Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries

Google Threat Intelligence Group (GTIG) and Mandiant have executed a coordinated takedown of one of the most expansive cyber espionage campaigns in recent memory. The operation targeted UNC2814, a suspected People’s Republic of China (PRC)-nexus threat actor that has operated globally since 2017, compromising telecommunications and government organizations across four continents.

Scale of the Compromise

As of February 18, 2026, GTIG confirmed that UNC2814 had achieved persistent access to 53 victims in 42 countries spanning Africa, Asia, the Americas, and Europe. The investigation revealed suspected targeting in at least 20 additional nations, underscoring the decade-long effort behind this prolific campaign.

The GRIDTIDE Backdoor: Innovation Through Abuse

Central to UNC2814’s operations is GRIDTIDE, a sophisticated C-based backdoor with a novel command-and-control (C2) mechanism. Rather than exploiting vulnerabilities, GRIDTIDE abuses legitimate Google Sheets API functionality to disguise its malicious traffic as benign cloud activity.

Key Capabilities:

  • Arbitrary shell command execution via Base64-encoded instructions
  • File upload and download through spreadsheet cell ranges
  • AES-128 CBC encryption for configuration protection
  • Cell-based polling mechanism for C2 communication
  • URL-safe Base64 encoding to evade detection

The malware connects to attacker-controlled Google Sheets using stolen service account credentials, treating the spreadsheet not as a document but as a communication channel. Commands arrive in cell A1, responses go back via status messages, and data transfers occur across the A2:An range in 45KB fragments.
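The cell-based C2 pattern described above leaves a behavioural footprint in Sheets API access records that is quite different from ordinary spreadsheet automation: a fixed single cell read at a steady cadence, followed by bursts of roughly 45 KB writes into a single-column range. The Python below is an added example for this write-up, not GTIG or Mandiant tooling. It runs two heuristics over a constructed, simplified log format (a real audit feed needs its own field mapping) and includes a helper that an analyst can use to check whether a recovered cell value is URL-safe Base64 text, as the article says commands are. All thresholds, account names and log lines are constructed for illustration.

```python
"""Heuristic review of Sheets API access records for spreadsheet-as-C2 behaviour.

Added example for this write-up, not GTIG/Mandiant tooling. The log format
below is a constructed, simplified rendering of Sheets API calls; a real
audit feed will need its own field mapping before these checks apply.
"""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, service account, method, range, payload bytes.
# svc-sync mimics the pattern described above: a fixed-cell beacon plus ~45 KB column writes.
# reporting is an ordinary scheduled export, included for contrast.
SAMPLE_LOG = """\
2026-02-10T09:00:00Z svc-sync@example.iam.gserviceaccount.com values.get Sheet1!A1 14
2026-02-10T09:00:30Z svc-sync@example.iam.gserviceaccount.com values.get Sheet1!A1 14
2026-02-10T09:01:00Z svc-sync@example.iam.gserviceaccount.com values.get Sheet1!A1 92
2026-02-10T09:01:02Z svc-sync@example.iam.gserviceaccount.com values.update Sheet1!A2:A5 46080
2026-02-10T09:01:03Z svc-sync@example.iam.gserviceaccount.com values.update Sheet1!A6:A9 46080
2026-02-10T09:01:04Z svc-sync@example.iam.gserviceaccount.com values.update Sheet1!A10:A11 20314
2026-02-10T09:01:30Z svc-sync@example.iam.gserviceaccount.com values.get Sheet1!A1 14
2026-02-10T09:02:00Z svc-sync@example.iam.gserviceaccount.com values.get Sheet1!A1 14
2026-02-10T09:15:11Z reporting@example.iam.gserviceaccount.com values.get Sales!A1:F200 51200
2026-02-10T10:15:09Z reporting@example.iam.gserviceaccount.com values.update Sales!G1:G200 3300
"""

SINGLE_CELL = re.compile(r"^[A-Z]{1,3}\d+$")          # e.g. A1
COLUMN_SPAN = re.compile(r"^([A-Z]{1,3})\d+:\1\d+$")  # e.g. A2:A9 (same column at both ends)


def parse_log(text):
    """Parse the constructed whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, method, rng, size = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal,
            "method": method,
            "range": rng.split("!", 1)[-1],  # drop the sheet name, keep A1 notation
            "bytes": int(size),
        })
    return records


def analyse(records, min_polls=4, max_jitter=0.2, frag_lo=40_000, frag_hi=48_000):
    """Score each service account on the two behaviours the write-up describes.

    regular_poll: repeated reads of one single cell at a steady cadence
    fragmented_writes: two or more single-column writes of roughly 45 KB each
    Thresholds are illustrative and should be tuned against your own baseline.
    """
    by_principal = defaultdict(list)
    for r in records:
        by_principal[r["principal"]].append(r)

    findings = {}
    for principal, recs in by_principal.items():
        recs.sort(key=lambda r: r["ts"])
        polls = [r for r in recs
                 if r["method"] == "values.get" and SINGLE_CELL.match(r["range"])]
        regular_poll = False
        if len(polls) >= min_polls and len({r["range"] for r in polls}) == 1:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(polls, polls[1:])]
            mean_gap = statistics.mean(gaps)
            regular_poll = mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter
        frags = [r for r in recs
                 if r["method"] == "values.update" and COLUMN_SPAN.match(r["range"])
                 and frag_lo <= r["bytes"] <= frag_hi]
        fragmented = len(frags) >= 2
        findings[principal] = {
            "regular_poll": regular_poll,
            "fragmented_writes": fragmented,
            "suspicious": regular_poll and fragmented,
        }
    return findings


def decode_command_cell(cell_value):
    """Decode a recovered cell as URL-safe Base64 text (padding optional); None if it is not."""
    try:
        padded = cell_value + "=" * (-len(cell_value) % 4)
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def run_demo():
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for principal, finding in run_demo().items():
        print(principal, finding)
    # Constructed cell content; decodes to the harmless text "echo hello"
    print(decode_command_cell("ZWNobyBoZWxsbw"))
```

Neither heuristic is conclusive on its own: scheduled exports also write columns, and dashboards also poll cells. Requiring both, and then reviewing which service account credential issued the calls, keeps the check focused on the credential misuse the article describes rather than on spreadsheet use in general.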

Targeting Telecommunications for Surveillance

GTIG’s investigation revealed that UNC2814 specifically targeted endpoints containing personally identifiable information (PII), including:

  • Full names and phone numbers
  • Dates and places of birth
  • Voter ID and National ID numbers

This targeting pattern is consistent with espionage operations designed to identify, track, and monitor persons of interest. Historical PRC-nexus intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise of lawful intercept systems—enabling surveillance of dissidents, activists, and traditional espionage targets.

The Disruption

GTIG executed a comprehensive takedown:

  1. Terminated all Google Cloud Projects controlled by the attacker
  2. Disabled attacker accounts and revoked Google Sheets API access
  3. Sinkholed domains (both current and historical)
  4. Issued victim notifications and provided active support to compromised organizations
  5. Released IOCs dating back to 2023 to help defenders

Indicators of Compromise

Key artifacts include:

  • GRIDTIDE binary: ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47
  • Configuration key file: 01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb
  • C2 server: 130.94.6[.]228
  • SoftEther VPN servers: Multiple IPs including 38.60.194[.]21, 207.148.73[.]18

A comprehensive IOC collection is available via Google Threat Intelligence (GTI).
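The indicators above are printed defanged (`[.]` in place of `.`) and with uppercase/lowercase hash variations possible in telemetry, so they need normalising before they can be compared with live data. The Python below is an added example for this write-up, not GTI's own tooling: it pulls the indicator values out of the list as printed, refangs them, and matches them against constructed file-hash and connection events. Only the indicator values come from the page; hostnames, the `203.0.113.9` address and the event layout are constructed.

```python
"""Refang the indicators listed above and match them against endpoint/network telemetry.

Added example for this write-up, not GTI's own tooling. The event records are
constructed for illustration; only the indicator values come from the page.
"""
import re

# Indicator lines as printed in the summary above, still defanged with "[.]".
PAGE_INDICATORS = """\
GRIDTIDE binary: ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47
Configuration key file: 01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb
C2 server: 130.94.6[.]228
SoftEther VPN servers: Multiple IPs including 38.60.194[.]21, 207.148.73[.]18
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}\b")


def refang(value):
    """Undo the common defanging conventions so values compare with live telemetry."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_indicators(text):
    """Map each normalised indicator to (type, label), using the text before the colon as label."""
    indicators = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, body = line.split(":", 1)
        for digest in SHA256_RE.findall(body):
            indicators[digest.lower()] = ("sha256", label.strip())
        for ip in IPV4_RE.findall(body):
            indicators[refang(ip)] = ("ipv4", label.strip())
    return indicators


# Constructed telemetry: one file-hash event and one outbound connection per host.
SAMPLE_EVENTS = [
    {"type": "file", "host": "db-01",
     "sha256": "CE36A5FC44CBD7DE947130B67BE9E732A7B4086FB1DF98A5AFD724087C973B47"},
    {"type": "netflow", "host": "db-01", "dst": "130.94.6.228", "dport": 443},
    {"type": "file", "host": "web-02", "sha256": "0" * 64},
    {"type": "netflow", "host": "web-02", "dst": "203.0.113.9", "dport": 443},
]


def match_events(indicators, events):
    """Return (host, indicator, label) for every event field that equals a known indicator."""
    hits = []
    for ev in events:
        candidates = []
        if ev["type"] == "file":
            candidates.append(ev["sha256"].lower())
        elif ev["type"] == "netflow":
            candidates.append(ev["dst"])
        for value in candidates:
            if value in indicators:
                hits.append((ev["host"], value, indicators[value][1]))
    return hits


if __name__ == "__main__":
    for hit in match_events(extract_indicators(PAGE_INDICATORS), SAMPLE_EVENTS):
        print(hit)
```

The label carried with each hit ("C2 server", "GRIDTIDE binary") lets a triage queue distinguish a host that merely reached a VPN server from one that has the backdoor on disk, which matters when prioritising the victim-notification and containment steps described above.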

Key Takeaways

This disruption highlights several critical trends:

  • Cloud services as C2: Legitimate SaaS APIs provide excellent cover for malicious traffic
  • Long-term persistence: UNC2814 operated for nearly a decade before detection
  • Global reach: Prolific actors can achieve simultaneous access to dozens of countries
  • Telecom targeting: Carriers remain prime targets for state-sponsored surveillance

GTIG emphasizes that UNC2814 has no observed overlaps with activity publicly reported as “Salt Typhoon” and uses distinct TTPs. The group will likely attempt to rebuild its global footprint.

Source: Google Cloud Blog – Disrupting the GRIDTIDE Global Cyber Espionage Campaign
