Google stated on Tuesday that a hacker group linked to China secretly stole data from US and Canadian academic, medical, and military research institutions for more than a year without being detected.
According to a report released by Google's Threat Intelligence Team, the hackers targeted information regarding defense intelligence, Indo-Pacific military strategy, artificial intelligence, drones, cyber warfare plans, and medical research from September 2023 to November 2025.
Google did not disclose the names of the targeted institutions, but indicated that they cover a wide range of fields, including drug development, clinical trials, public health policy, and military readiness. Collectively, these institutions employ thousands of people and have research funding reaching into the billions of US dollars.
Google said the data theft was carried out by a hacker group known as UNC6508, which is a relatively new and little-known cyber-espionage organization.
Shane McNamara, Deputy Director of Google's Threat Intelligence Team, noted that the group's methods are in many respects similar to Chinese hacking activity observed over the years, with a focus on gathering intelligence that may interest the Chinese government.
The Chinese Embassy in the US did not immediately respond to requests for comment. Beijing authorities have consistently denied engaging in or condoning illegal hacking activities.
The attacks can be traced back to as early as September 2023, when hackers exploited vulnerabilities in REDCap servers. REDCap is a web application widely used by some non-profit organizations to create and manage online surveys and databases.
Researchers pointed out that the hackers used custom malware to steal legitimate REDCap login credentials, thereby gaining access to the target networks. They then set up systems to automatically forward emails matching a list of nearly 150 keywords and search terms to Gmail accounts under their control.
REDCap did not respond to requests for comment.
The preset keywords and search terms included the phone numbers and email addresses of staff at the targeted institutions, as well as terms related to geopolitics, military strategy, advanced technology, and medical research.
Researchers stated that Google ultimately found that multiple US and Canadian institutions had been breached and has notified them individually.