
Enterprise networks require constant vigilance, and Google just uncovered a textbook example of how patient cyber spies can be when high-value data is on the line. A newly published report from the Google Threat Intelligence Group reveals that a Chinese state-sponsored hacking group spent over a year inside the servers of premier medical, academic, and military research organizations across North America. This is in addition to the Chinese cybercrime network recently sued by Google.
The group, tracked by investigators as UNC6508, targeted an incredibly diverse mix of institutions. We are talking about top-tier clinical providers, health regulatory bodies, and North American military health systems. These facilities employ thousands of professionals and command research budgets reaching deep into the billions, focusing on cutting-edge work like drug trials, molecular discovery, and overall military readiness.
The secret entry point and custom malware
To get inside, the attackers focused their attention on public-facing Research Electronic Data Capture (REDCap) servers. Once they spotted a way in, they deployed a specialized, custom-built malware strain called INFINITERED.
The malware did not make loud, disruptive changes that would instantly trigger automated security alarms. Instead, the actors used the malware for quiet data gathering. It allowed them to harvest administrative login credentials, giving them the keys to move laterally across the internal networks without raising any red flags for more than twelve months.
Tricking the email system
The most fascinating, and troubling, part of the operation involves how the group actually smuggled the stolen data out of the organizations. One might expect the team to resort to traditional hacking tools to download massive blocks of files all at once. However, they manipulated a completely standard feature found in most corporate cloud productivity suites: content compliance rules (via Techradar).
Using the administrative accounts they had compromised, the hackers quietly created a specific email routing rule. They mistyped the name, calling the rule “Patroit,” and programmed it to monitor internal communications for specific keywords, phrases, and text patterns. Whenever an email matched those parameters, the system automatically blind-carbon-copied (BCC) the message to external Gmail accounts controlled by the attackers. It was an incredibly effective way to steal ongoing research in real time using the network’s own built-in tools.
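The detection side of this technique, as an added example that is not from the Google report or this article: a small audit script that walks a set of mail routing rules and flags any rule that copies keyword-matched mail to mailboxes outside the organization. The rule record layout, the internal domain names and the sample rules are all constructed assumptions for the example, not Google Workspace's real schema or API.

```python
from dataclasses import dataclass, field

# Constructed internal domains; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example-hospital.org", "research.example-hospital.org"}

@dataclass
class ComplianceRule:
    """Hypothetical normalized view of a content compliance / routing rule.
    The field layout is an assumption for this example, not Google's schema."""
    name: str
    created_by: str
    match_patterns: list                                  # keywords the rule looks for
    bcc_recipients: list = field(default_factory=list)    # "add recipients" in BCC mode

def external_recipients(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the BCC recipients whose domain is not one of ours."""
    ext = []
    for addr in rule.bcc_recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            ext.append(addr)
    return ext

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that silently copy matching mail to external mailboxes.
    Returns a list of (rule name, reasons) for the rules worth reviewing."""
    findings = []
    for rule in rules:
        reasons = []
        ext = external_recipients(rule, internal_domains)
        if ext:
            reasons.append("BCC to external recipients: " + ", ".join(ext))
            if rule.match_patterns:
                # Keyword trigger plus external BCC is the pattern the report describes.
                reasons.append("content-triggered on: " + ", ".join(rule.match_patterns))
        if reasons:
            findings.append((rule.name, reasons))
    return findings

# Constructed sample rules: one legitimate archive rule, one modeled on "Patroit".
SAMPLE_RULES = [
    ComplianceRule("Legal hold", "it-admin@example-hospital.org",
                   ["subpoena"], ["legal-archive@example-hospital.org"]),
    ComplianceRule("Patroit", "svc-backup@example-hospital.org",
                   ["clinical trial", "protocol", "molecular"],
                   ["collector.constructed@gmail.com"]),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(name, "->", "; ".join(reasons))
```

Running the same check over the rules exported from a real tenant, and alerting whenever a new rule with an external BCC appears in the admin audit trail, turns this one-off review into continuous detection.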
How Google is cleaning up the mess
Google has already stepped in to disrupt the operation by completely disabling the threat actor’s destination Gmail accounts. However, because the underlying technique exploits standard software functionality rather than a simple software bug, the company is urging enterprise administrators to lock down their environments immediately.
Fortunately, the defense recommendations are easy to follow. Google suggests that organizations handling highly sensitive data enforce phishing-resistant two-factor authentication and shift toward device-bound session credentials to stop session cookie theft in its tracks. Additionally, administrators should consider enrolling critical corporate accounts into advanced security protection programs to ensure a similar compliance trick cannot be pulled off again.
The post Google Catches Chinese Hackers Lurking in US Medical and Defense Networks appeared first on Android Headlines.