Chinese Hackers Compromise REDCap Servers, Exfiltrate Medical Research Data
What Happened — A China‑linked espionage group (UNC6508) exploited outdated REDCap installations at a North‑American medical research institution, deployed the custom “InfiniteRed” malware, harvested credentials, and used a forged “content compliance rule” to email‑exfiltrate research data. The foothold persisted from September 2023 until November 2025 before detection.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a failure of SOC 2 Privacy controls (CC6.1, CC6.2) – unencrypted credential storage and lack of monitoring for anomalous data‑exfiltration mechanisms.
- Highlights the need for continuous evidence that data‑classification, consent, and DSAR processes are enforced, especially when third‑party research platforms are used.
- Directly maps to Verisq’s CookiePLUS Privacy capability, which provides automated consent tracking, DSAR readiness, and audit‑ready evidence of privacy‑control enforcement.
Who Is Affected – Academic medical centers, biotech research labs, pharmaceutical R&D groups, and any organization that deploys REDCap for clinical or scientific studies.
Recommended Actions
- Patch REDCap to the latest supported version and retire unsupported releases.
- Enforce MFA and rotate all stored REDCap credentials; audit database tables for unauthorized credential hashes.
- Deploy monitoring for creation of “content compliance rules” or similar automation that can trigger outbound email.
- Conduct a privacy impact assessment (PIA) and update DSAR procedures to reflect the new data‑flow risk.
- Capture continuous evidence of these controls for SOC 2 audit readiness.
Technical Notes – The initial vector appears to be probing of vulnerable REDCap versions (no specific CVE disclosed). InfiniteRed includes a persistence module, credential harvester, and backdoor that receives commands via HTTP cookies. Exfiltration leveraged a legitimate “content compliance rules” feature to BCC data to an external Gmail address. Source: BleepingComputer