Google disclosed on Monday that a hacker group it identified as having ties to China had covertly compromised and stolen data from multiple scientific research institutions in the United States and Canada for more than a year, targeting universities and medical and military research units. The operation lasted from September 2023 to November 2025. During this period, the hackers stole intelligence in the fields of defense intelligence, military strategy in the Indo-Pacific region, artificial intelligence, unmanned systems, cyber warfare projects, and medical research.

Google's threat intelligence team stated in its latest report that the names of the attacked organizations have not been released publicly, but the research conducted by these units ranges from drug discovery and clinical trials to public health policy and military readiness, involving thousands of personnel and a combined research budget of billions of dollars. Google attributed the operation to a group it tracks internally as "UNC6508", describing it as a relatively new and little-known cyber espionage group. Its tradecraft closely matches the techniques and goals of hacking activity that has for years been classified as China-related, focusing on intelligence and research results likely to be of interest to the Chinese government.
The Chinese Embassy in Washington did not immediately respond to a request for comment. Beijing has always denied carrying out or condoning any illegal hacking activities, and when similar accusations arise, it usually emphasizes that it is also a victim of cyber attacks, calling on all countries to address cybersecurity challenges through dialogue and cooperation.

Google's investigation shows that the earliest known signs of activity in this espionage operation date back to September 2023. At that time, the attackers exploited a security vulnerability in a server running REDCap to gain initial access. REDCap is a web application widely used by non-profit organizations to build and manage online questionnaires and research databases. The hackers used custom malware to steal legitimate REDCap login credentials, moved into the target network without triggering routine alerts, and then set up an automated mechanism that forwarded emails containing specific keywords and search terms to a Gmail account under their control, allowing them to collect sensitive information continuously.
The report noted that Google researchers found nearly 150 of these keywords and search terms, including the phone numbers and email addresses of multiple personnel within the attacked organizations, as well as technical terms related to geostrategic policy, military strategy, cutting-edge technology and medical research. Through this mechanism, the hackers were able to filter and export, for more than a year, a large volume of email closely related to defense, technology and medical issues. REDCap did not respond to questions about the attacks and the exploit.
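As an added illustration of the defender's side of the mechanism described above (this is not code from Google's report or from the REDCap project), the following Python audits a set of mailbox-rule exports for the pattern the report describes: automatic forwarding of keyword-matched mail to an external consumer webmail address, optionally with the forwarded message deleted so the mailbox owner never sees it. The rule schema, organization domain, addresses and keywords are all constructed for the example; real platforms export rules in their own formats, so the loader would need adapting.

```python
"""Audit exported mailbox rules for covert keyword-based forwarding.

Added example, not from the original report. The rule schema below is a
simplified, hypothetical export format; every rule, address and keyword is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Consumer webmail domains: a forward from a corporate mailbox to one of
# these is unusual and, in the reported campaign, was the collection channel.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# A rule matching many distinct keywords is a broad collection filter
# (the report describes nearly 150 search terms); five is a constructed
# threshold that a real deployment would tune to its own baseline.
KEYWORD_COUNT_THRESHOLD = 5

# Constructed organization domain; forwards within it are considered benign here.
TRUSTED_DOMAINS = {"research-institute.example"}

# Constructed sample export (hypothetical schema, see audit_rule docstring).
SAMPLE_RULES = [
    {
        "mailbox": "pi.lab@research-institute.example",
        "name": "Sync with collaborator",
        "forward_to": ["collector.acct@gmail.com"],
        "keywords": ["indo-pacific", "clinical trial", "autonomous", "readiness",
                     "+1-555-0100", "grant-office@research-institute.example"],
        "delete_after_forward": True,
    },
    {
        "mailbox": "admin@research-institute.example",
        "name": "Vendor tickets",
        "forward_to": ["support@vendor-partner.example"],
        "keywords": ["ticket"],
        "delete_after_forward": False,
    },
    {
        "mailbox": "hr@research-institute.example",
        "name": "Archive",
        "forward_to": ["archive@research-institute.example"],
        "keywords": [],
        "delete_after_forward": False,
    },
]


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    severity: str
    reason: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: Dict, trusted_domains: Set[str]) -> List[Finding]:
    """Return findings for one rule.

    Hypothetical rule keys: mailbox, name, forward_to (list of addresses),
    keywords (list of subject/body terms), delete_after_forward (bool).
    """
    external = [a for a in rule.get("forward_to", []) if _domain(a) not in trusted_domains]
    if not external:
        return []  # internal-only forwarding is out of scope for this check
    keywords = rule.get("keywords", [])
    severity = "medium"
    reasons = ["forwards to external address(es): " + ", ".join(external)]
    if any(_domain(a) in FREEMAIL_DOMAINS for a in external):
        severity = "high"
        reasons.append("destination is a consumer webmail account")
    if len(keywords) >= KEYWORD_COUNT_THRESHOLD:
        severity = "high"
        reasons.append(f"{len(keywords)} keyword conditions (broad collection filter)")
    if rule.get("delete_after_forward"):
        severity = "high"
        reasons.append("deletes the message after forwarding (hides activity from the owner)")
    return [Finding(rule["mailbox"], rule["name"], severity, "; ".join(reasons))]


def audit_rules(rules: List[Dict], trusted_domains: Set[str]) -> List[Finding]:
    """Audit every rule and return findings, high severity first."""
    findings: List[Finding] = []
    for rule in rules:
        findings.extend(audit_rule(rule, trusted_domains))
    return sorted(findings, key=lambda f: (f.severity != "high", f.mailbox))


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, TRUSTED_DOMAINS):
        print(f"[{f.severity.upper()}] {f.mailbox} / {f.rule_name}: {f.reason}")
```

Run against the constructed export, the first rule is flagged high on all three counts (consumer webmail destination, six keyword conditions, delete-after-forward), the vendor rule is a medium external forward worth a human look, and the internal archive rule produces nothing. The same checks apply to server-side rules, client-side rules and account-level forwarding settings alike; the report's lesson is that the forwarding mechanism, not the initial exploit, carried the data out for over a year.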
Google said it eventually identified a number of compromised organizations in the United States and Canada and notified each of them to help identify the intrusion path, patch the exploited vulnerability, and take follow-up protective measures. Although the specific victim organizations and the extent of the losses have not yet been disclosed, the incident is regarded as another long-term infiltration operation targeting high-value research and defense intelligence, highlighting the continued rise in transnational cyber-espionage risk in the academic, medical and military fields.