Post by SANS Institute
A PRC-linked group spent more than two years inside North American military and medical research networks before anyone caught it. Google's Threat Intelligence Group published the findings this week. It deserved more attention than it got.

The group, tracked as UNC6508, wasn't fishing broadly. Its collection list covered nearly 150 keywords: defense intelligence, Indo-Pacific operations, AI research, uncrewed systems, offensive cyber programs, and medical research. Military espionage and public health surveillance running through the same institutions simultaneously.

The exfiltration method is the part every SaaS administrator needs to understand. UNC6508 created a content compliance rule in Google Workspace that silently BCC-forwarded emails matching its keyword list to a Gmail account it controlled. No noisy malware on endpoints. A legitimate admin feature turned into a persistent data pipe. That technique works against any university, hospital, or defense contractor running Workspace today.

The initial access came through REDCap servers, a widely used clinical research platform. The custom malware the group deployed, INFINITERED, was built to reinject itself during software upgrades. Patching a compromised server doesn't clean it.

SANS Chief AI Officer Rob T. Lee broke down where AI would and wouldn't have helped defenders, and what every security team should do this week: https://lnkd.in/esw47McC
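The exfiltration technique above leaves a trail in the Workspace admin audit log: creating or changing a Gmail content compliance rule is an admin event, and the rule's new value names the recipient it adds. The following detection is an added example and not code from SANS, Google, or the report; it hunts the Admin SDK Reports API admin-activity records (applicationName "admin") for Gmail setting create/change events whose new value references an email address outside the organization's own domains. The event names CREATE_GMAIL_SETTING and CHANGE_GMAIL_SETTING and the parameter names SETTING_NAME, ORG_UNIT_NAME and NEW_VALUE follow the Admin SDK audit schema, but the text of NEW_VALUE for a compliance rule is an assumption; the sample records are constructed, and the check deliberately depends only on extracting addresses from that text so it tolerates format differences.

```python
"""Hunt Workspace admin audit events for compliance/routing rules that add an
external recipient (the UNC6508 BCC-forwarding technique).

Added example; sample records below are constructed, not real audit data.
In production, feed this the "items" returned by
reports().activities().list(userKey="all", applicationName="admin")
from the Admin SDK Reports API.
"""
import json
import re
from typing import Iterable

# Admin audit events emitted when a Gmail setting (including content
# compliance and routing rules) is created or modified.
GMAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records in the shape of Reports API activity items.
# The NEW_VALUE text is an assumed rendering of a compliance rule.
SAMPLE_ACTIVITIES = [
    {   # malicious: rule BCCs keyword matches to an attacker-controlled Gmail account
        "id": {"time": "2025-11-03T02:14:09.000Z"},
        "actor": {"email": "itadmin@example-uni.edu"},
        "events": [{
            "type": "EMAIL_SETTINGS",
            "name": "CREATE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance - research-archive"},
                {"name": "ORG_UNIT_NAME", "value": "/Research"},
                {"name": "NEW_VALUE", "value": "match any: [uncrewed, indo-pacific, clinical trial] "
                                               "action: add recipient bcc research.archive.2024@gmail.com"},
            ],
        }],
    },
    {   # benign: legal-hold rule copies mail to an internal mailbox
        "id": {"time": "2025-11-03T09:30:00.000Z"},
        "actor": {"email": "itadmin@example-uni.edu"},
        "events": [{
            "type": "EMAIL_SETTINGS",
            "name": "CHANGE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance - legal hold"},
                {"name": "ORG_UNIT_NAME", "value": "/"},
                {"name": "NEW_VALUE", "value": "match any: [subpoena] "
                                               "action: add recipient bcc legal-hold@records.example-uni.edu"},
            ],
        }],
    },
    {   # unrelated admin event, should be ignored
        "id": {"time": "2025-11-04T11:00:00.000Z"},
        "actor": {"email": "itadmin@example-uni.edu"},
        "events": [{
            "type": "USER_SETTINGS",
            "name": "CREATE_USER",
            "parameters": [{"name": "USER_EMAIL", "value": "newhire@example-uni.edu"}],
        }],
    },
]


def _params(event: dict) -> dict:
    """Flatten the Reports API parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _is_internal(domain: str, org_domains: set) -> bool:
    """Treat the org's domains and any of their subdomains as internal."""
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_recipients(new_value: str, org_domains: Iterable[str]) -> list:
    """Return every email address in a setting value whose domain is not ours."""
    org = {d.lower() for d in org_domains}
    found = {a.lower() for a in EMAIL_RE.findall(new_value or "")}
    return sorted(a for a in found if not _is_internal(a.rsplit("@", 1)[1], org))


def find_external_bcc_rules(activities: Iterable[dict], org_domains: Iterable[str]) -> list:
    """Flag Gmail setting changes that introduce an external recipient."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") not in GMAIL_SETTING_EVENTS:
                continue
            p = _params(ev)
            ext = external_recipients(p.get("NEW_VALUE", ""), org_domains)
            if not ext:
                continue
            findings.append({
                "time": act["id"]["time"],
                "actor": act["actor"]["email"],
                "event": ev["name"],
                "setting": p.get("SETTING_NAME"),
                "org_unit": p.get("ORG_UNIT_NAME"),
                "external_recipients": ext,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_external_bcc_rules(SAMPLE_ACTIVITIES, ["example-uni.edu"]), indent=2))
```

Audit logs have a retention window, and a rule created two years ago may predate it, so pair this with a direct review of the rules currently configured under the Gmail compliance settings in the Admin console for every organizational unit, and with Email Log Search for deliveries to any external address the review turns up. A legitimate external archive address can be allow-listed by adding its domain to the org-domains argument.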