Ethical Hacking News
A recent report by Google's Threat Intelligence Group (GTIG) has exposed a sophisticated cyber espionage campaign carried out by a China-linked hacking group tracked as UNC6508. The group exploited Google Workspace content compliance rules, a legitimate admin feature, to steal sensitive research and defense emails from multiple organizations across the United States and Canada. This article provides an in-depth analysis of the campaign, its methods, and recommended steps for organizations to protect themselves against email-forwarding-rule abuse.
The hackers used custom-built malware, INFINITERED, which trojanized REDCap's system files and allowed them to harvest usernames and passwords. They then used content compliance rules to silently forward sensitive emails to an attacker-controlled Gmail address. According to GTIG, this is the first time a China-linked actor has been observed using domain content compliance rules to carry out email-forwarding-rule abuse.
The campaign, which began around September 2023, relied on a custom-built malware known as INFINITERED that trojanized REDCap's own system files. This let the hackers harvest usernames and passwords from login pages and store them in local database tables. The malware also gave the attackers a backdoor that took commands through HTTP cookies and ran on every page load.
What is particularly concerning about this campaign is how the hackers exploited content compliance rules, a legitimate Google Workspace admin feature that scans mail for keywords and can copy or forward matching messages. By creating a rule with misspelled keywords, such as "Patroit," the attackers silently BCC'd sensitive emails to an attacker-controlled Gmail address, which Google later disabled.
This is not the first time China-linked hackers have been accused of using email-forwarding-rule abuse to steal sensitive information. What makes this campaign noteworthy is the use of domain content compliance rules to achieve it, a method GTIG had not previously seen from a China-linked actor.
The attackers mapped rule keywords to their collection priorities, including geo-strategic policy, military strategy and equipment, advanced technology including AI and uncrewed vehicles, offensive cyber programs, and medical research. One term stood out for its specificity: "chikungunya," the mosquito-borne virus behind a 2025 outbreak in China's Guangdong province.
The campaign highlights the growing threat of state-backed attacks against defense organizations, research institutions, and healthcare providers. It also underscores the importance of robust email security measures, including regular review of content compliance rules and secure authentication protocols.
In response to this campaign, Google has notified the affected organizations and disrupted the group's infrastructure. However, it is clear that more needs to be done to prevent similar attacks in the future. The guidance below describes how organizations can protect themselves against email-forwarding-rule abuse and related threats.
The recommended steps are: start with REDCap, patching externally facing servers and removing old versions outright; review Workspace or equivalent content compliance and mail-forwarding rules for suspicious entries; check admin audit logs for changes to those rules; pull GTIG's published indicators and hunt for INFINITERED malware; and implement phishing-resistant MFA on administrator accounts.
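One way to carry out the rule review step above, as an added example that is not code from the article or from GTIG: audit exported mail-routing rules for the two signals the campaign relied on, keywords that are deliberate misspellings of sensitive terms (such as "Patroit") and BCC/forward targets outside the organization's own domains. The rule schema, the watchlist and the sample rules are constructed for illustration and are not Google's own export format.

```python
# Added example (not from the article or GTIG): audit mail-routing rules for
# misspelled sensitive keywords and BCC/forward targets outside the org.
from itertools import product

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition such as Patroit/patriot scores 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def keyword_matches(keywords, watchlist, max_dist=2):
    """(keyword, term, distance) for rule keywords equal to or a near-miss
    of a sensitive term; distance > 0 suggests a deliberate misspelling."""
    hits = []
    for kw, term in product(keywords, watchlist):
        d = edit_distance(kw.lower(), term.lower())
        if d <= max_dist:
            hits.append((kw, term, d))
    return hits

def external_recipients(rule, org_domains):
    """BCC/forward addresses whose domain the organisation does not own."""
    targets = rule.get("bcc", []) + rule.get("forward", [])
    return [a for a in targets if a.rsplit("@", 1)[-1].lower() not in org_domains]

def audit_rules(rules, org_domains, watchlist):
    """One finding per rule that copies mail externally or whose keywords
    track the watchlist, exactly or via misspelling."""
    findings = []
    for rule in rules:
        ext = external_recipients(rule, org_domains)
        kws = keyword_matches(rule.get("keywords", []), watchlist)
        if ext or kws:
            findings.append({"rule": rule["name"], "external": ext, "keywords": kws})
    return findings

# Constructed sample data; the rule schema is a simplification, not Google's own.
SAMPLE_RULES = [
    {"name": "Legal hold", "keywords": ["subpoena"], "bcc": ["legal@example.org"]},
    {"name": "Compliance check", "keywords": ["Patroit", "chikungunya"],
     "bcc": ["archive-x9@gmail.com"]},
]
WATCHLIST = ["patriot", "hypersonic", "chikungunya"]
ORG_DOMAINS = {"example.org"}

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ORG_DOMAINS, WATCHLIST):
        print(finding)
```

Only the "Compliance check" rule is reported: it copies mail to a gmail.com address and its keywords are a misspelling of "patriot" and an exact match for "chikungunya".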
In conclusion, the exploitation of Google Workspace rules by Chinese hackers is a serious security threat that highlights the need for robust email security measures. By understanding how these attacks work and taking steps to prevent them, organizations can significantly reduce their risk of being targeted.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-the-Insidious-Campaign-Chinese-Hackers-Exploitation-of-Google-Workspace-Rules-to-Steal-Sensitive-Research-and-Defense-Emails-ehn.shtml
https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
Published: Thu Jun 18 00:15:16 2026 by llama3.2 3B Q4_K_M