection priorities, which included national security, artificial intelligence, and medical research, indicating a strategic focus on areas critical to both defense and public health.
The Entry Point through REDCap
A key aspect of UNC6508’s strategy involved exploiting the Research Electronic Data Capture (REDCap) platform, widely used across the North American medical research community. This web-based tool is designed for managing online databases and surveys, compliant with medical research regulations.
While GTIG could not confirm the exact method of initial access, it noted that UNC6508 was probing for vulnerable legacy versions of REDCap. By exploiting a feature that allows administrators to run older software versions alongside current ones, the attackers effectively turned the platform’s own flexibility against its operators. Once inside the REDCap server, the attackers conducted internal reconnaissance, discovered credentials, and deployed a web shell for persistent access.
The Malware Dubbed INFINITERED
Three months after the initial breach, UNC6508 deployed a custom malware payload named INFINITERED, specifically designed for REDCap environments. This malware was engineered to survive software upgrades, ensuring its persistence within the system.
INFINITERED operates through three modular components. The first is a dropper that intercepts the upgrade process, injecting the malware’s code into new versions of the software. The second component is a credential harvester that captures usernames and passwords during login, encrypting them and storing them within a legitimate REDCap database. The third is a backdoor embedded in REDCap’s custom hooks system, allowing the attackers to execute arbitrary commands and retrieve stolen credentials.
This malware remained undetected for over a year, continuously harvesting sensitive information while evading standard security measures.
A Compliance Rule Named “Patroit”
More than a year after the initial compromise, UNC6508 leveraged the credentials obtained from REDCap to access a domain administrator account. They implemented a novel technique by abusing enterprise email content compliance rules within Google Workspace. These rules are legitimate administrative features designed to manage emails containing specific keywords.
UNC6508 created a compliance rule named “Patroit,” which, notably, contained a misspelling. This rule was configured to silently BCC matching emails to a Gmail address controlled by the attackers. This method allowed for a continuous stream of exfiltrated intelligence without generating anomalous outbound connections, making it difficult to detect. The only forensic evidence left behind was the compliance rule itself, which often goes unmonitored in administrative panels.
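The check a defender would run against a periodic export of mail routing and content compliance rules, flagging any rule that silently copies matching mail outside the organization. This is an added example, not code from the article, from Google, or from GTIG; the record layout, the internal domain and the sample rules are constructed for this example and do not mirror any Google API schema.

```python
"""Audit exported Google Workspace compliance rules for external BCC actions.

Added example for this article. Assumption: an administrator has exported the
tenant's compliance rules into the simplified record shape below; the field
names are this example's own, not a Google Admin API schema.
"""

# Domains the organization legitimately owns (assumed for this example).
INTERNAL_DOMAINS = {"example-medresearch.edu"}

# Consumer webmail providers where an exfiltration mailbox is cheap to obtain.
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Constructed sample export: one legitimate rule, one modelled on "Patroit",
# and one rule with no delivery action at all.
SAMPLE_RULES = [
    {"name": "Archive HR mail", "keywords": ["payroll"],
     "actions": {"bcc": ["archive@example-medresearch.edu"]}},
    {"name": "Patroit", "keywords": ["clinical trial", "grant", "DoD"],
     "actions": {"bcc": ["random.mailbox.1234@gmail.com"]}},
    {"name": "Block large attachments", "keywords": [],
     "actions": {"reject": True}},
]


def _domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.strip().rsplit("@", 1)[-1].lower()


def find_external_bcc_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (rule name, external recipients, severity) for every rule whose
    BCC or forward action delivers matching mail outside internal_domains.
    Severity is 'high' when any recipient sits at a consumer webmail provider,
    the pattern described in the article, otherwise 'medium'."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        recipients = list(actions.get("bcc", [])) + list(actions.get("forward", []))
        external = [r for r in recipients if _domain(r) not in internal_domains]
        if not external:
            continue
        severity = "high" if any(_domain(r) in CONSUMER_WEBMAIL for r in external) else "medium"
        findings.append((rule["name"], external, severity))
    return findings


if __name__ == "__main__":
    for name, recipients, severity in find_external_bcc_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {name!r} copies matching mail to {recipients}")
```

Run on a fresh export after every admin-account change as well as on a schedule; the rule itself is the only artifact this technique leaves, so the review has to look at the rule inventory rather than at network telemetry.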
Operations Security
UNC6508 demonstrated a high level of operational security by utilizing U.S.-based obfuscation networks. They routed traffic through compromised routers, residential proxies, and virtual private servers when accessing both the exfiltration Gmail account and the compromised enterprise administrator account. The attackers also acquired the Gmail account through a mass account creation service, dedicating it solely to email exfiltration. Despite several spelling errors in the keyword list, the operational discipline maintained by UNC6508 for over two years has significantly complicated attribution efforts.
The implications of this breach extend beyond the immediate theft of data. The targeting of medical research institutions raises critical concerns about national security and the integrity of sensitive information. As cyber threats continue to evolve, organizations must remain vigilant and proactive in their cybersecurity measures.
Source: thecyberexpress.com