Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries

Google has disclosed details of a massive disruption operation against UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries. The campaign, tracked as GRIDTIDE, represents one of the most far-reaching espionage operations uncovered in recent years.

The Scope of the Intrusion

According to Google Threat Intelligence Group (GTIG) and Mandiant’s report, UNC2814 has been active since at least 2017, targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas. The group is suspected to be linked to additional infections in more than 20 other nations, bringing the potential total to over 70 countries.

“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations,” the researchers stated. “We believe many of these organizations have been compromised for years.”

GRIDTIDE: Google Sheets as Command-and-Control

Central to UNC2814’s operations is a novel backdoor dubbed GRIDTIDE—a C-based malware that abuses the Google Sheets API as a command-and-control (C2) communication channel. This technique allows attackers to disguise malicious traffic as benign productivity tool usage.

The backdoor’s C2 mechanism uses a cell-based polling system with specific spreadsheet cells assigned for different purposes:

  • A1 – Polls for attacker commands and returns status responses
  • A2-An – Transfers data including command output and files
  • V1 – Stores system data from the victim endpoint

GRIDTIDE supports file upload/download operations and the execution of arbitrary shell commands, providing attackers with comprehensive control over compromised systems.

Attack Techniques and Persistence

UNC2814 employs a sophisticated toolkit beyond GRIDTIDE:

  • SoftEther VPN Bridge – Establishes encrypted outbound connections to external infrastructure
  • Living-off-the-Land (LotL) binaries – Conducts reconnaissance, privilege escalation, and persistence
  • Service account abuse – Enables SSH-based lateral movement within compromised environments
  • Systemd persistence – Creates services at /etc/systemd/system/xapt.service spawning malware from /usr/sbin/xapt

Evidence indicates that GRIDTIDE is specifically deployed on endpoints containing personally identifiable information (PII), consistent with cyber espionage activity focused on monitoring persons of interest.

Google’s Disruption Actions

As part of its disruption operation, Google has taken decisive action:

  • Terminated all Google Cloud Projects controlled by the attacker
  • Disabled all known UNC2814 infrastructure
  • Cut off access to attacker-controlled accounts
  • Blocked Google Sheets API calls used for C2 communications
  • Issued formal victim notifications to each targeted organization

Implications for Defenders

This campaign highlights the continued evolution of Chinese nation-state groups embedding themselves into networks for long-term access. The abuse of legitimate cloud services like Google Sheets for C2 communications presents significant challenges for network defenders.

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors,” Google concluded. “Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established.”

Organizations should:

  • Monitor for unusual Google Sheets API activity from server endpoints
  • Audit SoftEther VPN installations across the environment
  • Review systemd services for unexpected entries
  • Implement network segmentation for systems containing PII
  • Enhance monitoring of edge devices and network perimeter systems
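The first recommendation, as an added example that is not code from the report or this article: the script below flags hosts in an assumed server subnet that repeatedly call the Google Sheets API `values` endpoint, and summarises which cells they touch and how regularly they poll. The proxy log format, the server subnet and the spreadsheet ids are all constructed for the demo.

```python
"""Added example, not from the report or article: flag server-subnet hosts polling the
Google Sheets API in the GRIDTIDE cell layout. Log format, subnet, ids are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: "<ISO time> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/A1
2024-05-01T10:00:30 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/A1
2024-05-01T10:01:00 10.20.0.15 PUT https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/V1
2024-05-01T10:01:30 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/A1
2024-05-01T10:02:00 10.20.0.15 PUT https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/A2:A40
2024-05-01T10:00:05 192.168.1.44 GET https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Sheet1!A1:D20
2024-05-01T10:00:07 10.20.0.15 POST https://oauth2.googleapis.com/token
"""
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed server VLAN; workstations excluded
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Sheets API v4 'values' endpoint: capture the spreadsheet id and the cell range touched
SHEETS_RE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^?]+)")

def analyze(log_text, min_hits=3):
    """Return one finding per server host with at least min_hits Sheets 'values' calls."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, url = m.groups()
        s = SHEETS_RE.match(url)
        if not s or not any(ipaddress.ip_address(ip) in net for net in SERVER_NETS):
            continue
        per_host[ip].append((datetime.fromisoformat(ts), method, s.group(1), s.group(2)))
    findings = []
    for ip, events in per_host.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        findings.append({
            "host": ip, "requests": len(events),
            "sheets": sorted({e[2] for e in events}), "ranges": sorted({e[3] for e in events}),
            "writes": sum(e[1] in ("PUT", "POST") for e in events),  # data pushed into the sheet
            "min_gap_s": min(gaps), "max_gap_s": max(gaps),  # constant gaps suggest a beacon timer
        })
    return findings

print(analyze(SAMPLE_LOG))  # one finding for 10.20.0.15; the workstation and token calls are ignored
```

Real proxy or DNS telemetry will differ in shape, so the line regex and the server subnet list are the two things to adapt; a server that writes to a sheet at all, or polls a single cell on a fixed timer, is the signal worth triaging.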

Source: The Hacker News
