Google Threat Intelligence Group (GTIG) has disrupted a massive global cyber espionage campaign targeting telecommunications and government organizations across 42 countries.
The threat actor, tracked as UNC2814, is a suspected People’s Republic of China (PRC)-nexus cyber espionage group that GTIG has monitored since 2017. The attacker deployed a novel backdoor called GRIDTIDE that abuses Google Sheets as a command-and-control (C2) platform, hiding malicious traffic within legitimate cloud API requests.
Key Findings
- 42+ countries impacted across four continents (Africa, Asia, Americas, Europe)
- 53 confirmed victims with suspected infections in at least 20 additional countries
- Primary targets: telecommunications providers and government entities
- Campaign active since at least 2017
GRIDTIDE Backdoor Capabilities
GRIDTIDE is a sophisticated C-based backdoor capable of:
- Executing arbitrary shell commands
- Uploading and downloading files
- Using Google Sheets as a high-availability C2 platform
- Encrypting its communications with AES-128
- Fingerprinting the host and performing reconnaissance
The malware treats Google Sheets not as a document, but as a communication channel to facilitate raw data transfer and shell command execution—effectively evading standard network detection.
Disruption Actions
GTIG’s coordinated response included:
- Terminating all Google Cloud Projects controlled by UNC2814
- Identifying and disabling all known attacker infrastructure
- Disabling attacker accounts and revoking API access
- Releasing IOCs linked to UNC2814 infrastructure active since 2023
Target Data Exfiltration
Mandiant’s investigation revealed UNC2814 targeted endpoints containing sensitive personally identifiable information (PII), including:
- Full names and phone numbers
- Dates and places of birth
- Voter ID and National ID numbers
While GTIG did not directly observe data exfiltration during this campaign, historical PRC-nexus intrusions against telecoms have resulted in theft of call data records, unencrypted SMS messages, and compromise of lawful intercept systems—enabling surveillance of dissidents, activists, and traditional espionage targets.
Indicators of Compromise
Organizations should monitor for:
- Suspicious processes executing from /var/tmp/ directories
- Service creation at /etc/systemd/system/xapt.service
- SoftEther VPN Bridge deployments
- Unusual Google Sheets API activity
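As an added example, not code from the GTIG report, the following Python triage script checks a Linux host for the three host-side indicators listed above: processes running out of /var/tmp/, the xapt.service unit file, and a SoftEther VPN Bridge binary. The `vpnbridge` binary name is an assumption about how SoftEther VPN Bridge is normally deployed; the report only names the product.

```python
import os
from pathlib import Path

# Indicators taken from the report above. The SoftEther daemon name is an
# assumption: the report says only "SoftEther VPN Bridge deployments".
SUSPICIOUS_EXEC_DIRS = ("/var/tmp/",)
SUSPICIOUS_UNIT_FILES = ("/etc/systemd/system/xapt.service",)
SOFTETHER_BINARY_HINTS = ("vpnbridge",)  # assumed SoftEther bridge binary name

def classify_process(pid, exe_path):
    """Return a finding for one process, or None if it matches no indicator."""
    # /proc/<pid>/exe keeps the original path with a ' (deleted)' suffix once
    # the on-disk binary is removed, so strip it before matching the directory.
    path = exe_path.removesuffix(" (deleted)")
    if any(path.startswith(d) for d in SUSPICIOUS_EXEC_DIRS):
        return f"pid {pid}: process executing from {path}"
    if any(h in Path(path).name.lower() for h in SOFTETHER_BINARY_HINTS):
        return f"pid {pid}: possible SoftEther VPN Bridge binary {path}"
    return None

def triage(processes, existing_paths):
    """processes: {pid: exe_path}; existing_paths: file paths present on disk.
    Returns the list of findings so callers can act on or assert against it."""
    findings = [f for pid, exe in sorted(processes.items())
                if (f := classify_process(pid, exe))]
    present = set(existing_paths)
    findings += [f"persistence: unit file present at {u}"
                 for u in SUSPICIOUS_UNIT_FILES if u in present]
    return findings

def live_processes():
    """Map pid -> exe path for every process whose /proc entry is readable."""
    procs = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                procs[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # kernel thread, already exited, or not permitted
                pass
    return procs

def live_unit_files():
    """Only the unit paths from the indicator list that actually exist."""
    return [u for u in SUSPICIOUS_UNIT_FILES if Path(u).exists()]

if __name__ == "__main__":
    results = triage(live_processes(), live_unit_files())
    for line in results or ["no GRIDTIDE host indicators found"]:
        print(line)
```

Run it as root so /proc/<pid>/exe is readable for every process; a non-root run silently skips processes owned by other users.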
Note: UNC2814 has no observed overlaps with Salt Typhoon and uses distinct tactics, techniques, and procedures (TTPs).
Source: Google Cloud Blog – GTIG
