Google Disrupts UNC2814 After 53 Breaches in 42 Countries

By alex2404

Google has disrupted the infrastructure of a suspected China-linked espionage group called UNC2814, which breached at least 53 organizations across 42 countries in a campaign built around a previously undocumented backdoor that used Google’s own Sheets API to disguise command-and-control traffic.

The disruption, announced Wednesday, involved terminating every Google Cloud project the attacker controlled, disabling known UNC2814 infrastructure, and revoking the attacker's access to the Google Sheets API it used for command-and-control. Google has tracked the group since 2017.

How GRIDTIDE Worked

The backdoor at the center of the operation, named GRIDTIDE, is written in C and communicates through the Google Sheets API, so its command-and-control traffic is HTTPS to a legitimate Google endpoint rather than to attacker-owned infrastructure that defenders could block or reputation-score. It supports file upload and download as well as execution of arbitrary shell commands.

GRIDTIDE's command mechanism relied on cell-based polling: specific spreadsheet cells were assigned roles (one side writes tasking, the other writes results), and the implant read and wrote those cells on a timer, turning the spreadsheet into a two-way dead drop between the operator and the compromised machine. The approach reflects a broader tactic the group has practiced: using API calls to software-as-a-service platforms as cover for malicious activity.
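Hunting for this traffic pattern on the network side, as an added example that is not code from Google, Mandiant or the report: the script below parses a constructed proxy log (the format, hosts, spreadsheet IDs and timestamps are all made up here) and flags clients whose requests to the Sheets API are both frequent and evenly spaced, which is how a timer-driven implant polling a cell looks, and how a person editing a spreadsheet does not. The request-count and jitter thresholds are assumptions to tune per environment.

```python
"""Spot GRIDTIDE-style beaconing to the Google Sheets API in proxy logs.

Added example for this summary; it is not Google's, Mandiant's or the
attacker's code. The log format, hosts, spreadsheet IDs and timestamps
are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log in a generic format:
#   <ISO-8601 UTC timestamp> <client ip> <method> <host/path> <status>
# 10.20.30.40 is a Linux server polling a tasking cell every 30 s and
# writing results back; 10.1.1.5 is a person editing a budget sheet;
# 10.20.30.41 talks to a different Google API and must be ignored.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.20.30.40 GET sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!A1 200
2024-03-01T10:00:30Z 10.20.30.40 GET sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!A1 200
2024-03-01T10:01:00Z 10.20.30.40 PUT sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!B1?valueInputOption=RAW 200
2024-03-01T10:01:30Z 10.20.30.40 GET sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!A1 200
2024-03-01T10:02:00Z 10.20.30.40 GET sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!A1 200
2024-03-01T10:02:30Z 10.20.30.40 GET sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!A1 200
2024-03-01T10:03:00Z 10.20.30.40 PUT sheets.googleapis.com/v4/spreadsheets/1xKq9/values/Sheet1!B1?valueInputOption=RAW 200
2024-03-01T10:00:05Z 10.1.1.5 GET sheets.googleapis.com/v4/spreadsheets/9zPq2/values/Budget!A1:F40 200
2024-03-01T10:07:42Z 10.1.1.5 PUT sheets.googleapis.com/v4/spreadsheets/9zPq2/values/Budget!C7?valueInputOption=USER_ENTERED 200
2024-03-01T10:31:10Z 10.1.1.5 GET sheets.googleapis.com/v4/spreadsheets/9zPq2/values/Budget!A1:F40 200
2024-03-01T10:02:11Z 10.20.30.41 POST oauth2.googleapis.com/token 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Only the values endpoints matter: that is where cells are read and written.
SHEETS_API_RE = re.compile(r"^sheets\.googleapis\.com/v4/spreadsheets/")


def parse_log(text):
    """Return (timestamp, source ip, method, url) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["method"], m["url"]))
    return events


def beacon_score(timestamps):
    """Return (count, mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly identical,
    i.e. the requests come from a timer, not a human.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(ts), mean, cv


def find_sheets_beacons(log_text, min_requests=6, max_cv=0.25):
    """Map each source ip showing Sheets-API beaconing to its cadence stats.

    min_requests and max_cv are assumed thresholds; tune per environment.
    """
    by_src = defaultdict(list)
    for ts, src, _method, url in parse_log(log_text):
        if SHEETS_API_RE.match(url):
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        count, mean, cv = beacon_score(times)
        if count >= min_requests and cv is not None and cv <= max_cv:
            flagged[src] = {
                "requests": count,
                "mean_interval_s": mean,
                "jitter_cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_sheets_beacons(SAMPLE_LOG).items():
        print(f"{src}: {stats}")
```

Against real proxy or DNS logs, narrow the result further by joining flagged sources to the asset inventory: a server or edge appliance talking to sheets.googleapis.com at all is worth a look regardless of cadence, while a workstation in a Workspace-heavy shop needs the cadence test to stand out.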

Dan Perez, a researcher at Google Threat Intelligence Group, said the team cannot confirm whether all 53 breaches involved GRIDTIDE specifically. “We believe many of these organizations have been compromised for years,” Perez noted.

Targets and Geographic Reach

UNC2814 has a documented history of targeting government agencies and telecommunications organizations across Africa, Asia, and the Americas. Google and Mandiant said the group is suspected of additional infections in more than 20 other nations, which would put its potential footprint at more than 60 countries on top of the 42 with confirmed breaches.

There is evidence that GRIDTIDE was deployed specifically on endpoints holding personally identifiable information, a pattern consistent with espionage operations focused on tracking individuals of interest. Google said it observed no data exfiltration during the campaign.

Tactics Inside the Network

How UNC2814 gained initial access remains under investigation, though the group has a history of exploiting internet-facing web servers and edge devices. Once inside, the attackers moved laterally over SSH using a service account's credentials and relied on living-off-the-land binaries already present on the hosts for reconnaissance, privilege escalation, and persistence.

Persistence was established by creating a systemd service at /etc/systemd/system/xapt.service, which launched a fresh malware instance from /usr/sbin/xapt on boot, the unit name chosen to blend in with the legitimate apt tooling. The group also deployed SoftEther VPN Bridge, a legitimate VPN package previously seen in use by multiple China-linked groups, to open an outbound encrypted tunnel to an external IP address.
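Hunting for that persistence on a Linux host, as an added example rather than code from the report: the script scans a systemd unit directory, pulls the ExecStart binary out of each service unit, and flags units that are missing from a baseline or whose binary no package claims. The demo runs offline against a constructed temporary directory holding a benign sshd unit and a unit written to match the reported xapt.service pattern (its real contents are not given, so the text is an assumption); the baseline and the stand-in package-ownership check are assumptions too. In production, point scan_units at /etc/systemd/system and let the default checker call dpkg -S or rpm -qf.

```python
"""Hunt for attacker-created systemd service units (e.g. xapt.service).

Added example, not code from Google, Mandiant or the report. The unit
contents, the baseline and the offline ownership check are constructed.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# ExecStart= may carry systemd prefixes such as "-", "@", "+" or "!" before the path.
EXECSTART_RE = re.compile(r"^ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)


def exec_start_binary(unit_text):
    """Program path from the first ExecStart= line, or None if there is none."""
    m = EXECSTART_RE.search(unit_text)
    return m.group(1) if m else None


def package_owns(path):
    """True/False if dpkg or rpm claims the file; None when neither tool exists."""
    if shutil.which("dpkg"):
        return subprocess.run(["dpkg", "-S", path], capture_output=True).returncode == 0
    if shutil.which("rpm"):
        return subprocess.run(["rpm", "-qf", path], capture_output=True).returncode == 0
    return None


def scan_units(unit_dir, baseline, owner_check=package_owns):
    """Return (unit name, ExecStart binary, reasons) for every suspicious service.

    baseline: set of unit file names an administrator expects in unit_dir.
    owner_check: callable(path) -> True/False/None, e.g. package_owns.
    """
    findings = []
    for unit in sorted(Path(unit_dir).glob("*.service")):
        binary = exec_start_binary(unit.read_text())
        reasons = []
        if unit.name not in baseline:
            reasons.append("unit not in baseline")
        # None means "could not tell", which is not evidence either way.
        if binary is not None and owner_check(binary) is False:
            reasons.append(f"{binary} not owned by any package")
        if reasons:
            findings.append((unit.name, binary, reasons))
    return findings


# Constructed units: a benign sshd service and a unit mimicking the reported
# xapt.service (its real contents are not published; this is an assumption).
DEMO_UNITS = {
    "sshd.service": (
        "[Unit]\nDescription=OpenSSH server\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\n"
    ),
    "xapt.service": (
        "[Unit]\nDescription=apt helper\n"
        "[Service]\nExecStart=/usr/sbin/xapt\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}
DEMO_BASELINE = {"sshd.service"}
DEMO_PACKAGE_FILES = {"/usr/sbin/sshd"}  # stand-in for the dpkg/rpm file database


def demo():
    """Run scan_units over the constructed units in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    try:
        for name, text in DEMO_UNITS.items():
            (tmp / name).write_text(text)
        return scan_units(tmp, DEMO_BASELINE, owner_check=lambda p: p in DEMO_PACKAGE_FILES)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, binary, reasons in demo():
        print(f"{name}: {binary} -> {'; '.join(reasons)}")
```

A unit that fails both checks, as xapt.service does here, is a strong lead; a unit that only fails the baseline check may just be an undocumented change, so confirm it against change records before escalating. Pair the unit scan with a look for the SoftEther process and its outbound tunnel, since the report ties the two together.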

Scale and Ongoing Risk

Google described the UNC2814 campaign as one of the “most far-reaching, impactful campaigns” it has encountered in recent years. The company issued formal victim notifications to all identified targets and said it is actively supporting organizations with confirmed compromises.

Edge network appliances remain a persistent weak point. They typically cannot run endpoint detection agents, yet they sit directly on the network path with access to internal systems, making them attractive entry points for threat actors looking to embed themselves for long-term, low-profile access.

Google’s assessment is direct about what comes next: “We expect that UNC2814 will work hard to re-establish its global footprint.”


This article is a curated summary based on third-party sources.
