EXECUTIVE SUMMARY:
A cyber espionage campaign tracked as UNC6508 has been targeting organizations involved in academic, medical, military, artificial intelligence, cyber, and national defense research. The campaign focused on institutions conducting high-value research and innovation, with the attackers maintaining long-term access to compromised environments in order to collect sensitive intellectual property, strategic research data, and operational information. It demonstrates a sustained interest in acquiring information that could support technological advancement and strategic objectives.
The attackers initially gained access by exploiting internet-facing research data management platforms and web applications. Following compromise, they deployed custom malware to harvest credentials, move laterally across networks, and access sensitive internal systems. The campaign leveraged tailored malware components, credential theft mechanisms, and abuse of enterprise administration features to facilitate covert data exfiltration. In several instances, email management and compliance functions were manipulated to automatically forward messages containing predefined keywords related to defense, medical research, artificial intelligence, cyber operations, and other strategic subjects to attacker-controlled accounts, enabling continuous intelligence collection while avoiding detection.
This campaign demonstrates how advanced threat actors continue to target research institutions that possess strategically significant intellectual property and sensitive information. By combining exploitation of public-facing applications, credential theft, custom malware deployment, and abuse of trusted administrative tools, the attackers were able to sustain long-term access and collect valuable data. Organizations engaged in research, healthcare, defense, and technology development should strengthen access controls, continuously monitor privileged activities, secure externally exposed systems, and implement robust threat detection capabilities to reduce the risk of similar intrusions.
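The email-forwarding abuse described above (ATT&CK T1114.003) leaves a clear trace: a rule that copies or redirects keyword-matched mail to an address outside the organization. The detector below is an added example written for this summary, not code from the report or from the referenced vendors. Its input records are constructed JSON lines whose field names (`Operation`, `Parameters`, `ForwardTo`, `SubjectContainsWords`, and so on) are assumptions modelled loosely on Exchange rule cmdlet parameters; map them to your own audit schema before use. It goes slightly beyond the text by also scoring blanket external forwarding with no keyword filter, and by raising severity when the rule deletes the original message.

```python
"""
Added example: flag mailbox and transport rules that auto-forward
keyword-selected mail to external recipients (the T1114.003 pattern
described in the summary). Field names and sample records are
assumptions constructed for this example, not real telemetry.
"""
import json
import re

# Subject-matter keywords called out in the report; extend for your organisation.
SENSITIVE_KEYWORDS = (
    "defense", "defence", "military", "medical", "clinical",
    "artificial intelligence", "machine learning", "cyber", "research",
)

# Rule parameters that copy or redirect mail (assumed field names, modelled on
# Exchange cmdlet parameters), and the parameters that carry keyword conditions.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "BlindCopyTo", "CopyTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule")

# Constructed audit records (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = """\
{"Operation":"New-InboxRule","UserId":"alice@lab.example","Parameters":{"Name":"sync","SubjectContainsWords":["defense","AI model"],"ForwardTo":["collector@mail-drop.example.net"],"DeleteMessage":true}}
{"Operation":"New-TransportRule","UserId":"admin@lab.example","Parameters":{"Name":"Compliance copy","SubjectOrBodyContainsWords":["clinical trial","cyber"],"BlindCopyTo":["archive@mail-drop.example.net"]}}
{"Operation":"New-InboxRule","UserId":"bob@lab.example","Parameters":{"Name":"ooo","ForwardTo":["carol@lab.example"]}}
{"Operation":"Set-InboxRule","UserId":"dave@lab.example","Parameters":{"Name":"mirror","RedirectTo":["dave.personal@webmail.example.com"]}}
{"Operation":"MailItemsAccessed","UserId":"erin@lab.example","Parameters":{}}
"""


def parse_event(line):
    """Parse one JSON audit line into a dict; returns None for blank or unparseable lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def is_external(address, internal_domains):
    """True when the recipient's domain is not one of the organisation's own domains."""
    _, _, domain = address.rpartition("@")
    return domain.lower() not in internal_domains


def matched_keywords(params):
    """Return the sensitive keywords that appear in the rule's keyword conditions."""
    words = []
    for p in KEYWORD_PARAMS:
        words.extend(params.get(p, []))
    text = " ".join(words).lower()
    return sorted(k for k in SENSITIVE_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text))


def evaluate_rule(event, internal_domains):
    """Score one rule creation/modification event; returns a finding dict or None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = event.get("Parameters", {})
    external = [
        addr for p in FORWARDING_PARAMS for addr in params.get(p, [])
        if is_external(addr, internal_domains)
    ]
    if not external:
        return None  # internal-only forwarding is out of scope for this detector
    keywords = matched_keywords(params)
    # Keyword-selected mail leaving the organisation is the campaign's collection
    # pattern; blanket external forwarding still merits review.
    severity = "high" if keywords else "medium"
    if params.get("DeleteMessage"):
        severity = "critical"  # original removed from the mailbox, hiding the forwarding
    return {
        "user": event.get("UserId"),
        "operation": event["Operation"],
        "rule": params.get("Name"),
        "external_recipients": external,
        "keywords": keywords,
        "severity": severity,
    }


def scan(lines, internal_domains=("lab.example",)):
    """Run the detector over an iterable of JSON lines; returns findings in input order."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = evaluate_rule(event, internal)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']}] {f['user']} {f['operation']} '{f['rule']}' "
              f"-> {f['external_recipients']} keywords={f['keywords']}")
```

Run against the constructed records, the detector reports three findings: the keyword-filtered rule that also deletes originals (critical), the transport rule blind-copying clinical and cyber mail off-domain (high), and the blanket redirect to a personal webmail address (medium); the internal out-of-office forward and the non-rule event are ignored. Pair this with alerting on transport-rule and compliance-policy changes by privileged accounts, since the report notes those administrative features were abused rather than only per-user inbox rules.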
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Persistence | T1554 | Compromise Host Software Binary | - |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1114.003 | Email Collection | Email Forwarding Rule |
| Collection | T1213.006 | Data from Information Repositories | Databases |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/unc6508-cyber-espionage-infinitered-malware/
https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research/