Chinese Hackers Stole US Medical Data for a Year Without Anyone Noticing
A sophisticated hacking campaign tied to China managed to infiltrate prestigious academic and military research networks in the U.S., remaining completely undetected for more than a year, according to a report published by Google Threat Intelligence.
The targets include premier clinical providers, major universities, and military health institutions managing billions of dollars in research funding. The report notes that the group responsible is a Chinese state-linked threat actor tracked as UNC6508.
The hackers targeted critical, cutting-edge data across multiple sectors, including national defense intelligence, Indo-Pacific command operations, uncrewed vehicle systems, cyber offensive programs, artificial intelligence, and advanced medical research.
The security breach began as early as September 2023. The attackers gained initial access by targeting externally facing servers running REDCap (Research Electronic Data Capture), a widely used web application for managing online databases and surveys in scientific and medical studies. They exploited a weakness in how the platform handles legacy code: the software lets administrators keep older versions running alongside the current one.
Once inside the network, the hackers deployed a custom piece of malware named INFINITERED. This bespoke tool was designed to masquerade as legitimate system files, allowing it to blend into the background. The malware operated using three distinct modules. First, it intercepted the software’s upgrade process, meaning that even if an IT administrator updated the software, INFINITERED would automatically inject its malicious code into the new version to survive the update.
Second, it operated as a credential harvester, quietly logging usernames and passwords from login screens, encrypting them, and hiding them inside the legitimate database. Finally, it established a backdoor that executed every single time a page loaded on the site, waiting for encrypted commands from the hackers.
For over a year, the attackers quietly collected login credentials. Eventually, they used these harvested details to compromise high-level domain administrator accounts. With administrative control, UNC6508 manipulated email content compliance rules to secretly blind-carbon-copy (BCC) sensitive corporate emails to accounts under the hackers’ control.
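As an added illustration, not drawn from the Google report or this article, the following script shows how a defender could audit exported mail-flow or compliance rules for the covert BCC behaviour described above. The rule fields, the organization's domains and the sample rules are constructed assumptions, not data from the incident.

```python
"""Audit exported mail-flow / compliance rules for covert BCC exfiltration.

Constructed example: flags enabled rules that add BCC or redirect recipients
outside the organization's own domains, the pattern the report attributes to
UNC6508. Rule layout and domain names are assumptions, not a real export.
"""
from dataclasses import dataclass, field

ACCEPTED_DOMAINS = {"example.edu", "mail.example.edu"}  # assumed org domains


@dataclass
class MailRule:
    name: str
    enabled: bool
    conditions: dict = field(default_factory=dict)  # e.g. {"from_scope": "InOrganization"}
    bcc_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ACCEPTED_DOMAINS]


def audit_rules(rules):
    """Return (rule name, reason) for every enabled rule that copies mail outside the org."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        ext = _external(r.bcc_to) + _external(r.redirect_to)
        if not ext:
            continue
        reason = f"copies mail to external recipients {sorted(ext)}"
        if not r.conditions:
            reason += "; matches ALL mail (no conditions)"  # broad, silent copy rule
        findings.append((r.name, reason))
    return findings


# Constructed sample export: one legitimate archiving rule, one suspicious rule,
# one disabled rule that should not be reported.
SAMPLE_RULES = [
    MailRule("Journal to archive", True, {"from_scope": "InOrganization"},
             bcc_to=["archive@mail.example.edu"]),
    MailRule("Compliance review", True, {}, bcc_to=["review-intake@mailbox-relay.example"]),
    MailRule("Old disabled rule", False, {}, redirect_to=["x@attacker.example"]),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"[!] {name}: {reason}")
```

Run the same check against a periodic export of your mail platform's rules and alert on any new finding, since a legitimate archiving rule should point only at domains you control.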
Security experts are urging enterprise network defenders to patch REDCap servers immediately, enforce phishing-resistant two-step verification, and ensure unique passwords are used across different security domains.
