A Chinese-linked hacking group spent more than a year secretly stealing data from US and Canadian academic, medical, and military research institutions before being detected, Google said on Monday.
Between September 2023 and November 2025, the hackers sought information related to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs, and medical research, according to Google’s Threat Intelligence Group.
Google didn't name the targeted organizations, but said their work covered a broad range of fields — from drug discovery and clinical trials to public health policy and military readiness. The institutions collectively employ thousands of people with a combined research budget running into the billions of dollars.
Google attributed the campaign to a hacking group it calls UNC6508, a relatively new and little-known cyberespionage player. Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said the group’s methods are broadly consistent with Chinese-linked hacking activity seen over many years. They're focused on gathering information likely to be of interest to the Chinese government.
The Chinese Embassy in Washington didn't immediately respond to a request for comment. Beijing regularly denies carrying out or condoning illicit hacking activity.
The earliest known activity tied to the campaign dates to September 2023, when the hackers exploited vulnerabilities in servers running REDCap, a web application widely used by nonprofits to build and manage online surveys and databases. Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to gain access to the targeted networks.
They then set up a system to automatically forward emails containing any of nearly 150 keywords and search terms to a Gmail account they controlled. The keywords included phone numbers and email addresses for people at targeted organizations, as well as terms related to geo-strategic policy, military strategy, advanced technology, and medical research.
Google eventually identified multiple compromised organizations across the U.S. and Canada and notified each of them, the researchers said. REDCap didn't respond to a request for comment.
"The organization’s methods are broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government," said Luke McNamara, deputy chief analyst at Google Threat Intelligence Group.
The campaign highlights the persistent threat of state-sponsored cyberespionage targeting Western research institutions. For Filipino researchers and institutions that collaborate with US and Canadian partners, the incident serves as a reminder of the importance of cybersecurity in protecting sensitive data.