Phishing-resistant MFA could have stopped a Chinese state-sponsored attack that stole sensitive research data from academic & medical institutions for over a year.
A threat actor called UNC5608 — tracked by Google's Threat Intelligence Group — exploited REDCap, a research data platform used widely in academic and medical institutions. REDCap has a unique design that allows multiple software versions to run simultaneously, and the attackers used that against the victims. They got in via stolen admin credentials, planted custom malware called Infinite.red directly into REDCap's upgrade process, and quietly harvested credentials for over a year.
Then they used those credentials to log into Google Workspace as a domain admin and created fake compliance rules — they named one "Patriot" (and yes, they misspelled it) — to silently BCC-forward sensitive emails to Gmail accounts they controlled. The keywords they were filtering for? Military strategy, geostrategic policy, advanced tech, and specific pathogens, including one linked to a Chinese outbreak. And nobody caught it for a very long time.
Prasanna and I break down the full attack chain and then walk through every single prevention layer that could have interrupted it at multiple points — and there were a lot of them.
If you're not doing phishing-resistant MFA everywhere you possibly can right now, this episode will light a fire under you. We also get into passkeys and FIDO (spoiler: there are zero known attacks against FIDO-compliant passkeys), device-bound session credentials (DBSC), context-aware access, SSO, credential separation across security domains, compliance rule monitoring, and logging.
And because this is the Backup Wrap-Up, we don't let our hosts off the hook without asking the big question: what can backups actually do for you in a long-dwell-time attack like this? The answer is nuanced — and we get into why infrastructure-as-code and truly immutable golden images matter as much as your backup strategy does.
If you run academic networks, medical research systems, or honestly any organization using Google Workspace, this one is required viewing.
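The "monitor your compliance rules" layer from the episode, as an added example that is not the show's or Google's code: it audits an exported list of mail routing rules and flags the pattern described above (a rule outside the approved baseline that BCCs keyword-matched mail to an external consumer mailbox). The `Rule` record shape, the org domain and the sample export are all assumptions constructed for the example; Google Workspace has no public API in this shape.

```python
from dataclasses import dataclass, field

ORG_DOMAINS = {"example.edu"}          # assumption: the org's own mail domains
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

@dataclass
class Rule:
    """Assumed shape of one exported routing/compliance rule (not a real API)."""
    name: str
    match_keywords: list
    bcc_to: list = field(default_factory=list)   # "also deliver to" recipients
    created_by: str = ""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def audit_rules(rules, sensitive_terms, approved_names):
    """Return [(rule name, [reasons])] for rules that need a human look."""
    findings = []
    for r in rules:
        reasons = []
        if r.name not in approved_names:
            reasons.append("not in approved baseline")
        ext = [a for a in r.bcc_to if domain(a) not in ORG_DOMAINS]
        if ext:
            reasons.append("BCC to external: " + ", ".join(ext))
        if any(domain(a) in CONSUMER_DOMAINS for a in ext):
            reasons.append("consumer mailbox as recipient")
        hits = [k for k in r.match_keywords if k.lower() in sensitive_terms]
        if hits and ext:
            reasons.append("sensitive-topic mail leaves the org: " + ", ".join(hits))
        if reasons:
            findings.append((r.name, reasons))
    return findings

# Constructed sample export: two legitimate rules and one that mirrors the attack.
SAMPLE_RULES = [
    Rule("Legal hold", ["subpoena"], ["legal@example.edu"], "it-admin@example.edu"),
    Rule("Patriot", ["military strategy", "pathogen"], ["collector123@gmail.com"]),
    Rule("DLP notice", ["ssn"], [], "it-admin@example.edu"),
]
SENSITIVE = {"military strategy", "pathogen", "geostrategic policy"}
APPROVED = {"Legal hold", "DLP notice"}   # baseline reviewed by the mail admins

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, SENSITIVE, APPROVED):
        print(f"{name}: {'; '.join(reasons)}")
```

Run it on a periodic schedule against a fresh export and alert on any finding; a rule that appears with no change ticket is the signal, whatever it is named.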
🔔 Subscribe so you don't miss episodes like this one.
📖 Curtis and Dr. Mike Saylor literally wrote the book on this: Learning Ransomware Response & Recovery — link below.
🔗 Learning Ransomware Response & Recovery (O'Reilly): https://www.oreilly.com/library/view/learning-ransomware-response/9781098169572/
🔗 Learning Ransomware Response & Recovery (Amazon): https://www.amazon.com/Learning-Ransomware-Response-Recovery-Stopping/dp/1098169581
🌐 StopRansomware.com: https://www.stopransomware.com
🎙️ BackupCentral.com: https://www.backupcentral.com
00:00 Intro: The attack phishing-resistant MFA could have stopped
01:03 Show intro & woodworking banter
03:26 What is a living-off-the-land attack?
04:02 Who is UNC5608 and who did they target?
05:08 How REDCap's multi-version design was exploited
06:11 Infinite.red malware and credential harvesting
09:01 Google Workspace infiltration via fake compliance rules
10:18 The keywords they were stealing: pathogens, military strategy & more
11:50 What could the victims have done differently?
12:42 Inventory management, patching & legacy version removal
14:00 Why application-level authentication alone isn't enough — use SSO
15:18 Phishing-resistant MFA and why it matters
16:00 Passkeys, FIDO & zero known attacks
17:57 Device-bound session credentials (DBSC) & context-aware access
19:38 Monitor your compliance rules
20:40 Credential separation across security domains
23:00 Get some logging — XDR, SIEM & catching exfiltration
24:00 What backups can and can't do in a long-dwell-time attack
27:00 Infrastructure-as-code & the right cyber recovery approach
28:58 Protecting golden images with immutable storage
31:59 Wrap-up