Google Cloud Reports Chinese Hackers Breached Workspace to Target Medical and Defense Entities
Google warns that Chinese state-backed hackers cracked Workspace security to target a diverse set of medical, research and defense organizations in an ongoing data theft campaign.
Google Cloud has disclosed that Chinese state-backed hackers successfully compromised Workspace security to target a broad range of medical, research and defense organizations, including national health agencies, state-run hospitals, private clinics, research institutions and defense contractors. The ongoing data theft campaign was detailed in a threat advisory published by Google's Threat Analysis Group.
The attackers bypassed Google Workspace's native protections to gain persistent access to email and document storage systems. Google reported that the campaign has affected entities across multiple countries and that the attackers displayed sophisticated knowledge of cloud security controls.
Campaign targets health and defense sectors
According to Google's advisory, the hackers exploited misconfigurations in Workspace identity and access management policies, then used compromised credentials to move laterally within cloud environments. The attackers focused on exfiltrating sensitive research data, patient records and defense-related communications.
- The campaign has hit a diverse set of national, state and private medical entities across at least three continents.
- Targets include infectious disease research centers, vaccine development labs and military medical units.
- Google attributed the operation to a Chinese government-backed group tracked as UNC3887 by Mandiant.
- The attackers used custom malware to maintain stealthy access over periods of several months.
- Google has notified affected organizations and provided remediation steps.
Cloud security implications for healthcare
The breach highlights the growing risk that cloud infrastructure faces from nation-state actors. Google Workspace is widely used by healthcare providers for email, collaboration and document storage, making it an attractive target for espionage campaigns. The attack exploited legitimate Workspace APIs and single sign-on integrations to avoid triggering alarms.
Google recommends that organizations enforce multi-factor authentication, audit service account permissions, and monitor for anomalous API usage. The company has updated its security intelligence products to detect indicators of compromise linked to this campaign. Cloud security teams in healthcare and defense sectors are advised to review their Workspace deployment configurations immediately.
Fact check
- Chinese state-backed hackers compromised Google Workspace security to target medical, research, and defense organizations. (reported)
- The campaign has affected entities across multiple countries, including national, state and private medical entities. (reported)
- Google attributed the operation to UNC3887, a Chinese government-backed hacking group tracked by Mandiant. (reported)
- The attackers exploited misconfigurations in Workspace identity and access management policies. (reported)