AjiNovaAjiNova
Technology

Google Caught a Chinese Hacking Group That Spent Over a Year Stealing Military and AI Research from the US and Canada

For more than two years, a Chinese-linked hacking group quietly burrowed into universities, hospitals, and military research institutions across the United States and Canada — stealing data on AI development, drone warfare, drug discovery, and Indo-Pacific military strategy. Nobody noticed until Google did. Here's how it happened, what was taken, and what it means for the future of research security in an era of great-power competition.

A
AjiNova
5 min read
Google Caught a Chinese Hacking Group That Spent Over a Year Stealing Military and AI Research from the US and Canada
Photo: Photo by Kevin Ku on Unsplash

Sometime in September 2023, a hacker — or a team of hackers — found a vulnerability in a piece of software most people have never heard of. The software is called REDCap. It's a web application used by universities, hospitals, and nonprofits around the world to build and manage online surveys and research databases. Unglamorous. Widely trusted. Poorly defended.

That vulnerability became a door. And for the next two years, through that door walked one of the most methodical cyberespionage campaigns ever documented against academic and medical research institutions in North America.

Google's Threat Intelligence Group revealed the operation on June 15, 2026, attributing the campaign to a hacking group it calls UNC6508 — a relatively new and previously little-known player in the Chinese-linked cyberespionage landscape. What they found inside those two years of activity was not opportunistic theft. It was a disciplined, patient, intelligence-gathering operation targeting some of the most sensitive research being done in the Western world.

How They Got In — and Stayed In

The entry point was REDCap. Using custom-built malicious software, the hackers exploited vulnerabilities in REDCap servers to steal legitimate login credentials from the targeted institutions. With valid credentials in hand, they looked just like regular users. No alarms. No anomalies. Just quiet, steady access.

What they did next was methodical. The hackers set up an automated email forwarding system — one that monitored incoming and outgoing email at the targeted institutions and automatically redirected any message containing any of nearly 150 pre-set keywords and search terms to a Gmail account they controlled.

Those keywords weren't random. They included phone numbers and email addresses for specific individuals at the targeted organisations. They covered terms related to geo-strategic policy, military strategy in the Indo-Pacific, advanced technology development, and medical research. The operation wasn't casting a wide net and hoping for the best. It was fishing for specific information, using a very specific list of bait.

Google eventually identified multiple compromised organisations across both the US and Canada and notified each of them. The full extent of what was taken — which institutions, which research projects, which individuals — has not been made public. Google declined to name the targeted organisations, saying only that their work collectively spanned drug discovery, clinical trials, public health policy, military readiness, and defence intelligence, and that they collectively employed thousands of people with a combined research budget running into the billions of dollars.

What They Were After

The breadth of the target list tells its own story.

The hackers sought information on defence intelligence and military strategy specifically related to the Indo-Pacific — the geopolitical theatre where US-China tensions are most acute, where Taiwan sits, and where the most significant potential military confrontation of the next decade is most likely to unfold.

They targeted artificial intelligence research — the field that both the US and China have identified as the defining technological competition of the century. Whoever leads in AI capability leads in economic output, military effectiveness, and technological influence. Research stolen from a university lab today could compress years off a competitor's development timeline.

They targeted unmanned vehicles — drones, autonomous systems, the technologies that are already reshaping modern warfare in ways that have been documented in every major conflict of the last four years.

They targeted cyber warfare programmes and medical research — the latter covering everything from drug discovery to pandemic preparedness. Medical research represents both intellectual property worth billions of dollars and, in the case of biodefence work, direct national security value.

Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, noted that while UNC6508 is a relatively new group, the sophistication and patience of the campaign reflects strategic intent rather than opportunistic hacking. This was not criminals looking for financial gain. This was a state-linked operation running a long-term intelligence collection programme.

Why This Matters Beyond the Headlines

Stories about Chinese hackers targeting Western institutions have become almost routine. Salt Typhoon. Volt Typhoon. Silk Typhoon. Each new campaign gets a name, a news cycle, and then fades from public attention as the next one emerges.

The risk in that pattern is normalisation — treating systematic, long-term intellectual property theft as background noise rather than as the accumulation of strategic advantage that it actually represents.

What UNC6508 was doing for over two years was not just stealing information. It was mapping the research landscape of its primary geopolitical rival. It was identifying the people doing the most sensitive work, the institutions where breakthroughs were happening, and the specific projects most likely to deliver strategic value. That intelligence — about who to recruit, who to approach, what to build, what shortcuts exist — has a shelf life measured in decades, not news cycles.

For universities and research hospitals, the operational lesson is uncomfortable but unavoidable: being an academic institution with an open, collaborative culture and a globally connected research network is no longer a shield. In fact, it is increasingly a vulnerability. REDCap is used by thousands of institutions worldwide. The entry point UNC6508 used was not exotic. It was a commonly used research tool with a security gap that nobody had prioritised fixing.

The question worth sitting with is not whether this kind of operation will happen again. It will. The question is whether the institutions that hold the West's most strategically valuable research are investing in their security at anything approaching the rate their adversaries are investing in penetrating it.

Based on the evidence so far, the answer appears to be no.

Tags:Chinese HackersUNC6508CyberespionageGoogle Threat IntelligenceREDCapUS Research SecurityCanada CybersecurityMilitary AIIndo-PacificCyber WarfareAcademic SecurityData TheftNational Security
Article Info
AuthorAjiNova
Read time5 min
CategoryTechnology
A
AjiNova
Published by the AjiNova editorial team. Covering technology, startups, AI, software engineering, and emerging innovation.

Need help building software?

Talk to the AjiNova team about web applications, mobile platforms, AI integrations, and cloud solutions.

Start a ProjectMore Articles
Keep Reading
Chat with us