SecurityXP

Chinese-linked hackers targeted US, Canadian research facilities for a year: Google Threat Alert

· 2 min read · SecurityXP

Between September 2023 and November 2025, the hackers sought information related to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs and medical research, Google’s Threat Intelligence Group said in a report.

The Threat Activity

Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said the hacking group’s methods are broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government.

Scope & Targeting

The earliest known activity tied to the campaign dates to September 2023, when the hackers exploited vulnerabilities in servers running REDCap, a web application widely used by nonprofits to build and manage online surveys and databases. Using custom-built malicious software, the hackers stole legitimate REDCap login credentials to gain access to the targeted networks. The keywords and search terms included phone numbers and email addresses for people at targeted organizations, as well as terms related to geo-strategic policy, military strategy, advanced technology, and medical research.

Analysis

Organizations should review their exposure and apply available mitigations promptly.

Threat intelligence teams should add the described indicators of compromise to their detection rules, hunting playbooks, and SIEM correlation logic. Network defenders should monitor for the described tactics, techniques, and procedures across their environment, focusing on the MITRE ATT&CK techniques referenced in available reporting. Information sharing with industry partners, ISACs, and government agencies can accelerate collective response. Intelligence analysts should assess whether this activity overlaps with previously tracked threat actors or represents a new campaign. Strategic intelligence briefings should be prepared for leadership to communicate business risk and justify security investments.

Industry observers note that this type of development highlights the ongoing need for defense-in-depth strategies and proactive security posture management. Organizations that invest in regular security assessments and employee training tend to fare better when responding to emerging threats. The security community continues to share indicators and best practices to help defenders stay ahead.

Sources

  1. https://economictimes.indiatimes.com/tech/technology/chinese-linked-hackers-targeted-us-canadian-research-facilities-for-a-year-google/articleshow/131747711.cms