What did Google find about Chinese-linked hackers?
Google's Threat Intelligence Group reported on June 15, 2026 that a Chinese-linked hacking group spent more than a year secretly stealing data from US and Canadian research institutions. The group, which Google calls UNC6508, is described as a relatively new and little-known cyberespionage player. The targeted institutions covered academic, medical, and military research.
Google did not name the specific organizations. It said their work ranged from drug discovery and clinical trials to public health policy and military readiness. Collectively, these organizations employ thousands of people and carry a combined research budget running into the billions of dollars.
When did the UNC6508 campaign begin and end?
The campaign ran from September 2023 to November 2025 — more than 14 months. According to Google's report, the earliest known activity dates to September 2023, when hackers exploited vulnerabilities in servers running REDCap. REDCap is a web application widely used by nonprofits to build and manage online surveys and databases.
The hackers used custom-built malicious software to steal legitimate REDCap login credentials. That gave them access to the targeted networks.
How did UNC6508 operate inside the networks?
Once inside, the group set up a system to automatically forward emails to a Gmail account they controlled. The forwarding was triggered by any of nearly 150 keywords and search terms. Those terms included phone numbers and email addresses for people at targeted organizations, as well as topics related to geo-strategic policy, military strategy, advanced technology, and medical research.
The attackers did not run a smash-and-grab operation: they maintained quiet, persistent access for over a year before being detected.
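A defender-side check for the forwarding behaviour described above, as an added example that is not from Google's report: it reviews a mailbox-rule inventory for rules that forward outside the organization, especially to consumer webmail accounts and with large keyword trigger lists. The rule schema, the domain list, and the keyword threshold are assumptions made for illustration.

```python
import re

# Assumptions for this example: the consumer domains and threshold; tune both.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def review_rule(rule, internal_domains, keyword_threshold=25):
    """Return a list of reasons a forwarding rule deserves analyst review."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in internal_domains]
    if not external:
        return reasons  # internal-only forwarding is out of scope here
    reasons.append("forwards outside the organization")
    if any(domain_of(a) in CONSUMER_DOMAINS for a in external):
        reasons.append("destination is a consumer webmail account")
    keywords = rule.get("keywords", [])
    if len(keywords) >= keyword_threshold:
        reasons.append(f"large keyword trigger list ({len(keywords)} terms)")
    if any(EMAIL_RE.match(k) or PHONE_RE.match(k) for k in keywords):
        reasons.append("triggers include personal identifiers (email/phone)")
    return reasons

def audit(rules, internal_domains):
    findings = {}  # rule name -> reasons, only for rules with findings
    for rule in rules:
        reasons = review_rule(rule, internal_domains)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample rules (hypothetical schema, not any product's export format).
SAMPLE_RULES = [
    {"name": "team-archive", "forward_to": ["archive@example.org"],
     "keywords": ["invoice"]},
    {"name": "sync-helper", "forward_to": ["collector@gmail.com"],
     "keywords": [f"topic-{i}" for i in range(140)]
                 + ["j.doe@example.org", "+1 555 0100"]},
    {"name": "vendor-cc", "forward_to": ["ops@partner.example"],
     "keywords": ["purchase order"]},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES, {"example.org"}).items():
        print(name, "->", "; ".join(reasons))
```

A rule that trips all four checks, like the constructed `sync-helper` rule, is the pattern to escalate first; a single "forwards outside the organization" finding usually just needs an owner to confirm it.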
What data did the hackers target?
Google said the hackers sought information in several specific areas:
- Defence intelligence
- Military strategy in the Indo-Pacific
- Artificial intelligence
- Unmanned vehicles
- Cyber warfare programmes
- Medical research
Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, said UNC6508's methods are "broadly consistent with Chinese-linked hacking activity seen over many years, focused on gathering information likely to be of interest to the Chinese government."
Google eventually identified multiple compromised organizations across the US and Canada and notified each of them.
What did CrowdStrike report separately about Chinese AI espionage?
CrowdStrike published its own findings on June 10, 2026. The cybersecurity firm said Chinese entities accounted for more than 58% of all state-sponsored targeted cyberattacks aimed at tech companies. The focus of those attacks was AI assets and intellectual property.
CrowdStrike's analysis covered the 12 months ending March 31, 2026. The firm said Chinese-affiliated attackers also targeted government communications in Southeast Asia and "maintained persistent access" to North American tech organizations by exploiting vulnerabilities.
"China-nexus adversaries are escalating espionage against technology organizations to steal the AI capabilities and intellectual property they cannot build fast enough on their own," CrowdStrike said in a statement.
How does this connect to US chip restrictions on China?
US restrictions on China's access to AI training chips have limited Beijing's ability to develop AI domestically. CrowdStrike framed the cyberattacks as part of Beijing's effort to narrow the technology gap with the US. The chip restrictions are a direct backdrop to why Chinese entities are targeting AI intellectual property abroad.
Earlier in 2026, US AI companies Anthropic and OpenAI complained that Chinese firms had extracted competitive intelligence from them. This connects to broader concerns about Anthropic's export controls and the ongoing tension over AI model access. For context on how chip supply chains factor into this competition, see our earlier coverage of Nvidia's China sales.
Timeline of key events
| Date | Event |
|---|---|
| September 2023 | UNC6508 begins exploiting REDCap vulnerabilities in US/Canadian institutions |
| November 2025 | UNC6508 campaign ends; group detected |
| March 31, 2026 | End of CrowdStrike's 12-month analysis window |
| June 10, 2026 | CrowdStrike publishes report: Chinese entities behind 58%+ of AI-targeted state attacks |
| June 15, 2026 | Google Threat Intelligence Group publishes UNC6508 findings |
Who responded to these reports?
The Chinese Embassy in Washington did not immediately respond to a request for comment on the Google findings. Beijing regularly denies carrying out or condoning illicit hacking activity. China's Cyberspace Administration also did not immediately respond to CNBC's request for comment on the CrowdStrike report. REDCap did not respond to a request for comment.
The broader pattern of AI intellectual property theft is drawing attention across the industry. Builders and founders tracking AI competitive dynamics should note that research infrastructure — not just commercial tech companies — is now a confirmed target.
Google said it notified each of the compromised US and Canadian organizations it identified.
