Suspected Chinese agents infiltrate university email servers.

Suspected Chinese agents infiltrate university email servers.

      A suspected Chinese espionage group has been infiltrating university mail servers throughout the United States and Canada, acquiring credentials from personnel in fields such as physics, engineering, and national security research.

      This week, security firm Proofpoint revealed the campaign, identifying the group as UNK_MassTraction and tracing its activities back to at least May. Additional details were reported by The Register.

      Proofpoint has directly detected fewer than ten affected universities, but estimates the actual number may be in the dozens. The latest occurrence was noted in early June, and the activities are likely still ongoing.

      Just one email is sufficient for access. The vulnerability exploited lies within Roundcube, a widely used webmail service. Attackers take advantage of a cross-site scripting flaw, designated CVE-2024-42009, which activates when a target opens a malicious email. This does not require any clicks, attachments, or password entry.

      The phishing attempts are intentionally mundane. The group sends emails from hacked legitimate accounts and spoofed domains, camouflaging them as marketing or spam. Once a target accesses one in a susceptible Roundcube inbox, a concealed script initiates its operations.

      What it captures

      That script, referred to by Proofpoint as IceCube, gathers usernames, passwords, session tokens, and cookies directly from the mailbox. It also conducts discreet reconnaissance, recording the victim's language, screen dimensions, and the elements on their login form.

      The gathered data is then packaged and transmitted back to the attackers online. The group subsequently exploits a second Roundcube vulnerability, CVE-2025-49113, allowing them to insert a web shell and a Go-based backdoor known as VShell, a tool preferred by various Chinese hacking groups.

      According to Proofpoint, the mail server operates more as a launching pad. From there, the operators can navigate deeper into the university network.

      Indications toward Beijing

      While Proofpoint refrains from explicitly naming a state, the evidence suggests a connection to China. Principal threat research engineer Greg Lesnewich mentioned to The Register that the targeting aligns with Chinese state intelligence objectives, particularly emphasizing astrophysics, particle physics, and research associated with national defense.

      The supporting infrastructure lends credibility to this assessment. The servers involved in the campaign exist within a covert network utilized by multiple China-aligned entities. In June, the group incorporated a fallback loader that is shared among these same factions. Proofpoint categorizes the operators as being aligned with China and exhibiting moderate operational security.

      Universities represent soft and valuable targets; they possess cutting-edge research, engage in international collaborations, and typically do not maintain security measures as stringent as those of defense contractors. This combination has rendered academic networks frequent targets for state-sponsored espionage.

      Why it matters

      This campaign emphasizes that espionage increasingly begins within an inbox rather than through physical breaches. Proofpoint has conducted scans for victims and has informed them alongside governmental and industry partners. For the researchers whose work has been compromised, the solution is straightforward: patch Roundcube and consider every unread email as a potential entry point.

Other articles

Suspected Chinese agents infiltrate university email servers.

Proofpoint reports that a group aligned with China is exploiting vulnerabilities in Roundcube to infiltrate mailboxes at universities in the US and Canada, aiming to steal research related to physics and defense.