Likelihood: MODERATE
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is rated moderate because active exploitation by UNC6508 has been confirmed against a defined target profile (U.S./Canadian medical, academic, and military research institutions using REDCap and Google Workspace), but exploitation status at any given organization remains unconfirmed, and the actor appears to select targets deliberately rather than conducting broad opportunistic scanning. Impact is rated very high because the campaign's 26-month undetected dwell time, combined with the irreversible loss of clinical trial data, defense research, and proprietary IP, produces severe and largely unrecoverable operational, regulatory, and reputational consequences.
Treatment rationale: The combination of a confirmed nation-state actor with a defined target profile, regulatory obligations over the affected data types, and the irreversibility of IP and research data loss makes accept and transfer inadequate as primary treatments; avoidance is operationally infeasible for institutions dependent on REDCap and Google Workspace, leaving structured mitigation — hardening Workspace admin controls, auditing content compliance rules, and segmenting REDCap access — as the only viable primary response.
Third-Party / Supply-Chain Risk
Google Workspace represents a shared-platform dependency under NIST SP 800-161: the attack vector is a native administrative feature of a third-party SaaS provider, meaning the institution's risk posture is directly shaped by Google's control design, audit log retention, and admin-access governance. Institutions cannot patch or disable the abused feature unilaterally; risk reduction requires coordinated configuration hardening within the provider's admin console and reliance on Google's logging fidelity for detection. REDCap deployments hosted or supported by third-party academic consortia or cloud vendors introduce an additional supply-chain node where initial access may have originated outside the institution's direct control perimeter.
Loss Exposure (illustrative)
Magnitude: very high — illustrative $5M–$50M+ per institution, reflecting irreplaceable IP loss, regulatory response costs, federal audit exposure, and reputational damage to research partnerships
Frequency: Illustrative: for an institution matching the target profile (REDCap-deployed, Google Workspace-dependent, holding clinical trial or defense research data), a targeted intrusion of this type is plausibly a once-in-several-years event given the actor's demonstrated selectivity, but dwell time means a single event carries multi-year loss exposure
Annualized: Illustrative ALE framing: if a matching institution faces a ~15–25% annualized probability of being within this actor's active targeting window, and a single event produces $5M–$50M in loss magnitude, illustrative ALE ranges from ~$750K to $12.5M annually — driven almost entirely by impact severity rather than frequency
Basis: Loss magnitude anchored to: (1) irreversibility of clinical trial and defense IP data once exfiltrated, eliminating recovery as a cost offset; (2) regulatory response costs across HIPAA, federal grant frameworks, and potential DFARS obligations; (3) reputational impact on research institution funding and partnership relationships; (4) 26-month dwell time multiplying the scope of loss well beyond a contained incident. Frequency anchored to: actor's demonstrated selectivity toward a defined institutional profile and the confirmed 26-month campaign window. No third-party benchmark reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• 26-month unauthorized access to systems processing protected health information may invoke HIPAA breach notification obligations — verify with counsel.
• Exfiltration of NIH-funded research data may trigger grant agreement reporting requirements and federal agency notification obligations — verify with counsel.
• Unauthorized access to defense research data may invoke DFARS or other federal contractor incident reporting clauses — verify with counsel.
• Sustained data exfiltration event may constitute a reportable cyber incident under applicable cyber-insurance policy terms and trigger notice obligations to the insurer — verify with broker.
• Multi-jurisdictional exposure across U.S. and Canadian institutions may invoke Canadian PIPEDA breach-of-security-safeguards reporting requirements — verify with counsel.