China‑Linked UNC6508 Operated Within North American Medical Research Networks for Two Years via REDCap Misconfigurations
What Happened — UNC6508, a China‑linked cyber‑espionage group, infiltrated multiple North American medical and military research institutions by exploiting unpatched, legacy deployments of the REDCap research data platform. The actors remained undetected from September 2023 until November 2025, stealing credentials and forwarding internal emails to external Gmail accounts.
Why It Matters for Compliance & Audit Readiness
- The long dwell time highlights gaps in change‑management and configuration‑control processes that SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations) are designed to address.
- Continuous evidence collection of platform versions, patch status, and privileged‑access activity is essential to demonstrate due diligence and maintain a defensible audit trail.
- Mapping REDCap controls to a Trust Center dashboard provides real‑time visibility that satisfies both internal risk programs and external auditors.
Who Is Affected — Healthcare & life‑science research institutions, academic medical centers, and defense health agencies that host REDCap servers.
Recommended Actions
- Inventory all REDCap instances and verify they run supported, fully patched versions.
- Deploy automated monitoring of configuration changes, upgrade processes, and credential‑use anomalies.
- Enforce MFA and least‑privilege access for all REDCap accounts; rotate credentials regularly.
- Document control evidence (patch logs, access logs, change‑request records) to satisfy SOC 2 audit requirements.
Technical Notes — The intrusion vector was a misconfiguration: attackers targeted outdated REDCap deployments lacking recent security patches. No specific CVE was identified, but the custom INFINITERED payload hijacked REDCap’s upgrade mechanism to persist across patches and harvested credentials from the authentication subsystem. Source: Security Affairs