China-Linked Hackers Turn Google Workspace Feature into Quiet Spy Channel for U.S. Research Labs
Security researchers say a China-linked group breached North American research networks via the REDCap survey platform, then abused a legitimate Google Workspace mail-routing rule feature to silently BCC outgoing emails that matched any of nearly 150 targeted keywords to attacker-controlled accounts. The campaign shows how state-backed operators are turning trusted cloud tools into surveillance infrastructure, with scientists and research institutions unknowingly helping exfiltrate their own data.
A feature designed to make corporate email more efficient has been quietly turned into a listening post for espionage. Cybersecurity researchers have disclosed that a China-linked hacking group infiltrated North American research networks via the REDCap survey and data-capture platform, then used Google Workspace's mail-routing rules to automatically blind-carbon-copy any message containing one of nearly 150 targeted keywords to attacker-controlled accounts.
According to the technical analysis, the operators first compromised REDCap instances used by research organizations, software widely deployed in healthcare, academia and scientific collaborations to manage studies and sensitive datasets. Once inside, they harvested credentials and pivoted into the Google Workspace environments where many institutions run email and document services. There, instead of dropping noisy malware, they configured legitimate mail routing rules to deliver a copy of any message matching a long list of terms to addresses they controlled. Rules of this kind live in the Workspace Admin console at the domain or organizational-unit level, so the pivot implies that administrative privileges were obtained, not just access to an individual mailbox.
The people most directly exposed are researchers and staff at the affected institutions: scientists discussing experiments, grant applications, partnerships and potentially export-controlled technologies, as well as administrators handling contracts and compliance. Because the exfiltration rode on top of trusted cloud features and the copies left through the provider's own mail flow, there was no malware, no new process and no unusual outbound connection for endpoint or network tooling to flag. For those institutions, the breach is not just an IT incident; it is a blow to intellectual property protection and, in some cases, to national security oversight.
Strategically, the campaign shows how state‑linked actors are adapting to a world where organizations increasingly outsource core infrastructure to a handful of cloud providers. Rather than relying solely on malware that defenders can detect and block, attackers are abusing built‑in automation systems—features that were designed to help enterprises filter, route and archive communications. By building espionage inside the rules of Google Workspace itself, the attackers turned the target’s own email system into the exfiltration tool.
The use of a nearly 150‑keyword filter is a clue to intent and sophistication. Such lists are typically tuned to capture discussions of specific technologies, projects, or funding programs rather than casting a random net. That suggests a focus on particular research areas, possibly including advanced materials, biotechnology, or dual‑use systems with both civilian and military applications—domains where Western laboratories hold an edge that Beijing has long sought to narrow.
For policymakers, the breach underlines a hardening reality: defending sensitive research is no longer just about air‑gapping defense labs or tightening export‑license checks. Universities and hospitals—places built for openness and collaboration—have become front‑line targets in strategic competition. A single misconfigured survey platform or cloud app can give foreign intelligence services visibility into years’ worth of work, grant pipelines and emerging partnerships.
The attack also places pressure on cloud providers. Google Workspace and similar platforms have advertised powerful automation as a selling point; now that the same tools are being weaponized for espionage, customers will demand better ways to detect and constrain abusive rules without breaking legitimate workflows. Until then the practical check sits with the customer: periodically review Gmail routing and content-compliance rules for recipients outside the organization's own domains, and alert on admin audit log entries that create or modify such rules, since a rule change made by a legitimate admin account is exactly what stolen credentials look like. Quiet surveillance campaigns like this one show that the weakest link may not be the cloud's perimeter, but the trust placed in what happens once you are inside.
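The detection the preceding paragraph calls for, written out as an added example that is not from the original report, from Google or from REDCap: a Python script that scans admin audit log records for Gmail routing or content-compliance rule changes which add recipients outside the organization's domains, or which match an unusually long keyword list of the kind described earlier. The record layout is modeled loosely on the Admin SDK Reports API activity format, but the event names (CREATE_GMAIL_SETTING, CHANGE_GMAIL_SETTING), the setting names, the NEW_VALUE JSON layout and the sample records are all constructed assumptions that must be mapped onto what a real tenant actually emits before the logic is relied on.

```python
"""Flag Google Workspace admin-audit events that add external BCC recipients
to Gmail routing / content-compliance rules, or that carry a very long match list.

Added example. The record layout is modeled loosely on Admin SDK Reports API
activity records, but the event names, parameter names and the NEW_VALUE layout
are ASSUMPTIONS, not a documented schema: map them to your tenant's real logs.
"""
import json
from typing import Iterable

# ASSUMPTION: event and setting names used by your admin audit log may differ.
RULE_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
RULE_SETTINGS = {"CONTENT_COMPLIANCE", "ROUTING"}
# A match list this long looks like collection tasking, not a compliance rule.
KEYWORD_THRESHOLD = 50


def _param(event: dict, name: str):
    """Return the value of a named parameter from an event's parameter list."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def audit_routing_changes(records: Iterable[dict], trusted_domains: set[str]) -> list[dict]:
    """One finding per rule change that copies mail outside trusted_domains or
    matches at least KEYWORD_THRESHOLD expressions. Unrelated events are skipped."""
    findings = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "<unknown>")
        when = rec.get("id", {}).get("time", "")
        for ev in rec.get("events", []):
            if ev.get("name") not in RULE_EVENTS:
                continue
            setting = _param(ev, "SETTING_NAME")
            if setting not in RULE_SETTINGS:
                continue
            try:
                new_value = json.loads(_param(ev, "NEW_VALUE") or "{}")
            except json.JSONDecodeError:
                new_value = {}
            recipients = new_value.get("add_recipients", [])
            external = sorted({r for r in recipients if _domain(r) not in trusted_domains})
            keywords = new_value.get("match_expressions", [])
            reasons = []
            if external:
                reasons.append("copies mail to external recipients: " + ", ".join(external))
            if len(keywords) >= KEYWORD_THRESHOLD:
                reasons.append(f"matches {len(keywords)} keyword expressions")
            if reasons:
                findings.append({"time": when, "actor": actor, "event": ev["name"],
                                 "setting": setting, "rule": new_value.get("name"),
                                 "reasons": reasons})
    return findings


def _record(time: str, actor: str, name: str, setting: str, new_value: dict) -> dict:
    """Build one constructed audit record in the assumed layout."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": [
                {"name": "SETTING_NAME", "value": setting},
                {"name": "NEW_VALUE", "value": json.dumps(new_value)}]}]}


# Constructed sample log: one legitimate archival BCC, one rule of the kind the
# article describes (external BCC plus ~150 keywords), one unrelated admin event.
SAMPLE_RECORDS = [
    _record("2025-01-10T09:12:00Z", "it-admin@lab.example", "CHANGE_GMAIL_SETTING", "ROUTING",
            {"name": "archive-outbound", "add_recipients": ["archive@lab.example"],
             "match_expressions": []}),
    _record("2025-01-11T02:47:00Z", "it-admin@lab.example", "CREATE_GMAIL_SETTING",
            "CONTENT_COMPLIANCE",
            {"name": "compliance-review", "add_recipients": ["review@mail-relay.example.net"],
             "match_expressions": [f"project-{i:03d}" for i in range(148)]}),
    {"id": {"time": "2025-01-11T03:00:00Z"}, "actor": {"email": "it-admin@lab.example"},
     "events": [{"name": "ADD_GROUP_MEMBER", "parameters": []}]},
]
TRUSTED = {"lab.example"}

if __name__ == "__main__":
    for f in audit_routing_changes(SAMPLE_RECORDS, TRUSTED):
        print(f["time"], f["actor"], f["setting"], f["rule"], "; ".join(f["reasons"]))
```

Both sample rule changes are made by the same legitimate admin account, which is the point: with stolen credentials the actor field alone distinguishes nothing, so the alert has to key on what the rule does (where copies go, how broad the match is) rather than on who made it.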
Key signs to watch next include whether additional institutions disclose related compromises, whether Google and REDCap’s maintainers push out new safeguards or alerting features, and how U.S. and Canadian authorities frame the incident—pure cybercrime, or part of a broader pattern of state‑directed collection. The answer will shape how much pressure governments put on research institutions to harden their digital environments, and how seriously they treat cloud misconfigurations not as IT nuisances but as potential national‑security liabilities.
Sources
- OSINT