Chinese government spies remained hidden in the networks of multiple North American medical and military research organizations for more than a year, deploying custom malware, snooping through Gmail inboxes, and stealing sensitive data.
This PRC-nexus espionage crew, which Google tracks as UNC6508, used some particularly noteworthy search terms as they were scanning for data to steal. They included such esoteric topics as drone technology and a viral disease that spreads from mosquitoes to humans.
“It’s one of the most interesting grocery shopping lists of things to collect that I’ve seen from a state-sponsored actor,” Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, told The Register.
“We have defense-related activity, which was a significant bulk of the different terms, or emails related to defense platform systems or companies,” McNamara said. “Some of those were looking for any emails that were coming in or going out that used @ and then a big defense name. Others were specific email addresses of individuals at more niche defense companies.”
…
While most of the terms related to defense and technology, the intruders also searched for some medical research facilities – and the very specific pathogen, “Chikungunya,” a viral disease transmitted to humans from mosquitoes that was responsible for an outbreak in China’s Guangdong province in July 2025.
Google won’t say how many organizations were compromised in this campaign. A Monday report said the operation targeted several national, state, and private medical entities.
“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” according to the report. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”
…
Incident responders first detected this campaign in early 2025, but told us it dates back to at least 2023. And all of these attacks began with the digital intruders somehow exploiting externally facing REDCap (Research Electronic Data Capture) servers. These servers are primarily used by universities, hospitals, and research institutions to build and manage online databases and surveys, and to store sensitive clinical research data.
The earliest known intrusion happened in September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution. McNamara told us that all of the intrusions followed this same pattern.
…
Why is anonymized clinical research data being held privately in the first place? The idea that we will let other entire civilizations suffer longer or worse so that we can maintain an economic competitive edge is pure sociopathic insanity.
The same thing happened at Chernobyl. We knew the reactor design was wrong, but we did not warn the Soviets. Many people, except my nuclear engineer professor who told us about it, don’t mention that detail.
That is a relatively common narrative, but it’s not factual.
The West most certainly did a great many things to damage and discredit the Soviet Union, but this was not among them. I’m not sure who you mean by “we”, but there is no credible evidence to support the claim that ANY foreign government had that level of intelligence on the RBMK reactor design prior to the international cleanup effort.
If only the Western governments were engaged in espionage towards public health ends. Instead they are collaborators attacking the very basis of collective health.
Hey CIA, NSA, why not hack some information about screw worms?! Or some vaccines?
Why did they hide in Google stuff? The Google will just give all the information for less than what it takes to actually do the work to get in.



