Google's Threat Intelligence Group (GTIG) has disclosed the discovery and disruption of a sustained China-nexus espionage campaign that operated undetected for approximately one year, targeting US research institutions and exfiltrating sensitive data using stolen credentials for REDCap, a widely used clinical and translational research data management platform.
Campaign Overview
The threat actor, tracked by Google under a China-nexus designation, conducted a sophisticated credential theft and persistent access operation against academic research organizations, medical research institutions, and affiliated entities within the United States. The campaign's central focus was the theft of REDCap authentication credentials, which gave the attackers access to sensitive research databases, clinical trial data, and collaborative research repositories.
Key campaign characteristics:
- Duration: Approximately 12 months of undetected operation before discovery
- Target profile: US research institutions, universities, and medical research organizations
- Primary vector: spear-phishing for REDCap credentials, followed by logins to legitimate REDCap instances with the stolen credentials
- Data exfiltrated: Research data, credentials, and internal communications
- Attribution: China-nexus actor with intelligence collection objectives
What Is REDCap?
REDCap (Research Electronic Data Capture) is a secure web application and workflow methodology built specifically for electronic data capture in research studies. It is used by over 6,000 institutions in 150 countries, including virtually every major US research university and hospital system, to manage:
- Clinical trial data
- Survey and questionnaire data
- Medical records for research purposes
- Biomedical research datasets
- Grant-funded research project data
The platform stores extraordinarily sensitive information, including patient health data, proprietary research findings, unpublished scientific discoveries, and data with potential national security relevance such as defense-related research, materials science, and emerging technology development.
Attack Methodology
The threat actor's approach reflected careful tradecraft designed to minimize detection:
Phase 1: Credential Harvesting
The campaign used spear-phishing emails crafted to look like legitimate REDCap password reset notifications, institutional IT communications, and research collaboration invitations. Victims were directed to convincing replica login pages that captured their REDCap usernames and passwords.
Phase 2: Persistent Access
With valid credentials, the attackers:
- Logged into legitimate REDCap instances at target institutions
- Moved laterally through research networks using the compromised accounts
- Extended their foothold by harvesting credentials for other institutional systems reachable from the research networks
- Set up automated data export schedules to quietly exfiltrate research records
Phase 3: Long-Term Collection
The attackers maintained low-profile persistent access by:
- Operating during normal business hours to blend with legitimate activity
- Limiting data exfiltration rates to avoid triggering volume-based anomaly detection
- Regularly rotating the IP addresses used for access via VPN and proxy infrastructure
- Avoiding interactions with honeypot files or other obvious detection mechanisms
Google's Discovery and Disruption
Google's Threat Intelligence Group identified the campaign through a combination of:
- Analysis of malicious phishing infrastructure overlapping with previously attributed China-nexus actor tooling
- Detection of anomalous login patterns against REDCap login portals
- Correlation of exfiltration traffic patterns across multiple affected institutions
Upon discovery, Google:
- Notified affected institutions through Google's threat intelligence notification program
- Shared indicators of compromise (IoCs) with REDCap administrators and US-CERT
- Disrupted the phishing infrastructure by flagging and blocking malicious domains in Google Safe Browsing and Chrome
- Coordinated with CISA and the FBI to notify impacted organizations
Intelligence Significance
Research institutions represent high-value targets for Chinese intelligence collection for several reasons:
- Pre-publication scientific research — stealing findings before they are published gives strategic competitors an advantage without the cost of conducting the research
- Defense-adjacent research — universities conducting federally funded defense research may hold data subject to export controls
- Biomedical research — clinical data and pharmaceutical research have both economic and biosecurity value
- Personnel data — compromising research networks provides access to information on researchers who may later be recruited as human intelligence assets
The scale and duration of the campaign — a full year of undetected access across multiple institutions — reflects both the sophistication of the threat actor and the limited security monitoring capabilities at many academic research environments.
Indicators of Compromise
Affected organizations should check for:
- Logins from unfamiliar networks in REDCap access logs: a source network (ASN or address block) the user has never authenticated from before is a stronger signal than country of origin, since the actor rotated through VPN and proxy infrastructure, and geolocation to Asia-Pacific IP space alone will both miss proxied access and flag legitimate travelling researchers
- Unusual data export activity: the actor deliberately kept individual exports small, so look for exports that recur at regular intervals (a scheduled job) and aggregate each user's export count over weeks rather than alerting only on large single exports
- Password reset requests that correlate with subsequent logins from new devices or networks
- Use of REDCap account credentials, or of other credentials harvested from the research network, to authenticate to adjacent research infrastructure
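The following is an added example, not GTIG's or the REDCap project's code, that runs the three log-based checks above over a REDCap event log export. It assumes rows from REDCap's redcap_log_event table with columns ts (YYYYMMDDHHMMSS), user, ip, event and description, which you should verify against your own instance, and it uses a /24 address block as an offline stand-in for an ASN lookup; the sample rows are constructed for illustration, including the "Password reset requested" description, which is assumed rather than REDCap's exact wording.

```python
"""Hunt a REDCap event-log export for the indicators described above."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample rows (assumed redcap_log_event columns; not a real export).
SAMPLE_LOG = """ts,user,ip,event,description
20240301083000,asmith,10.20.30.55,LOGIN,Login successful
20240301091502,jdoe,10.20.30.41,LOGIN,Login successful
20240301091530,jdoe,10.20.30.41,DATA_EXPORT,Data export (project 12)
20240303140011,jdoe,10.20.30.41,LOGIN,Login successful
20240310101500,jdoe,198.51.100.77,OTHER,Password reset requested
20240310113012,jdoe,203.0.113.9,LOGIN,Login successful
20240310113100,jdoe,203.0.113.9,DATA_EXPORT,Data export (API)
20240311113101,jdoe,203.0.113.45,DATA_EXPORT,Data export (API)
20240312113059,jdoe,203.0.113.12,DATA_EXPORT,Data export (API)
20240313113102,jdoe,203.0.113.88,DATA_EXPORT,Data export (API)
20240314113100,jdoe,203.0.113.3,DATA_EXPORT,Data export (API)
20240315083000,asmith,10.20.30.55,DATA_EXPORT,Data export (project 7)
"""


def parse_log(text):
    """Parse CSV rows, attach a datetime and a /24 source network (ASN stand-in)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["when"] = datetime.strptime(r["ts"], "%Y%m%d%H%M%S")
        r["net"] = str(ip_network(r["ip"] + "/24", strict=False))
        rows.append(r)
    rows.sort(key=lambda r: r["when"])
    return rows


def baseline_networks(rows, cutoff):
    """Networks each user logged in from before `cutoff`: the known-good set."""
    seen = defaultdict(set)
    for r in rows:
        if r["event"] == "LOGIN" and r["when"] < cutoff:
            seen[r["user"]].add(r["net"])
    return seen


def new_network_logins(rows, baseline):
    """Successful logins from a network the user never used in the baseline."""
    return [(r["user"], r["ts"], r["ip"]) for r in rows
            if r["event"] == "LOGIN" and r["net"] not in baseline.get(r["user"], set())]


def low_and_slow_exports(rows, window=timedelta(days=30), threshold=5,
                         jitter=timedelta(minutes=5), min_regular=3):
    """Per user, count exports in the densest rolling window; small daily exports
    that would never trip a per-event size alert still add up here. Also flag the
    run as scheduled when enough inter-export gaps sit within `jitter` of the median."""
    by_user = defaultdict(list)
    for r in rows:
        if r["event"] == "DATA_EXPORT":
            by_user[r["user"]].append(r["when"])
    findings = {}
    for user, times in by_user.items():
        best, start = (0, 0, 0), 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < threshold:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times[s:e], times[s + 1:e + 1])]
        regular = 0
        if gaps:
            median = statistics.median(gaps)
            regular = sum(abs(g - median) <= jitter.total_seconds() for g in gaps)
        findings[user] = {"exports": count, "scheduled": regular >= min_regular}
    return findings


def reset_then_new_device(rows, baseline, within=timedelta(hours=24)):
    """Password reset followed within `within` by a login from an unknown network."""
    hits = []
    for reset in (r for r in rows if "Password reset" in r["description"]):
        for r in rows:
            if (r["user"] == reset["user"] and r["event"] == "LOGIN"
                    and reset["when"] < r["when"] <= reset["when"] + within
                    and r["net"] not in baseline.get(r["user"], set())):
                hits.append((r["user"], reset["ts"], r["ts"], r["ip"]))
    return hits


def hunt(text, cutoff="20240305000000"):
    """Run all three checks; `cutoff` ends the baseline period for known networks."""
    rows = parse_log(text)
    base = baseline_networks(rows, datetime.strptime(cutoff, "%Y%m%d%H%M%S"))
    return {"new_network_logins": new_network_logins(rows, base),
            "export_findings": low_and_slow_exports(rows),
            "reset_then_new_device": reset_then_new_device(rows, base)}


if __name__ == "__main__":
    for name, result in hunt(SAMPLE_LOG).items():
        print(name, result)
```

Set the baseline cutoff to a date comfortably before the earliest suspected compromise; if the actor's logins fall inside the baseline window they become "known" networks and the first check goes blind, which is exactly why the export regularity check does not depend on the baseline at all.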
Recommendations for Research Institutions
- Enable multi-factor authentication (MFA) on all REDCap instances, either through REDCap's built-in two-step login or by fronting REDCap with the institution's SSO identity provider; this single control would have significantly raised the bar for this campaign, since stolen passwords alone would no longer grant access
- Review REDCap access logs for anomalous login patterns over the past 12 to 18 months, using the application's own event log (which records logins and data exports) alongside web server and identity provider logs
- Implement IP allowlisting for REDCap administrative access where operationally feasible
- Conduct phishing simulation training with specific focus on credential harvesting lures using institutional branding
- Deploy network anomaly detection to identify unusual data export volumes
- Segment research networks from broader institutional networks to limit lateral movement opportunities
- Coordinate with your institution's Information Security Office and report any suspicious activity to CISA's 24/7 operations center
The campaign is a sobering reminder that academic and research environments — often perceived as lower-priority targets than government or financial institutions — are actively targeted by sophisticated state-sponsored actors pursuing long-term strategic intelligence collection objectives.