A Chinese-linked espionage group maintained persistent access to North American medical, academic, and military research networks for over a year, stealing sensitive research and defense communications.

The attackers gained initial access through a backdoor planted on REDCap research servers. REDCap, a web application widely used by universities and research institutions to build and manage online surveys and databases, became the entry point for credential harvesting. Once inside victim networks, the group deployed a sophisticated exfiltration technique: they modified Google Workspace email rules on compromised accounts to automatically forward messages to attacker-controlled addresses.

This method proved effective because it leveraged legitimate cloud infrastructure rules rather than extracting data through traditional channels. The forwarding rules remained difficult to detect, as they appeared as normal user configurations within Google Workspace settings. The attackers could harvest email traffic from target accounts without triggering typical data loss prevention alerts.

The campaign targeted institutions conducting sensitive research in defense and medical fields across North America. The lengthy dwell time, exceeding twelve months, indicates the group successfully evaded detection through careful operational security and by blending their activities into normal email administration.

The attack exploits a blind spot in how organizations manage cloud email systems. Most institutions focus security monitoring on external data exfiltration and network-based threats, while changes to internal email rules receive far less scrutiny. Defenders typically assume a compromised account will be used quickly and noisily, but attackers who prioritize stealth can maintain access for extended periods.

Organizations using REDCap or similar research platforms should audit account activity on these servers, enforce multi-factor authentication across research infrastructure, and monitor Google Workspace for suspicious forwarding rules. IT teams should log all email rule changes and alert on modifications made outside normal business hours or from unusual locations. Regular credential rotation for accounts with broad network access remains essential for research institutions managing sensitive data.
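As an added example (not code from the article or from any vendor), the script below turns the two recommendations above into checks a defender can run: it audits a mailbox's forwarding configuration for off-domain targets, and it flags rule changes made outside business hours or from an unknown network. The mailbox inputs follow the shape of the Gmail API `users.settings.getAutoForwarding` and `users.settings.filters.list` responses; the change-event record, the organization domain, the business-hours window, the egress prefix, and all sample values are constructed placeholders, not Google's audit schema.

```python
from datetime import datetime

# Constructed policy values; a real deployment reads these from configuration.
ORG_DOMAINS = {"example.edu"}
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 in the timestamp's own zone
KNOWN_EGRESS_PREFIXES = ("203.0.113.",)  # campus egress, TEST-NET-3 placeholder


def is_external(address):
    """True when the recipient's domain is not owned by the organization."""
    if "@" not in address:
        return True
    return address.rsplit("@", 1)[1].lower() not in ORG_DOMAINS


def audit_forwarding(user, auto_forwarding, filters):
    """Return findings for one mailbox: account-wide auto-forwarding, or any
    filter whose action forwards mail, to an address outside ORG_DOMAINS.

    `auto_forwarding` is shaped like Gmail's AutoForwarding resource
    ({"enabled", "emailAddress", "disposition"}); `filters` like the
    `filter` list in users.settings.filters.list ({"id", "criteria", "action"}).
    """
    findings = []
    if auto_forwarding.get("enabled") and is_external(auto_forwarding.get("emailAddress", "")):
        findings.append({
            "user": user,
            "kind": "auto_forwarding",
            "target": auto_forwarding["emailAddress"],
            "disposition": auto_forwarding.get("disposition"),
        })
    for flt in filters:
        target = flt.get("action", {}).get("forward")
        if target and is_external(target):
            findings.append({
                "user": user,
                "kind": "filter_forward",
                "filter_id": flt.get("id"),
                "criteria": flt.get("criteria", {}),
                "target": target,
            })
    return findings


def audit_change_event(event):
    """Return the reasons a forwarding-rule change deserves an alert.

    `event` uses a constructed shape: {"user", "time" (ISO 8601), "actor_ip",
    "change"}; map your real audit source onto it before calling.
    """
    reasons = []
    when = datetime.fromisoformat(event["time"])
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if not event["actor_ip"].startswith(KNOWN_EGRESS_PREFIXES):
        reasons.append("unknown source network")
    return reasons


# Constructed sample data modelling the technique described above:
# a filter that quietly forwards a mailbox's traffic to an off-domain address.
SUSPECT_AUTOFWD = {"enabled": False}
SUSPECT_FILTERS = [
    {"id": "ANe1Bmi", "criteria": {"to": "researcher@example.edu"},
     "action": {"forward": "drop@exfil.invalid"}},
    {"id": "ANe1Bmj", "criteria": {"from": "noreply@example.edu"},
     "action": {"addLabelIds": ["TRASH"]}},           # benign housekeeping filter
]
BENIGN_AUTOFWD = {"enabled": True, "emailAddress": "shared-inbox@example.edu",
                  "disposition": "leaveInInbox"}     # in-domain forwarding is normal
SUSPECT_EVENT = {"user": "researcher@example.edu",
                 "time": "2024-03-02T02:15:00+00:00",  # a Saturday, 02:15
                 "actor_ip": "198.51.100.23",           # not a campus egress address
                 "change": "filter created"}
BENIGN_EVENT = {"user": "pi@example.edu",
                "time": "2024-03-04T10:00:00+00:00",   # Monday, mid-morning
                "actor_ip": "203.0.113.7",
                "change": "filter created"}

if __name__ == "__main__":
    for finding in audit_forwarding("researcher@example.edu", SUSPECT_AUTOFWD, SUSPECT_FILTERS):
        print("ALERT", finding)
    print("benign mailbox:", audit_forwarding("pi@example.edu", BENIGN_AUTOFWD, []))
    print("suspect event:", audit_change_event(SUSPECT_EVENT))
    print("benign event:", audit_change_event(BENIGN_EVENT))
```

The two checks are deliberately separate: the configuration audit catches rules that already exist (the long dwell time in this campaign means the rule may have been created long before anyone looked), while the event check catches new changes as they happen. Running both against every mailbox, not only privileged ones, matters here because the targeted accounts were ordinary researchers rather than administrators.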

This intrusion demonstrates how state-sponsored groups continue adap