Chinese Hackers Used Google Workspace Rules to Steal Emails
Robert Moore
A China-linked espionage group hid inside North American medical, academic, and military research networks for over a year, stealing sensitive emails by abusing Google Workspace rules.
The way in was a backdoor on the victims' REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims' own Google Workspace rules to copy any message.
### How the Attack Worked
This wasn't your typical hack. The attackers didn't break in through a front door. Instead, they planted a backdoor on REDCap servers, which are commonly used by researchers to manage clinical trials and studies. Once they had stolen login credentials, they didn't just grab data and run. They did something smarter.
They modified the victims' Google Workspace rules. Think of it like this: you set up your email to automatically forward important messages to your assistant. Now imagine someone silently changes that rule so copies of every email go to them, too. That's exactly what happened here.
- The attackers gained access through compromised REDCap servers.
- They stole login credentials for Google Workspace accounts.
- They altered existing email routing rules to forward sensitive data.
### Why This Matters for Research Networks
Medical and academic institutions hold some of the most valuable data out there. We're talking about research on vaccines, defense technologies, and military strategies. This data is worth millions of dollars, and protecting it is critical.
For over a year, the attackers were inside networks without being detected. That's a long time to siphon information. The victims likely had no idea their own email rules were being used against them. It's a reminder that even trusted tools can be turned into weapons.
### Lessons for Security Professionals
If you're in charge of security for a research organization, this story should hit close to home. Here's what you can do:
- Audit your Google Workspace rules regularly. Look for changes you didn't make.
- Use multi-factor authentication to protect login credentials.
- Monitor for unusual data flows, like unexpected email forwarding.
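One way to turn the first and third points into a repeatable check. This is an added example, not code from the article or from Google: it takes the JSON shapes the Gmail API returns from a user's settings endpoints (`users.settings.filters.list`, `users.settings.forwardingAddresses.list`, `users.settings.getAutoForwarding`), which you would already have pulled with a service account, and flags forwarding to outside domains and filters that forward while hiding the message from the inbox. The mailbox, the trusted domain and every address in it are constructed placeholders.

```python
# Added example: audit one user's Gmail settings for rule-based exfiltration.
# Input shapes follow the Gmail API settings resources; the sample data below
# is constructed and every domain/address is a placeholder.
TRUSTED_DOMAINS = {"example-university.edu"}   # assumption: the org's own domain

# Constructed sample of what the three settings calls return for one user.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": True, "emailAddress": "relay@mail-attacker.invalid",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": [
        {"forwardingEmail": "assistant@example-university.edu", "verificationStatus": "accepted"},
        {"forwardingEmail": "relay@mail-attacker.invalid", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "grants@sponsor.invalid"},
         "action": {"addLabelIds": ["Label_7"]}},
        {"id": "f2", "criteria": {"query": "(vaccine OR trial OR DoD)"},
         "action": {"forward": "relay@mail-attacker.invalid",
                    "removeLabelIds": ["INBOX", "UNREAD"]}},
    ],
}

# A filter that forwards AND strips these labels keeps the victim from noticing.
HIDING_LABELS = {"INBOX", "UNREAD"}

def _external(address, trusted):
    """True if the address's domain is not one of the org's trusted domains."""
    return address.split("@")[-1].lower() not in trusted

def audit_mailbox(settings, trusted=TRUSTED_DOMAINS):
    """Return a list of (severity, detail) findings for one user's settings."""
    findings = []
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and _external(auto.get("emailAddress", ""), trusted):
        findings.append(("high", f"auto-forward to external {auto['emailAddress']}"))
    for fa in settings.get("forwardingAddresses", []):
        if _external(fa["forwardingEmail"], trusted):
            findings.append(("medium", f"external forwarding address registered: {fa['forwardingEmail']}"))
    for f in settings.get("filters", []):
        action = f.get("action", {})
        target = action.get("forward")
        if not target:
            continue            # filters that only label or archive are not forwarding
        hides = HIDING_LABELS & set(action.get("removeLabelIds", []))
        sev = "high" if hides or _external(target, trusted) else "low"
        detail = f"filter {f['id']} forwards to {target}"
        findings.append((sev, detail + (" and hides it from the inbox" if hides else "")))
    return findings
```

Run it over every mailbox in the domain on a schedule and diff the results against the previous run; a newly registered external address or a new forwarding filter is the change you "didn't make" that the audit above is meant to catch.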
I've seen too many teams focus on external threats while ignoring internal misconfigurations. This attack shows that a simple rule change can be more dangerous than a brute-force attempt.
### The Bigger Picture
This espionage group was patient. They didn't rush. They waited for the right moment to strike, and they used the victims' own systems against them. It's a sobering thought for anyone who thinks their network is secure.
For professionals using antidetect browsers, this is a wake-up call. Your browser might hide your digital fingerprints, but it won't protect you from compromised accounts. You need a layered approach: strong passwords, regular audits, and a healthy dose of skepticism.
In the end, the best defense is awareness. Know what your systems are doing, and don't assume they're safe just because they're familiar.