Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails

Summary

A China-linked espionage group infiltrated North American medical, academic, and military research networks for over a year, exfiltrating sensitive data. The attackers exploited a backdoor on REDCap research servers to steal credentials and then rewired victims' Google Workspace rules to exfiltrate emails.

IFF Assessment

FOE

This is bad news for defenders: it highlights a sophisticated, long-term espionage campaign by a state-sponsored actor that bypassed defenses and exfiltrated sensitive data.

Defender Context

This incident underscores the persistent threat posed by advanced persistent threat (APT) groups and the importance of comprehensive monitoring and security for research and defense networks. Defenders should watch for unusual modifications to cloud service configurations, such as new email forwarding addresses or mail filter rules, because these can indicate unauthorized access and ongoing data exfiltration.
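The monitoring advice above can be turned into a concrete detection. The following is an added example, not code from the article or from any of the organisations it describes: it scans mailbox-configuration audit events for two of the changes the story mentions, a forwarding address pointing outside the organisation and a filter that forwards mail externally (escalated when the same filter also deletes or archives the message so the owner never sees it). The event records and their field names (`event`, `actor`, `params`) are a constructed, hypothetical schema for illustration; a real deployment would map the fields of the Workspace audit log export it actually receives onto these.

```python
import json

# Constructed sample audit events (hypothetical schema, not Google's real
# Reports API format). Domains under .invalid are reserved and never resolve.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00Z", "event": "forwarding_address_added",
     "actor": "alice@example.org",
     "params": {"destination": "alice.archive@example.org"}},
    {"ts": "2024-03-01T09:40:00Z", "event": "forwarding_address_added",
     "actor": "bob@example.org",
     "params": {"destination": "collector@mailbox.invalid"}},
    {"ts": "2024-03-02T22:05:00Z", "event": "filter_created",
     "actor": "carol@example.org",
     "params": {"criteria": "from:(grants-office)",
                "actions": ["forward:relay@mailbox.invalid", "delete"]}},
    {"ts": "2024-03-03T08:00:00Z", "event": "filter_created",
     "actor": "dave@example.org",
     "params": {"criteria": "list:newsletters",
                "actions": ["label:Newsletters", "archive"]}},
    {"ts": "2024-03-03T08:30:00Z", "event": "password_changed",
     "actor": "erin@example.org", "params": {}},
]

# Domains the organisation owns; anything else is an external destination.
ORG_DOMAINS = {"example.org"}

# Filter actions that keep the mailbox owner from noticing the forwarded copy.
HIDING_ACTIONS = {"delete", "archive", "mark_read"}


def is_external(address, org_domains):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in org_domains}


def detect_mail_rule_abuse(events, org_domains):
    """Return one alert per event that routes mail outside the organisation.

    Internal forwarding and filters that only label/archive are left alone;
    the signal of interest is mail leaving the domain via a rule change.
    """
    alerts = []
    for ev in events:
        actor = ev["actor"]
        params = ev.get("params", {})

        if ev["event"] == "forwarding_address_added":
            dest = params.get("destination", "")
            if is_external(dest, org_domains):
                alerts.append({"ts": ev["ts"], "actor": actor, "severity": "high",
                               "reason": f"forwarding to external address {dest}"})

        elif ev["event"] == "filter_created":
            actions = params.get("actions", [])
            forwards = [a.split(":", 1)[1] for a in actions if a.startswith("forward:")]
            external = [d for d in forwards if is_external(d, org_domains)]
            if not external:
                continue
            hides = sorted(set(actions) & HIDING_ACTIONS)
            reason = f"filter forwards to external {', '.join(external)}"
            if hides:
                reason += f" and hides copies ({', '.join(hides)})"
            alerts.append({"ts": ev["ts"], "actor": actor,
                           "severity": "critical" if hides else "high",
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_mail_rule_abuse(SAMPLE_EVENTS, ORG_DOMAINS):
        print(json.dumps(alert))
```

Run against the constructed events, the detector ignores the internal forward, the newsletter filter and the password change, and raises two alerts: a high-severity one for the external forwarding address and a critical one for the filter that forwards grant-office mail externally and deletes the local copy. The domain comparison is case-insensitive because audit exports do not normalise address casing consistently.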
