Alleged Chinese agents break into university email servers.
A suspected Chinese espionage group has been infiltrating university mail servers throughout the United States and Canada, stealing credentials from personnel involved in physics, engineering, and national security research.
This week, security firm Proofpoint revealed the campaign, tracking the group identified as UNK_MassTraction, which has been active since at least May. The Register provided additional information.
Proofpoint has recorded fewer than ten universities directly affected but estimates the actual number could be in the dozens. The latest incident occurred in early June, and this activity likely continues.
One email is sufficient for entry.
The entry method hinges on a vulnerability in Roundcube, a commonly used webmail platform. Attackers take advantage of a cross-site scripting flaw, CVE-2024-42009, which activates as soon as a target opens a compromised email. This intrusion requires no clicking, attachments, or password inputs.
The phishing attempts are intentionally unremarkable, with the group sending emails from compromised legitimate accounts and spoofed domains, disguised as marketing or spam. Once a target opens one of these emails in a vulnerable Roundcube inbox, a hidden script activates.
What it gathers
That script, referred to as IceCube by Proofpoint, extracts usernames, passwords, session tokens, and cookies directly from the mailbox. It also conducts stealth reconnaissance, recording details such as the victim’s language, screen size, and login form fields.
The gathered data is then packaged and sent back to the attackers online. Next, the group exploits a second Roundcube vulnerability, CVE-2025-49113, allowing them to deploy a web shell and a Go-based backdoor named VShell, which is favored by various Chinese hacking groups.
Proofpoint asserts that the mail server serves merely as an entry point. From there, the operators can delve deeper into the university's network.
Indications point to Beijing.
While Proofpoint avoids directly naming a specific state, the evidence suggests a connection to China. Greg Lesnewich, a principal threat research engineer, mentioned to The Register that the targeting aligns with Chinese state intelligence interests, particularly in areas like astrophysics, particle physics, and defense-related research.
The supporting infrastructure strengthens this notion. The servers involved in this campaign operate within a clandestine network utilized by multiple actors aligned with China. In June, the group incorporated a fallback loader that these same factions share, leading Proofpoint to categorize the operator as China-aligned with moderate operational security.
Universities represent soft yet valuable targets, housing cutting-edge research, fostering international collaboration, and often maintaining less stringent security compared to defense contractors. This combination has made academic networks frequent targets for state-sponsored espionage.
Significance of this incident
This campaign highlights the fact that espionage frequently initiates through an email inbox rather than a physical break-in. Proofpoint has been scanning for victims and notifying them in conjunction with government and industry partners. For the researchers whose work was compromised, the solution is straightforward: patch Roundcube and regard every unread email as a potential threat.
Other articles
Alleged Chinese agents break into university email servers.
Proofpoint reports that a group aligned with China is infiltrating mailboxes of universities in the US and Canada by exploiting vulnerabilities in Roundcube to obtain research in physics and defense.
