Chinese-linked hackers targeted U.S., Canadian research facilities for a year, Google says

By AJ Vicens

June 15 (Reuters) - A Chinese-linked hacking group spent more than a year secretly stealing data from U.S. and Canadian academic, medical and military research institutions, before being detected, Google said on Monday.

Between September 2023 and November 2025, the hackers sought information related to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs and medical research, Google’s Threat Intelligence Group said in a report.

Google did not name the targeted organizations, but said their work covered a broad range of fields, from drug discovery and clinical trials to public health policy and military readiness, and that they collectively employ thousands of people with a combined research budget running into the billions of dollars.

Google has attributed the campaign to a hacking group it calls UNC6508, a relatively new and little-known cyberespionage player. Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said the organization's methods are broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government.

The Chinese Embassy in Washington did not immediately respond to a request for comment. Beijing regularly denies carrying out or condoning illicit hacking activity.

The earliest known activity tied to the campaign dates to September 2023, when the hackers exploited vulnerabilities in servers running REDCap, a web application widely used by nonprofits to build and manage online surveys and databases. Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to gain access to the targeted networks. They then set up a system to automatically forward emails containing any of nearly 150 keywords and search terms to a Gmail account they controlled, the researchers said.

REDCap did not respond to a request for comment.

The keywords and search terms included phone numbers and email addresses for people at targeted organizations, as well as terms related to geo-strategic policy, military strategy, advanced technology, and medical research.

Google eventually identified multiple compromised organizations across the U.S. and Canada and notified each of them, the researchers said.

(Reporting by AJ Vicens in Detroit; Editing by Sanjeev Miglani)