Google's threat intelligence analysts spent more than a year watching a PRC-linked group work through North American medical and military research networks, and the search terms the spies typed in the final days of the operation read less like a break-in report and more like a shopping list. Deputy chief analyst Luke McNamara, speaking to The Register, called it a 'grocery shopping list' of targets: defense-adjacent email accounts, drone technology references, and, off-pattern, a mosquito-borne virus that caused an outbreak in China's Guangdong province in July 2025.
Google's Threat Intelligence Group tracks the cluster as UNC6508 and attributes the activity to a PRC-nexus crew, though the company has not publicly tied it to a named unit in the People's Liberation Army or Ministry of State Security. The group hid in victim networks for more than 14 months, according to the report carried by The Register, using custom malware and direct access to Gmail inboxes to read mail rather than exfiltrate whole mail stores.
The interesting part is the texture of the collection. The Register, citing the Google analysis, reports that search and exfiltration terms mixed drone technology, defense-company email patterns, and platform references, alongside queries tied to a mosquito-borne viral disease best known outside public-health circles for the Guangdong outbreak last summer. The mix points to a single intelligence mandate spanning North American defense readiness, dual-use medical research, and public-health surveillance signals.
The targets fit that read. Google said the campaign hit multiple medical and military research organizations across North America, including national, state, and private medical entities, military health institutions, and adjacent advocacy and regulatory bodies. Google declined to name victims or say how many were compromised, so any picture of the operation's reach is built from the search-term trail rather than a victim count.
There is a quiet reminder in the tradecraft. By sitting in mailboxes through tenant access rather than fighting a network edge, the crew turned a hosted productivity suite into an espionage surface independent of how well the perimeter was built. For defenders, that shifts the question from 'did someone get in' to 'who has been reading mail, and for how long.'
What remains opaque is the part that usually anchors a cyber-espionage story: the victim list, the record count, and the full chain of attribution from cluster to a named Chinese government unit. The Register's write-up is the first public account, and it leans on Google for both attribution and tradecraft. The search terms are a real window into priorities. They are also self-selected: a snapshot of what the spies happened to look for, not a full inventory of what they walked out with.