Phishing-resistant MFA could have stopped a Chinese state-sponsored threat actor from spending over a year inside North American academic and medical research networks — and we're going to tell you exactly how it happened and what you need to do about it.
A group called UNC5608, tracked by Google's Threat Intelligence Group (GTIG), exploited a vulnerability unique to REDCap — a research data platform that allows multiple software versions to run simultaneously. They got in via stolen admin credentials, planted custom malware called Infinite.red directly into REDCap's upgrade process, harvested credentials for over a year, then used those credentials to log into Google Workspace as a domain admin and create fake compliance rules to silently forward sensitive research emails — military strategy, geostrategic policy, advanced tech, specific pathogens — straight to Gmail accounts they controlled. And nobody noticed for a very long time.
Prasanna and I break down the full attack chain, then walk through every prevention layer that could have stopped it: inventory management, patching, password hygiene, SSO, phishing-resistant MFA, passkeys, DBSC, context-aware access, compliance rule monitoring, credential separation across security domains, and logging. We also get into what backups can and can't do for you in a long-dwell-time attack like this — and why infrastructure-as-code and truly immutable golden images matter more than you might think.
If you're running any kind of research platform, academic institution, or medical network — or honestly any organization that uses Google Workspace — this one's for you.
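As an added illustration of the "compliance rule for the compliance rule" idea discussed above (example code written for these notes, not from the show, Google, or REDCap), here is a small Python check that scans admin audit events for rule changes that route mail to addresses outside the organization. The event layout, the event names, the parameter keys and the sample events are all constructed for the example; the real Reports API schema differs.

```python
"""Flag Workspace admin-audit events that create or change a mail rule
forwarding messages outside the organization (the pattern behind the fake
"compliance rules" used to exfiltrate research email).
Event layout here is a constructed simplification, NOT the real Reports API schema."""
from dataclasses import dataclass
import re

ORG_DOMAINS = {"research.example.edu"}                           # assumed: org-owned domains
RULE_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}   # assumed event names
DEST_KEYS = ("forward_to", "bcc", "add_recipient")               # assumed destination params
ADDR_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


@dataclass(frozen=True)
class Finding:
    actor: str
    rule_name: str
    external_recipients: tuple


def external_addresses(value):
    """Return e-mail addresses in `value` whose domain is not org-owned."""
    return [a for a in ADDR_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS]


def scan_events(events):
    """Return one Finding per rule event that routes mail to an external address.
    The rule's name is deliberately ignored: an attacker picks a benign-looking one."""
    findings = []
    for ev in events:
        if ev.get("event") not in RULE_EVENTS:
            continue
        params = ev.get("params", {})
        ext = [a for key in DEST_KEYS for a in external_addresses(str(params.get(key, "")))]
        if ext:
            findings.append(Finding(ev.get("actor", "?"), params.get("rule_name", "?"), tuple(ext)))
    return findings


# Constructed sample events: a benign internal archive rule, a rule that silently
# copies keyword-matched mail to a personal Gmail account, and an unrelated event.
SAMPLE_EVENTS = [
    {"actor": "it-admin@research.example.edu", "event": "CREATE_GMAIL_SETTING",
     "params": {"rule_name": "Archive HR mail", "forward_to": "hr-archive@research.example.edu"}},
    {"actor": "pi-admin@research.example.edu", "event": "CHANGE_GMAIL_SETTING",
     "params": {"rule_name": "Compliance review", "match_words": "pathogen",
                "bcc": "review.team.2024@gmail.com"}},
    {"actor": "it-admin@research.example.edu", "event": "CHANGE_USER_PASSWORD", "params": {}},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {f.actor} set rule '{f.rule_name}' routing mail to {f.external_recipients}")
```

In practice the same check runs over the admin audit log feed and pages an owner whenever any rule, whatever its name, gains an external destination.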
Chapters:
00:00 — Intro: The attack that phishing-resistant MFA could have stopped
01:03 — Show intro & woodworking banter
03:26 — What is a living-off-the-land attack?
04:02 — Who is UNC5608 and who did they target?
05:08 — How REDCap's multi-version design was exploited
06:11 — Infinite.red malware and credential harvesting
09:01 — Google Workspace infiltration via fake compliance rules
10:18 — The keywords they were stealing: pathogens, military strategy, and more
11:50 — What could the victims have done differently?
12:42 — Inventory management, patching, and legacy version removal
14:00 — Why you can't trust application-level authentication alone — use SSO
15:18 — Phishing-resistant MFA and why it matters
16:00 — Passkeys, FIDO, and why there are zero known attacks against them
17:57 — Device-bound session credentials (DBSC) and context-aware access
19:38 — Monitor your compliance rules — have a compliance rule for the compliance rule
20:40 — Credential separation across security domains
23:00 — Get some logging — XDR, SIEM, and catching exfiltration in progress
24:00 — What can backups actually do in a long-dwell-time attack?
27:00 — Infrastructure-as-code and the right cyber recovery approach
28:58 — Protecting your golden images with immutable storage
31:59 — Wrap-up