Chinese-linked hackers targeted US, Canadian research facilities

Activity attributed to UNC6508.

A Chinese-linked hacking group spent more than a year secretly stealing data from US and Canadian academic, medical and military research institutions before being detected, Google said.

Between September 2023 and November 2025, the hackers sought information related to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs and medical research, Google’s Threat Intelligence Group said in a report.

Google did not name the targeted organizations, but said their work covered a broad range of fields, from drug discovery and clinical trials to public health policy and military readiness, and that they collectively employ thousands of people with a combined research budget running into the billions of dollars.

Google has attributed the campaign to a hacking group it calls UNC6508, a relatively new and little-known cyberespionage player. 

Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said the group's methods are broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government.

The Chinese Embassy in Washington did not immediately respond to a request for comment. Beijing regularly denies carrying out or condoning illicit hacking activity.

The earliest known activity tied to the campaign dates to September 2023, when the hackers exploited vulnerabilities in servers running REDCap, a web application widely used by nonprofits to build and manage online surveys and databases.

Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to gain access to the targeted networks.

They then set up a system to automatically forward emails containing any of nearly 150 keywords and search terms to a Gmail account they controlled, the researchers said.

REDCap did not respond to a request for comment.

The keywords and search terms included phone numbers and email addresses for people at targeted organisations, as well as terms related to geo-strategic policy, military strategy, advanced technology, and medical research.

Google eventually identified multiple compromised organisations across the US and Canada and notified each of them, the researchers said.
