
Google revealed Monday that a hacking group linked to China spent more than a year covertly stealing data from academic, medical, and military research institutions in the United States and Canada before anyone detected the intrusion.
According to Google’s Threat Intelligence Group, the operation ran from September 2023 through November 2025. During that time, the hackers pursued information tied to defense intelligence, military strategy in the Indo-Pacific region, artificial intelligence, unmanned vehicles, cyber warfare programs, and medical research.
While Google declined to identify the specific organizations that were targeted, the company said the victims collectively work across a wide range of fields — including drug discovery, clinical trials, public health policy, and military readiness. Together, these institutions employ thousands of workers and manage research budgets totaling billions of dollars.
Google has attributed the operation to a hacking group it refers to as UNC6508, described as a relatively new and little-known cyberespionage actor. Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, noted that the group’s tactics align broadly with Chinese-linked hacking behavior observed over many years — behavior focused on collecting information likely to be of value to the Chinese government.
The Chinese Embassy in Washington did not respond to a request for comment. China has consistently denied involvement in or support for unauthorized hacking operations.
The earliest confirmed activity in this campaign traces back to September 2023, when the hackers exploited security flaws in servers running REDCap, a web-based application widely used by research institutions and nonprofits to build and manage online surveys and databases. Using custom malicious software, the attackers harvested legitimate REDCap login credentials and used them to access the targeted networks.
Once inside, they configured email forwarding rules that automatically sent any message containing one of nearly 150 specific keywords and search terms to a Gmail account under their control. Those terms included phone numbers and email addresses of individuals at the targeted organizations, along with language related to geopolitical strategy, military planning, advanced technology, and medical research.
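The collection pattern described above, a mailbox rule that matches a long list of keywords and forwards the hits to an outside webmail account, is something a defender can hunt for directly in exported inbox rules. The script below is an added example written for this page, not code from Google's report, from REDCap, or from the affected institutions. It assumes a simplified rule shape (mailbox, rule name, forward-to addresses, keyword conditions), an organisation whose own mail domain is the assumed `research.example.edu`, and a set of sample rules constructed here for illustration; any real export would need to be mapped into the `InboxRule` shape first.

```python
"""Triage exported mailbox rules for keyword-triggered forwarding to external addresses.

Added example. Assumptions (not from the article): rules are exported into the
InboxRule shape below, the organisation's own mail domains are listed in
INTERNAL_DOMAINS, and SAMPLE_RULES is constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed: the organisation's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"research.example.edu"}
# A forward to a free webmail provider is a stronger signal than one to a partner org.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# A rule with this many "contains" terms looks like bulk collection, not personal triage.
BULK_KEYWORD_THRESHOLD = 20


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list[str]
    keywords: list[str] = field(default_factory=list)  # subject/body "contains" terms
    enabled: bool = True


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reasons: list[str]


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def external_recipients(rule: InboxRule) -> list[str]:
    """Forward targets whose domain is not one of ours."""
    return [a for a in rule.forward_to if mail_domain(a) not in INTERNAL_DOMAINS]


def assess_rule(rule: InboxRule) -> Optional[Finding]:
    """Score one rule; None means it forwards nowhere external or is switched off."""
    external = external_recipients(rule)
    if not external or not rule.enabled:
        return None
    reasons = [f"forwards to external recipient(s): {', '.join(external)}"]
    severity = "medium"
    if any(mail_domain(a) in FREE_WEBMAIL for a in external):
        severity = "high"
        reasons.append("destination is a free webmail account")
    if len(rule.keywords) >= BULK_KEYWORD_THRESHOLD:
        severity = "high"
        reasons.append(f"{len(rule.keywords)} keyword conditions (bulk collection pattern)")
    if len(rule.name.strip()) <= 1:
        severity = "high"
        reasons.append("rule name is blank or a single character (hides in the rule list)")
    return Finding(rule.mailbox, rule.name, severity, reasons)


def scan(rules: list[InboxRule]) -> list[Finding]:
    """All findings, high severity first, then by mailbox."""
    findings = [f for f in (assess_rule(r) for r in rules) if f is not None]
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.mailbox))


# Constructed sample export (not real data): one benign internal forward, one
# employee copying mail to a partner lab, and one rule in the pattern described above.
SAMPLE_RULES = [
    InboxRule("j.doe@research.example.edu", "Grants to team",
              ["grants-team@research.example.edu"], ["NIH", "award"]),
    InboxRule("a.lee@research.example.edu", "Copy to partner lab",
              ["a.lee@partner-lab.example.org"], []),
    InboxRule("pi.smith@research.example.edu", ".",
              ["collector-mailbox@gmail.com"],
              ["Indo-Pacific", "unmanned", "clinical trial", "cyber"]
              + [f"term{i}" for i in range(146)]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule {f.name!r}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The keyword threshold and the single-character rule name are heuristics chosen for this example; tune them against a baseline of your own tenant's rules before treating a hit as an incident, and pair the check with a review of who created each rule and when, since a rule added right after a credential-theft window is the more telling fact.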
Google ultimately identified multiple organizations in the U.S. and Canada that had been compromised and notified each of them, researchers said. REDCap did not respond to a request for comment.