‹ ARCHIVE NB-L064 · .log · 2026·07

The most capable attackers no longer need to break in


For more than two years, an espionage group tied to the Chinese state sat inside the networks of several medical research institutions in the United States and Canada, and no one noticed. The first confirmed intrusion dates to September 2023, and the activity continued through November 2025. There was no forced door and no alarm. There was an email forwarding rule, created quietly inside the victims' own mail system, copying everything of interest to a mailbox the attackers controlled.

This is the part that should keep us up at night. The most dangerous attack is no longer the one that breaks the lock; it is the one that becomes part of the furniture. The group, which Google tracks as UNC6508, did not need exotic tools to steal the data. It used what the labs already had and trusted, and turned it against them. Once the intruder's activity is part of the system's normal operation, very little of it looks strange enough to detect.

How they got in, and why they survived the updates

The way in was through REDCap servers exposed to the internet. REDCap, software widely used in the medical community to manage clinical trial databases, holds exactly what these attackers were after: drug research, health data, public health policy. Once inside, they installed custom malware, which Google's researchers named INFINITERED, that did three things.

First, it hid inside REDCap's own files and latched onto the update mechanism: every time administrators updated the software, the malicious code reinjected itself. Installing the fix did not clean the infection; it reinstalled it. Second, it captured usernames and passwords as people logged in, storing them encrypted in REDCap's own database. Third, it opened a backdoor, a hidden channel for remote control, whose commands arrived hidden in what looked like ordinary web traffic to the site.
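Because the implant lived inside REDCap's own files and survived upgrades, the practical question for an administrator is whether the deployed tree still matches the release the vendor shipped. The script below is an added example, not code from Google's report or from the REDCap project: it hashes a pristine extract of the installed release and the live web root and reports anything added, modified or missing. The directory names treated as runtime data (`edocs/`, `temp/`) and the sample file names are assumptions; the two sample trees are constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: these directories hold legitimate runtime data that the release
# archive does not ship, so differences there are expected. A PHP file turning
# up in a data directory is never ignored.
DATA_PREFIXES = ("edocs/", "temp/")


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def ignorable(rel: str) -> bool:
    return rel.startswith(DATA_PREFIXES) and not rel.endswith(".php")


def diff_trees(clean_root: Path, deployed_root: Path) -> dict:
    """Report files added to, modified in, or missing from the deployed tree
    relative to the pristine release. Everything listed deserves a manual look."""
    clean = hash_tree(clean_root)
    deployed = hash_tree(deployed_root)
    return {
        "added": sorted(p for p in deployed if p not in clean and not ignorable(p)),
        "modified": sorted(p for p in clean
                           if p in deployed and clean[p] != deployed[p] and not ignorable(p)),
        "removed": sorted(p for p in clean if p not in deployed and not ignorable(p)),
    }


def write(root: Path, rel: str, body: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)


def build_sample_trees(base: Path):
    """Constructed sample: file names and contents are illustrative, not real REDCap paths."""
    clean, deployed = base / "clean", base / "deployed"
    release = {
        "index.php": "<?php // front controller\n",
        "lib/helpers.php": "<?php function helper() {}\n",
        "upgrade.php": "<?php // upgrade script\n",
    }
    for rel, body in release.items():
        write(clean, rel, body)
        write(deployed, rel, body)
    # Tampering in the deployed copy (constructed): a shipped file gains an include
    # of a file the release never contained; a legitimate upload lands in edocs/.
    write(deployed, "lib/helpers.php", "<?php function helper() {} include 'extra.php';\n")
    write(deployed, "lib/extra.php", "<?php // not in the release archive\n")
    write(deployed, "edocs/1.pdf", "%PDF-1.4 legitimate upload\n")
    return clean, deployed


def run_sample() -> dict:
    """Build the constructed trees in a temporary directory and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, deployed = build_sample_trees(Path(tmp))
        return diff_trees(clean, deployed)


if __name__ == "__main__":
    # Real use: diff_trees(Path("/path/to/pristine-release"), Path("/path/to/live-webroot"))
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

Run it from a clean machine, not from the suspect server, and hash the pristine extract from the archive you downloaded from the vendor, not from a backup of the deployed tree, since that backup may already carry the implant.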

The betrayal was in the rules the organization wrote itself

The most elegant move, and the most frightening, came next. Instead of exporting files by the gigabyte, which trips alarms, UNC6508 opened the victims' Google Workspace admin console and created a "compliance rule". These rules are a legitimate feature, meant for organizations to govern their own mail, for example to archive messages containing certain words. The attackers created a rule they called "Patroit", searching for a very specific vocabulary: military strategy, advanced technology, medical research, artificial intelligence, uncrewed vehicles, cyber offensive programs, Indo-Pacific operations. Every matching message was copied, silently, to a Gmail account they controlled.

Consider what that means. The tool designed to give organizations control over their own mail became the pipe the information flowed out through. In this stage there is no malware to detect; it is a legitimate configuration used for an illegitimate end.

And the target says everything. Not money, not extortion. Knowledge: molecular discovery, clinical drug trials, military readiness, armed forces health institutions. This is the research that decides which medicines you will have ten years from now and how a country defends itself. Classic espionage stole a secret and left. This one sits for years inside the legitimate workflow and slowly drains what defines the next decade.

And it is not a problem only on the other side of the Atlantic. In Portugal, back in 2021, an investigation by the newspaper Público, based on four sources tied to internal security, linked China precisely to cyberattacks against national health institutions, which were then under investigation by the Judicial Police. The 2026 report from the National Cybersecurity Centre confirms the trend: nine in ten surveyed organizations perceive a heightened risk of suffering an incident. The question is not whether we are a target; it is whether we would notice.

How to close this door

For those who run these systems, Google left the map. The essentials:

  • Audit compliance rules and the admin audit logs for changes no one authorized. This is where the leak lived hidden.
  • Require phishing-resistant two-step verification (physical security keys or equivalent) on administrator accounts, the ones that open everything.
  • Update REDCap to the latest version and fully remove old installations rather than upgrading in place, so no file remains from which the code can reinject itself; and, since the implant captured logins, rotate every credential entered through the affected server.
  • Watch external mail forwarding and set rules that block, or at least alert on, sharing sensitive data outside the organization.
  • Treat internet-facing research servers as what they are, a way in, not a forgotten shelf.
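The first and fourth points above come down to one question: which rule or setting changes now send copies of mail outside the organization? The script below is an added example, not code from Google's report: it walks admin audit events and flags any compliance rule or forwarding change whose recipients fall outside the organization's own domains, ranking an admin-created compliance rule (the "Patroit" pattern) above a user's self-forwarding. The event shape (timestamp, actor, event name, parameters) and the event labels are assumed simplifications, not the exact records the Workspace Reports API returns; map real exports into this shape before feeding them in. The events and the `lab.example` domain are constructed.

```python
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains; any other domain is external.
ORG_DOMAINS = {"lab.example"}

# Event labels that change where mail is delivered, with the severity to assign.
# Assumed, simplified names, not the exact strings the Workspace audit log emits.
ROUTING_EVENTS = {
    "CREATE_COMPLIANCE_RULE": "high",
    "UPDATE_COMPLIANCE_RULE": "high",
    "CHANGE_EMAIL_FORWARDING": "medium",
}

# Constructed events in the simplified shape this example consumes.
CONSTRUCTED_EVENTS = [
    {"ts": "2025-03-02T01:14:09Z", "actor": "admin@lab.example", "event": "CREATE_COMPLIANCE_RULE",
     "params": {"rule_name": "Patroit", "recipients": ["collector@gmail.com"],
                "keywords": ["clinical trial", "uncrewed", "Indo-Pacific"]}},
    {"ts": "2025-03-02T09:30:00Z", "actor": "admin@lab.example", "event": "CREATE_COMPLIANCE_RULE",
     "params": {"rule_name": "Archive HR", "recipients": ["archive@lab.example"],
                "keywords": ["payroll"]}},
    {"ts": "2025-03-03T10:02:44Z", "actor": "alice@lab.example", "event": "CHANGE_EMAIL_FORWARDING",
     "params": {"recipients": ["alice.home@gmail.com"]}},
    {"ts": "2025-03-03T10:05:10Z", "actor": "admin@lab.example", "event": "ADD_USER",
     "params": {"user": "bob@lab.example"}},
]


@dataclass
class Finding:
    ts: str
    actor: str
    event: str
    severity: str
    external: list
    rule_name: str = ""
    keywords: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(params: dict, org_domains=ORG_DOMAINS) -> list:
    """Recipients of a rule or forwarding setting whose domain is not one of ours."""
    return [r for r in params.get("recipients", []) if domain_of(r) not in org_domains]


def find_external_routing(events, org_domains=ORG_DOMAINS) -> list:
    """One Finding per routing change that delivers mail outside the organisation.

    A compliance rule pairing a keyword filter with an external recipient is the
    pattern described for the "Patroit" rule, so it is reported at high severity;
    a user's own forwarding setting is reported at medium. Internal-only rules
    and unrelated admin events are skipped."""
    findings = []
    for ev in events:
        severity = ROUTING_EVENTS.get(ev["event"])
        if severity is None:
            continue
        params = ev.get("params", {})
        ext = external_recipients(params, org_domains)
        if not ext:
            continue
        findings.append(Finding(ev["ts"], ev["actor"], ev["event"], severity, ext,
                                params.get("rule_name", ""), params.get("keywords", [])))
    return findings


if __name__ == "__main__":
    for f in find_external_routing(CONSTRUCTED_EVENTS):
        print(f"[{f.severity}] {f.ts} {f.actor} {f.event} rule={f.rule_name!r} "
              f"-> {f.external} keywords={f.keywords}")
```

Run this over the full history of the audit log, not just the last few weeks: the rule in this case sat in place for a long time, and the event that created it is the only trace the exfiltration leaves in the logs once the rule is running.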

The lesson of UNC6508 is not that there is one more piece of malware to fear. It is that the most capable attackers no longer need to break anything. They learned to use our own rules, our own buttons, and our own trust, with the patience of those who know that the hardest thing to see is what looks normal.

Sources: Google Threat Intelligence Group, SecurityWeek.

#StaySafe
🙏🖖
