Daylila

Cybersecurity · Tuesday, 16 June 2026

01 · Briefing · what happened

Chinese spies sat inside a research-data platform for over two years — and it touched medicine, the military, and beyond


A state-backed group quietly compromised REDCap, a research-data tool trusted across hospitals, universities, and military health institutions, and stole credentials undetected from 2023 until late 2025.

Google’s threat hunters disclosed on Monday that a previously unknown China-linked group, which they track as UNC6508, had been living inside the networks of US and Canadian research institutions for more than two years before anyone noticed [11][17]. The earliest confirmed break-in dates to September 2023; the group stayed active until it was caught in late 2025 [17][9].

The way in matters more than the headline. UNC6508 did not target each institution one by one. It went after a piece of software almost every research institution depends on: REDCap (Research Electronic Data Capture), a web application built at Vanderbilt University and used across the research world to collect and manage clinical and survey data [17][11]. The group exploited internet-facing REDCap servers, then planted custom code — Google calls it INFINITERED — to harvest the administrative credentials flowing through that trusted layer [17][11].

From there the reach was startling. Google and its Mandiant unit say the affected organisations include “world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies” — places employing thousands of researchers with budgets in the billions [11]. The stolen material spanned medical research, foreign policy, defence technology, and military readiness — a far wider net than spies usually cast from a single foothold [11].

Two details make this more than another breach. First, the group used a quiet exfiltration trick that leaned on legitimate features and ordinary US-based traffic to blend in, rather than noisy malware — which is part of why it sat undetected so long [17]. Second, Google is blunt that what it found is probably “only a fraction of a larger campaign,” and that some suspected compromises are still under investigation [17][11].

For anyone watching from outside the security world, the lesson is not “patch faster,” though patching matters — REDCap shipped several critical fixes back in 2023 [17]. The lesson is what it means when an attacker stops aiming at front doors and aims instead at the shared, trusted foundation that many institutions quietly stand on. When that foundation is the target, every organisation resting on it is exposed at once, and the bill for rebuilding the trust comes years after the trust was spent.

  • A China-linked group sat inside research-institution networks for more than two years (2023 to late 2025) before being found.
  • The way in was REDCap, a research-data platform trusted and used across hospitals, universities, and military health bodies — not any single organisation’s own defences.
  • The stolen data spanned medicine, foreign policy, defence technology, and military readiness, and Google says known victims are likely only a fraction of the campaign.

02 · Lesson · why it matters

The floor everyone stands on, and no one looks down at

Some of the things we trust most are the ones we never see — and when the floor is what gives way, everyone on it falls at once.

The thing they actually attacked

The headline says Chinese spies broke into research institutions. The deeper fact is what they broke into.

They didn’t pick the lock on each hospital, each university, each military lab. They went underneath all of them, to a piece of software those places share: REDCap, the tool researchers use to collect and hold their data.

That tool is a floor. Thousands of institutions built their work on top of it without thinking about it — the way you don’t think about the floor of a building until it cracks.

Trust is something we build things on

We treat trust like a feeling. It is closer to a foundation.

Every institution that used REDCap was, in effect, saying: this layer is sound, so we can put our work on it and get on with the research. That assumption let them move fast. It also meant the assumption was load-bearing.

A foundation you rely on but never inspect is invisible while it holds. You only learn it was holding the whole building up at the moment it fails.

Why hitting the floor reaches everyone

When an attacker aims at a front door, they get one building. When they aim at the floor, they get everyone standing on it — in one move.

That is the difference between this and an ordinary break-in. The spies stole the credentials passing through the shared layer, and from that one position they reached clinical providers, academic centres, military health bodies, and more. Google says the places it found are probably a fraction of the real total.

Nobody was negligent in a way you could point at. Each institution trusted a foundation that the whole field trusted. The shared trust was the strength — and the single thing worth attacking.

The slow, quiet cost of spent trust

Here is the part that doesn’t fit on a clock.

The trust in REDCap took years to build — patch by patch, paper by paper, institution by institution deciding it was sound. The spies spent that trust in seconds, every time a stolen credential let them walk in as if they belonged.

And rebuilding it is slower than either. The group sat undetected for more than two years. Now every institution has to ask not just “are they gone?” but “what did they see, and for how long, and who else was reached through us?” You cannot patch your way back to the certainty you had before you knew. Trust is cheap to spend and expensive to earn back — and the bill arrives long after the spending stopped.

Who is standing on the floor

It is tempting to file this under “spies and labs, not me.”

But the same shape holds up far more than research. The login you use rests on an identity service you never see. Your medical record sits in a system your clinic trusts but didn’t build. The apps on your phone rest on a handful of shared layers underneath, the way those labs rested on REDCap. You are standing on floors too — most of them you have never looked down at.

That isn’t a reason to be afraid of the floor. It is a reason to notice it is there. The people closest to this still don’t know its full size — Google said so plainly. From any single seat, the foundation is mostly out of view; the most honest thing to hold is that the part you can see is smaller than the part you can’t.

03 · Lab · your turn

Build the Floor

Rehearse the trade in trusting a shared foundation — cheaper and stronger together, but one move on the floor reaches everyone standing on it.

04 · Hope · carry this

The same shared foundations that let one attack reach many also let a single team of defenders find the intruder and warn everyone standing on the floor at once.
