China-Linked Hackers Target US and Canadian Research in Massive Cyber Espionage Campaign

June 15, 2026
China-Linked Hackers Target US and Canadian Research in Massive Cyber Espionage Campaign
  • A China-linked hacking group, UNC6508, spent over a year infiltrating US and Canadian research institutions, focusing on defense, AI, medical research, and military technology.

  • The campaign began in September 2023 by exploiting REDCap servers, then deployed INFINITERED to harvest credentials, establish persistence, and upgrade access through November 2025.

  • Attackers used compromised REDCap servers to obtain legitimate credentials and installed custom malware to access networks, later automating email exfiltration of nearly 150 keywords and search terms to a Gmail account they controlled.

  • The report places the incident within broader cyber threat trends and underscores the need to protect critical research infrastructure.

  • GTIG recommends mitigations such as two-step verification for administrators, upgrading REDCap to the latest version, and diligent monitoring of audit logs.

  • The narrative includes dates, actors, and technical details (REDCap, INFINITERED, content compliance rules, UNC6508) to support guidance.

  • The report emphasizes ongoing collaboration and provides indicators of compromise to aid other organizations in defense.

  • GTIG published YARA rules and IoCs to help detect INFINITERED activity and related compromises.

  • Implications span research integrity, data confidentiality, and national security concerns for North American facilities.

  • Security implications show that espionage-access paths can be repurposed for disruption or patient-safety risks in healthcare contexts.

  • The breach affected a broad spectrum of research areas—molecular discovery, clinical trials, public health policy, and military readiness—with actionable IoCs and prevention guidance.

  • Defensive guidance calls for phishing-resistant MFA, monitoring for unauthorized changes, enabling DLP, keeping systems patched, and Google’s provision of IOCs to aid remediation.

Summary based on 16 sources


Get a daily email with more Tech stories

More Stories