China-Nexus Threat Actor Targets North American Medical Research Institutions

The Google Threat Intelligence Group (GTIG) has reported a long-running campaign by UNC6508, a threat actor assessed to be linked to the People's Republic of China, against North American academic, medical, and military research institutions. The actor remained undetected for over a year, compromising internet-facing web applications and deploying custom malware to reach sensitive internal systems.

GTIG has disrupted the infrastructure connected to this threat actor and worked with Mandiant Consulting to notify affected organizations. GTIG also assisted with remediation and updated Google Security Operations (SecOps) so that customers can search their networks for the associated indicators of compromise (IOCs).

Campaign Overview

The targeted entities include prominent clinical providers, academic centers, military health institutions, and regulatory bodies, all engaged in diverse areas of medical research. The earliest known compromise dates to September 2023, when the threat actor compromised REDCap (Research Electronic Data Capture) servers and deployed custom malware, tracked as INFINITERED, to capture login credentials.

After gaining access, UNC6508 used careful operational security to conceal its activity, including abusing the compromised domain's mail content compliance rules to exfiltrate email.

Prevention and Remediation Strategies

GTIG recommends several security measures for organizations to mitigate similar threats:

  • Secure Admin Accounts: Implement phishing-resistant 2-Step Verification (2SV) for administrator accounts.
  • Advanced Protection: Enroll sensitive accounts in advanced protection programs.
  • Prevent Cookie Theft: Use Device Bound Session Credentials (DBSC) so that session cookies are bound to the device and a stolen cookie cannot be replayed to hijack the session.
  • Monitor Audit Logs: Enable audit logs for data changes.
  • Control Data: Establish Data Loss Prevention (DLP) rules to manage sensitive data sharing.
  • Patch REDCap: Ensure REDCap installations are fully updated and remove older versions.

Details of the Compromise

The attack chain began with the exploitation of a REDCap server; INFINITERED was deployed about three months later. The malware quietly recorded user credentials and survived REDCap software upgrades by re-injecting itself during the upgrade process. The threat actor then pivoted to a domain administrator account and created a content compliance rule that forwarded sensitive emails to an attacker-controlled Gmail account.
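The mail-forwarding rule is the kind of change the "Monitor Audit Logs" recommendation above is meant to catch. The following is an added detection example, not code from GTIG's report or from Google: it scans admin audit records for content compliance or routing rule changes that name a recipient outside the organization's own domains. The event and parameter names are assumed to follow the Google Workspace Admin SDK Reports API "admin" application; confirm them against your own log export before relying on the check. The organization domain, the sample records and the external mailbox are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Domains the organisation owns (constructed); any other domain is external.
ORG_DOMAINS = {"example-hospital.org"}

# Admin audit events that record Gmail setting creation or modification.
# Assumed naming from the Admin SDK Reports API; verify against real exports.
MAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
# Settings that can silently copy mail elsewhere: content compliance and routing.
RULE_MARKERS = ("COMPLIANCE", "ROUTING")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    time: str
    actor: str
    setting: str
    external_recipients: Tuple[str, ...]


def external_addresses(text: str) -> Tuple[str, ...]:
    """All addresses in text whose domain the organisation does not own."""
    ext = {a for a in EMAIL_RE.findall(text or "")
           if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS}
    return tuple(sorted(ext))


def find_external_mail_rules(records: Iterable[dict]) -> List[Finding]:
    """Flag compliance/routing rule changes that name an external recipient."""
    findings = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "<unknown>")
        when = rec.get("id", {}).get("time", "<unknown>")
        for ev in rec.get("events", []):
            if ev.get("name") not in MAIL_SETTING_EVENTS:
                continue
            params = {p.get("name"): str(p.get("value", ""))
                      for p in ev.get("parameters", [])}
            setting = params.get("SETTING_NAME", "").upper()
            if not any(m in setting for m in RULE_MARKERS):
                continue
            # Scan every parameter value rather than one named field, so the
            # check does not depend on the exact name of the value parameter.
            ext = external_addresses(" ".join(params.values()))
            if ext:
                findings.append(Finding(when, actor, setting, ext))
    return findings


# Constructed sample log: a benign compliance rule, a rule that forwards to an
# outside mailbox (the report describes a Gmail account; any non-org domain is
# flagged here), and one unrelated admin event.
SAMPLE_LOG = [
    {"id": {"time": "2024-01-10T09:12:00Z"},
     "actor": {"email": "it-admin@example-hospital.org"},
     "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "CONTENT_COMPLIANCE"},
         {"name": "NEW_VALUE",
          "value": "match:'PHI export'; action: add recipient compliance@example-hospital.org"}]}]},
    {"id": {"time": "2024-01-11T02:47:00Z"},
     "actor": {"email": "it-admin@example-hospital.org"},
     "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "CONTENT_COMPLIANCE"},
         {"name": "NEW_VALUE",
          "value": "match:'grant, protocol, trial'; action: add recipient drop.mailbox@external-example.net"}]}]},
    {"id": {"time": "2024-01-11T03:00:00Z"},
     "actor": {"email": "it-admin@example-hospital.org"},
     "events": [{"name": "CREATE_USER", "parameters": [
         {"name": "USER_EMAIL", "value": "newhire@example-hospital.org"}]}]},
]

if __name__ == "__main__":
    for f in find_external_mail_rules(SAMPLE_LOG):
        print(f"{f.time} {f.actor} changed {f.setting} -> external: "
              f"{', '.join(f.external_recipients)}")
```

The check deliberately matches on the setting name and then scans all parameter values for addresses, so it keeps working if the value field is named differently in a given export. Pair it with an alert on any new forwarding recipient at all, even an internal one, for the accounts with domain-admin rights, since the actor here operated from a legitimate administrator account.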

Malware Functionality

INFINITERED operates through three main components:

  • Dropper and Upgrade Interception: Injects malicious code during REDCap upgrades, so the implant carries over into the newly installed version.
  • Credential Harvester: Captures usernames and passwords from login requests.
  • Backdoor: Allows remote command execution via a command and control (C2) mechanism.
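Because the dropper re-injects at upgrade time, the integrity check a practitioner would want is one that runs after every REDCap upgrade and compares the live install with a pristine copy of the same vendor release. The following is an added example, not code from GTIG's report and not REDCap's or INFINITERED's code: it hashes both trees and reports shipped files whose content differs, files the vendor never shipped, and vendor files that are missing. The file names, the vendor tree and the site-local allowlist are constructed; REDCap's real layout differs.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set

# Paths that legitimately differ from the vendor release (site configuration,
# uploads). Constructed allowlist; adapt it to the real deployment.
SITE_LOCAL = {"database.php"}


def snapshot(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests


def diff_against_vendor(install: Dict[str, str], vendor: Dict[str, str],
                        site_local: Set[str]) -> Dict[str, list]:
    """Compare a live install with a pristine vendor copy of the same version.

    tampered: shipped files whose content differs from the vendor copy
    extra:    files present in the install that the vendor never shipped
    missing:  vendor files absent from the install
    """
    tampered = sorted(p for p, h in install.items()
                      if p in vendor and h != vendor[p] and p not in site_local)
    extra = sorted(p for p in install if p not in vendor and p not in site_local)
    missing = sorted(p for p in vendor if p not in install)
    return {"tampered": tampered, "extra": extra, "missing": missing}


def _write(root: Path, files: Dict[str, str]) -> None:
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def run_demo() -> Dict[str, list]:
    """Build a constructed vendor tree and a tampered install, then diff them."""
    vendor_files = {
        "index.php": "<?php require 'app/login.php';\n",
        "app/login.php": "<?php function authenticate($u, $p) { return check_db($u, $p); }\n",
        "app/version.php": "<?php define('APP_VERSION', '2.0');\n",
    }
    install_files = dict(vendor_files)
    # Site-specific config: expected to differ, so it is allowlisted.
    install_files["database.php"] = "<?php $db_host = 'db.internal';\n"
    # Simulated credential harvester: the login path no longer matches the vendor copy.
    install_files["app/login.php"] += "// simulated injected line that copies $u and $p elsewhere\n"
    # Simulated backdoor file dropped where the web server would still execute it.
    install_files["cache/.sess.php"] = "<?php /* simulated backdoor file */\n"

    with tempfile.TemporaryDirectory() as tmp:
        vendor_root, install_root = Path(tmp, "vendor"), Path(tmp, "install")
        _write(vendor_root, vendor_files)
        _write(install_root, install_files)
        return diff_against_vendor(snapshot(install_root), snapshot(vendor_root), SITE_LOCAL)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths or '-'}")
```

Take the pristine copy from the vendor's download, never from the server under suspicion, and keep the allowlist short: a PHP file under a cache or upload directory should always be reported, because a legitimate upgrade never creates one there.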

Operational Security Techniques

UNC6508 employed careful operational security, including routing its activity through obfuscation networks to mask its origin and keep a low profile. This complicated detection and made accurate attribution harder.

Attribution and Threat Assessment

GTIG attributes this campaign to UNC6508 with high confidence, based on the consistent use of the INFINITERED backdoor and the specific targeting of sectors aligned with PRC state-sponsored espionage interests.

Indicators of Compromise (IOCs)

To help organizations hunt for this activity, GTIG's report provides a list of IOCs, including the email addresses and file hashes associated with the malware; they are not reproduced in this summary.

This editorial summary reflects Google and other public reporting on China-Nexus Threat Actor Targets North American Medical Research Institutions.

Reviewed by WTGuru editorial team.