Important Security Update: Nation-State Campaign Targeting REDCap Research Platforms

On June 15, Google's Threat Intelligence Group, working with Mandiant, publicly disclosed a nearly two-year espionage campaign by a China-linked threat actor (tracked as UNC6508) against REDCap, the research data capture platform used widely across various academic medical centers, including by teams at Columbia.

The attacker exploited unpatched, outdated REDCap installations to gain entry, then used a custom piece of malware called INFINITERED to maintain long-term, hard-to-detect access. More than a year into the intrusion, the attacker used stolen credentials they had gained to create a hidden email forwarding rule that quietly copied messages containing research and national-security-related keywords to an external account. Confirmed stolen data across affected institutions nationally includes drug discovery research, clinical trial data, public health policy material, and sensitive defense and AI-related research.

Google has not named which specific institutions were compromised, only that affected organizations collectively manage billions of dollars in research funding and that the targeting was deliberate and sustained, not opportunistic.

Where We Stand

We currently have no evidence that CUIMC has been compromised. That said, given how widely REDCap is used at the institution, we are treating this with the seriousness it deserves and have already taken the following steps:

  • Completed a full inventory of every REDCap instance across our environment, active and historic
  • Deployed threat-hunting tools across our systems calibrated to the specific signatures and behavior of this attack
  • Loaded the validated malicious file signatures from this campaign into our endpoint security tools so they are automatically blocked if encountered
  • Built a tracking system to confirm, instance by instance, that patching, access controls, and authentication as well as MFA are at the strongest available standard
  • Engaged Microsoft directly through our enterprise security relationship to obtain the complete threat intelligence picture
  • Reviewing administrative activity logs going  for any signs of unauthorized access

This work is ongoing and is our continued top priority. 

What You Can Do

Our principal investigators, study leads, and students frequently conduct studies that involve collaborators at other institutions who host their own REDCap systems where CUIMC data or research information is entered or shared. Before providing additional CUIMC institutional or research data to a collaborating site's REDCap system, please confirm with that Site Administrators that their environment has been checked against this specific threat and is current on security patching. This campaign went undetected for almost two years precisely because it operated quietly inside systems that looked normal on the surface. We have visibility and control over our own environment; we do not have that same visibility into a partner institution's system, so a quick confirmation from them before sharing further data is an important and reasonable step.

For further actions, do continue using strong, unique credentials and multi-factor authentication on any REDCap account you hold. This alone significantly raises the bar against this type of attack.

Please do not hesitate to reach out to me directly or the CUIMC Information Security team (security@cumc.columbia.edu) if you have any concerns or additional follow-ups.

Tags

red, cap, redcap, google, cuimc
Back to top