Full Report
A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email. The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims' own Google Workspace rules to copy any message
Analysis Summary
# Threat Actor: STIBNITE (Unspecified China-linked Group)
## Attribution & Identity
* **Origin:** China-linked.
* **Classification:** State-sponsored Espionage (APT).
* **Known Associations:** Linked to Chinese intelligence interests, specifically focusing on intellectual property and defense-related research.
## Activity Summary
The actor maintained a persistent presence within North American research networks for over a year. The campaign focused on the long-term exfiltration of sensitive research data and internal communications. The most notable aspects of this campaign were the exploitation of a specific research management platform (REDCap) to gain initial entry and the use of legitimate cloud service configurations to bypass traditional data loss prevention (DLP) systems.
## Tactics, Techniques & Procedures
* **Initial Access - Exploitation of Public-Facing Application:** Leveraged an undisclosed vulnerability or backdoor within REDCap (Research Electronic Data Capture) servers.
* **Credential Access:** Utilized a backdoor on the REDCap servers specifically designed to harvest login credentials from legitimate users.
* **Persistence & Exfiltration - Traffic Signaling/Redirection:** Configured malicious forwarding rules within the victims' **Google Workspace** environments. This allowed the actors to BCC ("blind carbon copy") or redirect sensitive incoming/outgoing emails to actor-controlled accounts.
* **Evasion:** By using the victim's own Google Workspace infrastructure for exfiltration, the actor avoided triggering alerts related to unusual outbound traffic or connections to known malicious Command and Control (C2) IPs.
## Targeting
* **Sectors:** Medical Research, Academic Institutions, Military/Defense Research.
* **Geography:** North America (specifically the United States and potentially Canada).
* **Victims:** Organizations utilizing the REDCap platform for clinical and defense research.
## Tools & Infrastructure
* **REDCap Backdoor:** A custom-built or modified backdoor integrated into the REDCap research server environment used for credential harvesting.
* **Google Workspace Rules:** Leveraging native SaaS administrative/user rules as a "living-off-the-cloud" exfiltration mechanism.
* **Infrastructure:** Actor-controlled email accounts used as drops for intercepted messages (specific addresses are not provided in the summary).
## Implications
* **Strategic Loss:** The theft of academic and medical research provides the Chinese state with a shortcut to technological parity and undermines the competitive advantage of North American research institutions.
* **Supply Chain/Software Concentration:** The targeting of REDCap—a widely used tool in the medical community—demonstrates a calculated move to compromise a "single point of failure" used by multiple high-value targets.
* **Detection Challenges:** The use of native cloud rules for exfiltration highlights a gap in traditional network-centric security monitoring.
## Mitigations
* **Platform Auditing:** Periodically audit REDCap installations for unauthorized code modifications or unusual file changes.
* **SaaS Configuration Monitoring:** Implement alerting for the creation of new mail forwarding or transport rules within Google Workspace/Admin Console.
* **Credential Hygiene:** Enforce Multi-Factor Authentication (MFA) across all research portals to mitigate the impact of harvested credentials.
* **Log Analysis:** Review Google Workspace "Audit Logs" specifically for `edit_forwarding_rule` or `create_filter` events originating from unexpected IP addresses or at unusual times.
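The forwarding-rule technique described under Tactics, Techniques & Procedures and the log review recommended above can be turned into a small detection check. The following is an added example, not code from the report or from Google; it runs over constructed records in the general shape of Admin SDK Reports API activity items (`id.time`, `actor.email`, `ipAddress`, `events[].name`, `events[].parameters`), using the event names quoted in the summary. The `forwarding_to` parameter name, the org domain, the trusted network ranges and the business-hours window are all assumptions to be replaced with the real values of your tenant.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records (not real logs). Event names follow the summary;
# the "forwarding_to" parameter name is an assumption, not a verified field.
SAMPLE_LOG = """
{"id":{"time":"2024-03-04T03:12:45Z"},"actor":{"email":"alice@research.example"},"ipAddress":"203.0.113.77","events":[{"name":"edit_forwarding_rule","parameters":[{"name":"forwarding_to","value":"drop@mail.example.net"}]}]}
{"id":{"time":"2024-03-04T14:02:10Z"},"actor":{"email":"bob@research.example"},"ipAddress":"10.20.0.15","events":[{"name":"create_filter","parameters":[{"name":"forwarding_to","value":"bob.archive@research.example"}]}]}
{"id":{"time":"2024-03-05T15:30:00Z"},"actor":{"email":"carol@research.example"},"ipAddress":"10.20.0.22","events":[{"name":"login_success","parameters":[]}]}
{"id":{"time":"2024-03-06T11:45:00Z"},"actor":{"email":"dave@research.example"},"ipAddress":"10.20.0.31","events":[{"name":"create_filter","parameters":[{"name":"forwarding_to","value":"collector@mail.example.net"}]}]}
"""

ORG_DOMAIN = "research.example"                  # assumed tenant domain
TRUSTED_NETS = [ip_network("10.20.0.0/16")]      # assumed campus / VPN ranges
WATCHED_EVENTS = {"edit_forwarding_rule", "create_filter"}
BUSINESS_HOURS = range(7, 20)                    # assumed, hours in UTC


def analyze(log_text: str) -> list:
    """Return one finding per watched event that looks suspicious."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        ip = ip_address(rec["ipAddress"])
        ts = datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))
        for ev in rec["events"]:
            if ev["name"] not in WATCHED_EVENTS:
                continue
            params = {p["name"]: p["value"] for p in ev.get("parameters", [])}
            dest = params.get("forwarding_to", "")
            reasons = []
            # Forwarding to a mailbox outside the organisation is the core signal.
            if dest and not dest.lower().endswith("@" + ORG_DOMAIN):
                reasons.append("external_destination")
            # The summary recommends checking source IP and time of change.
            if not any(ip in net for net in TRUSTED_NETS):
                reasons.append("untrusted_ip")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            if reasons:
                findings.append({"actor": rec["actor"]["email"], "event": ev["name"],
                                 "dest": dest, "ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed input, the rule-creation by an internal user from a trusted address during the day is left alone, while the two rules that forward to an outside domain are flagged, one of them also for its source address and time.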