China-Linked Hackers Target US and Canadian Research in Massive Cyber Espionage Campaign
June 15, 2026
A China-linked hacking group, UNC6508, spent over a year infiltrating US and Canadian research institutions, focusing on defense, AI, medical research, and military technology.
The campaign began in September 2023 by exploiting REDCap servers, then deployed INFINITERED to harvest credentials, establish persistence, and upgrade access through November 2025.
Attackers used compromised REDCap servers to obtain legitimate credentials and installed custom malware to access networks, later automating email exfiltration of nearly 150 keywords and search terms to a Gmail account they controlled.
The report places the incident within broader cyber threat trends and underscores the need to protect critical research infrastructure.
GTIG recommends mitigations such as two-step verification for administrators, upgrading REDCap to the latest version, and diligent monitoring of audit logs.
The narrative includes dates, actors, and technical details (REDCap, INFINITERED, content compliance rules, UNC6508) to support guidance.
The report emphasizes ongoing collaboration and provides indicators of compromise to aid other organizations in defense.
GTIG published YARA rules and IoCs to help detect INFINITERED activity and related compromises.
Implications span research integrity, data confidentiality, and national security concerns for North American facilities.
Security implications show that espionage-access paths can be repurposed for disruption or patient-safety risks in healthcare contexts.
The breach affected a broad spectrum of research areas—molecular discovery, clinical trials, public health policy, and military readiness—with actionable IoCs and prevention guidance.
Defensive guidance calls for phishing-resistant MFA, monitoring for unauthorized changes, enabling DLP, keeping systems patched, and Google’s provision of IOCs to aid remediation.
Summary based on 16 sources
Get a daily email with more Tech stories
Sources

The Hacker News • Jun 15, 2026
Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
Economic Times • Jun 15, 2026
Chinese-linked hackers targeted US, Canadian research facilities for a year: Google
Yahoo Finance Canada • Jun 15, 2026
Chinese-linked hackers targeted U.S.,Canadian research facilities for a year, Google says