Alleged Chinese agents break into university email servers.

Alleged Chinese agents break into university email servers.

      A suspected Chinese espionage group has been infiltrating university mail servers throughout the United States and Canada, stealing credentials from personnel involved in physics, engineering, and national security research.

      This week, security firm Proofpoint revealed the campaign, tracking the group identified as UNK_MassTraction, which has been active since at least May. The Register provided additional information.

      Proofpoint has recorded fewer than ten universities directly affected but estimates the actual number could be in the dozens. The latest incident occurred in early June, and this activity likely continues.

      One email is sufficient for entry.

      The entry method hinges on a vulnerability in Roundcube, a commonly used webmail platform. Attackers take advantage of a cross-site scripting flaw, CVE-2024-42009, which activates as soon as a target opens a compromised email. This intrusion requires no clicking, attachments, or password inputs.

      The phishing attempts are intentionally unremarkable, with the group sending emails from compromised legitimate accounts and spoofed domains, disguised as marketing or spam. Once a target opens one of these emails in a vulnerable Roundcube inbox, a hidden script activates.

      What it gathers

      That script, referred to as IceCube by Proofpoint, extracts usernames, passwords, session tokens, and cookies directly from the mailbox. It also conducts stealth reconnaissance, recording details such as the victim’s language, screen size, and login form fields.

      The gathered data is then packaged and sent back to the attackers online. Next, the group exploits a second Roundcube vulnerability, CVE-2025-49113, allowing them to deploy a web shell and a Go-based backdoor named VShell, which is favored by various Chinese hacking groups.

      Proofpoint asserts that the mail server serves merely as an entry point. From there, the operators can delve deeper into the university's network.

      Indications point to Beijing.

      While Proofpoint avoids directly naming a specific state, the evidence suggests a connection to China. Greg Lesnewich, a principal threat research engineer, mentioned to The Register that the targeting aligns with Chinese state intelligence interests, particularly in areas like astrophysics, particle physics, and defense-related research.

      The supporting infrastructure strengthens this notion. The servers involved in this campaign operate within a clandestine network utilized by multiple actors aligned with China. In June, the group incorporated a fallback loader that these same factions share, leading Proofpoint to categorize the operator as China-aligned with moderate operational security.

      Universities represent soft yet valuable targets, housing cutting-edge research, fostering international collaboration, and often maintaining less stringent security compared to defense contractors. This combination has made academic networks frequent targets for state-sponsored espionage.

      Significance of this incident

      This campaign highlights the fact that espionage frequently initiates through an email inbox rather than a physical break-in. Proofpoint has been scanning for victims and notifying them in conjunction with government and industry partners. For the researchers whose work was compromised, the solution is straightforward: patch Roundcube and regard every unread email as a potential threat.

Other articles

Researchers compromise GitHub Copilot's safety using a workflow. Researchers compromise GitHub Copilot's safety using a workflow. Researchers at the Alan Turing Institute were able to get GitHub Copilot to generate harmful content that it typically denies in chat, by distributing the request throughout a coding workflow. Britain's reliance on US cloud services has become a billion-pound risk. Britain's reliance on US cloud services has become a billion-pound risk. Almost all public institutions in the UK rely on US hyperscalers, centralizing billions of pounds and essential services in systems that Whitehall cannot fully access. Britain's reliance on US cloud services has now become a billion-pound risk. Britain's reliance on US cloud services has now become a billion-pound risk. Almost all public organizations in the UK rely on US hyperscalers, which centralize billions of pounds and essential services within systems that Whitehall cannot completely oversee. Databento secures $97 million to challenge Bloomberg's terminal. Databento secures $97 million to challenge Bloomberg's terminal. Market data startup Databento has secured $97 million in a Series B funding round led by NEA, expanding its challenge to the Bloomberg terminal into Europe, APAC, and AI laboratories. Block, founded by Jack Dorsey, resolves Cash App fraud allegations with 46 states for $45 million. Block, founded by Jack Dorsey, resolves Cash App fraud allegations with 46 states for $45 million. Block will compensate $45 million to 46 US states for its handling of Cash App fraud, as state regulators step in to fill the void left by the diminished CFPB. Jack Dorsey's Block resolves Cash App fraud allegations with 46 states for $45 million. Jack Dorsey's Block resolves Cash App fraud allegations with 46 states for $45 million. Block will pay $45 million to 46 U.S. states regarding its handling of Cash App fraud, as state regulators step in to fill the gap left by the diminished CFPB.

Alleged Chinese agents break into university email servers.

Proofpoint reports that a group aligned with China is infiltrating mailboxes of universities in the US and Canada by exploiting vulnerabilities in Roundcube to obtain research in physics and defense.