Chinese-linked hackers steal research and defense emails by altering Google Workspace rules

AI-Generated Summary

2 sources

6 hours ago

1 views

Chinese-linked hackers steal research and defense emails by altering Google Workspace rules

Photo: The Next Web

Key Points

A China-linked espionage group compromises North American medical, academic, and defense research networks over an extended period.
Attackers gain initial access via a backdoor on REDCap research servers and use it to steal login credentials.
The campaign targets sensitive research information and defense-related email.
For data extraction, the attackers rewire victims’ Google Workspace rules to copy or forward matching messages to their destinations.
The unusual element reported is the use of modified Google Workspace rules as the main exfiltration mechanism.

Security researchers report that a China-linked espionage group accesses North American medical, academic, and defense-related research networks for more than a year, stealing sensitive research information and email tied to defense activities. The intrusion begins with a backdoor placed on REDCap research servers, which the attackers use to obtain login credentials. After establishing access, the group targets email accounts in the affected environments.

A key detail across reporting is the group’s exfiltration technique. Instead of using a conventional data-dumping method, the attackers reconfigure victims’ Google Workspace settings—specifically, by altering the organization’s own Workspace rules. By rewriting these rules, the attackers cause copies of selected messages to be automatically forwarded or copied to attacker-controlled destinations. This approach allows the group to extract information that matches certain criteria while using legitimate tooling and existing email workflow mechanisms.

The reporting emphasizes that the exfiltration method is the unusual part of the campaign, while the initial access leverages compromised REDCap infrastructure and stolen credentials.

How Outlets Covered This Story

THE

The Next Web

A built-in Google Workspace feature became a Chinese espionage group’s favourite exfiltration tool

A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks, stealing sensitive data and defence email. The attackers got in through a backdoor on REDCap research servers. The exfiltration method was the unusual part: they rewired the victims’ own Google Workspace rules to copy matching messages to […] This story continues at The Next Web

8 hours ago

THE

The Hacker News

Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails

A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email. The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims' own Google Workspace rules to copy any message

11 hours ago

We use cookies

This website uses cookies in order to enhance the overall user experience.

Take a look at our Cookies Policy for more information.

Chinese-linked hackers steal research and defense emails by altering Google Workspace rules

Stack Overflow Blog highlights AI agents, open source, and risks in deployment

Ashley Rivera mourns mother’s death after cancer battle

Anthropic releases Claude Fable 5, then limits access due to export rules