    Hackers Secretly Forwarded Emails for a Year. Here's How to Stay Safe

    Chinese hackers used stolen passwords and hidden email forwarding rules to secretly copy research and defense emails for over a year.

    Source: GetCyberRight Intelligence

    Original headline: Chinese Hackers Abuse Email Forwarding Rules

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Monday, June 15, 2026

    What Happened

    Chinese government-linked hackers spent over a year inside research and defense networks, silently forwarding every email to addresses they controlled. Google confirmed the attack worked through stolen passwords and a simple email feature most people never check: automatic forwarding rules. Medical research, defense communications, and sensitive data flowed directly to the attackers without anyone noticing.

    The Details

    This attack was brilliantly simple. Hackers first stole login credentials from research servers, likely through phishing or exposed passwords. Once inside, they logged into victims' Google Workspace accounts just like the real users would. No alarms went off because the credentials were legitimate.

    Here's where it gets sneaky. Instead of downloading files or sending suspicious emails, the attackers created automatic forwarding rules. Every email the victim received was instantly copied to an attacker-controlled address. The original emails stayed in the inbox, so victims had no idea anything was wrong. This went on for months.

    The attackers targeted specific groups: medical researchers, defense contractors, and academic institutions. They weren't after credit cards or social media passwords. They wanted intellectual property, research data, and government communications. The kind of information that takes years to develop and can't be replaced.

    Who Is Affected

    If you work in research, healthcare, defense, or higher education, this attack pattern should concern you. These hackers specifically targeted people with access to valuable intellectual property. Your work email could be an entry point to sensitive organizational data.

    But this isn't just a workplace problem. The same technique works on personal Gmail accounts, Outlook, and other email services. Anyone with email forwarding capabilities could become a target. If your personal email connects to work systems or contains sensitive family information, you're potentially vulnerable.

    What You Should Do Right Now

    1. Check your email forwarding settings today. In Gmail, go to Settings, then "Forwarding and POP/IMAP." Make sure no unexpected addresses appear. In Outlook, check Rules under Settings. Delete anything you don't recognize.

    2. Turn on two-factor authentication for all email accounts. Stolen passwords become worthless when accounts require a second verification step. Use your phone, an authenticator app, or a security key.

    3. Review your account's recent login activity. Gmail shows this under "Last account activity" at the bottom right. Outlook shows it in Security settings. Look for unfamiliar locations or devices.

    4. Change your email password if you've used the same one for years. Make it unique and strong. Don't reuse passwords from other accounts.

    5. Check if your credentials have been exposed in data breaches. Knowing your passwords are compromised is the first step to protecting yourself.
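
For administrators, the forwarding-settings check above can be run across many mailboxes at once. The following is an added example, not code from the original report or from Google. It assumes each mailbox's settings were already exported as JSON in the shape of the Gmail API `users.settings` resources (`autoForwarding`, `filters`, `forwardingAddresses`); the mailboxes, domains and function names are constructed for illustration.

```python
# Added example. Constructed sample data in the shape of Gmail API users.settings resources.

def is_external(address, org_domains):
    """True if the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains

def audit_mailbox(user, settings, org_domains):
    """Return (user, kind, destination, detail) findings for one mailbox."""
    findings = []
    auto = settings.get("autoForwarding", {})
    dest = auto.get("emailAddress", "")
    if auto.get("enabled") and dest and is_external(dest, org_domains):
        # leaveInInbox keeps the original in place, so the user sees nothing odd
        findings.append((user, "auto-forward", dest, auto.get("disposition", "")))
    for flt in settings.get("filters", []):
        dest = flt.get("action", {}).get("forward", "")
        if dest and is_external(dest, org_domains):
            findings.append((user, "filter-forward", dest, str(flt.get("criteria", {}))))
    for addr in settings.get("forwardingAddresses", []):
        dest = addr.get("forwardingEmail", "")
        if dest and is_external(dest, org_domains):
            # A verified external address can be switched on later without re-verification
            findings.append((user, "registered-address", dest,
                             addr.get("verificationStatus", "")))
    return findings

def audit_all(mailboxes, org_domains):
    """Audit every mailbox and return one flat list of findings."""
    return [f for user, s in mailboxes.items() for f in audit_mailbox(user, s, org_domains)]

ORG_DOMAINS = {"lab.example"}
SAMPLE = {
    "alice@lab.example": {
        "autoForwarding": {"enabled": True, "emailAddress": "copy@mail.example",
                           "disposition": "leaveInInbox"},
        "filters": [{"id": "f1", "criteria": {"hasAttachment": True},
                     "action": {"forward": "copy@mail.example"}}],
        "forwardingAddresses": [{"forwardingEmail": "copy@mail.example",
                                 "verificationStatus": "accepted"}],
    },
    "bob@lab.example": {"autoForwarding": {"enabled": False}, "filters": [
        {"id": "f2", "criteria": {"from": "grants@lab.example"},
         "action": {"forward": "bob.archive@lab.example"}}]},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE, ORG_DOMAINS):
        print(*finding, sep=" | ")
```

Forwarding to an address inside the organisation's own domains is not flagged, so the allow-list in `ORG_DOMAINS` needs to be complete for the results to be meaningful.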

    The Bigger Picture

    This attack succeeded because it exploited legitimate features in ways security teams don't always monitor. Hackers are getting smarter about blending in. They're not breaking down doors anymore. They're using stolen keys and walking through the front entrance.

    Staying informed about these tactics matters. Understanding how attacks actually work helps you spot the warning signs before damage occurs. Cybersecurity isn't about fear. It's about awareness and simple preventive steps.

    How GetCyberRight Can Help

    Our Breach Monitor tool alerts you immediately if your credentials appear in known data breaches. This attack started with stolen passwords from compromised servers. If the victims had known their credentials were exposed, they could have changed passwords before hackers exploited them. Breach Monitor watches for your information 24/7, giving you the early warning you need to take action before attackers do.
