Google’s Threat Intelligence Group, working alongside its industry partners, has disrupted a Chinese cyber espionage operation that compromised 53 victims across 42 countries on four continents. The threat actor, tracked as UNC2814 and active since 2017, primarily targeted telecommunications companies and government organizations throughout the Americas, Asia, and Africa using a novel backdoor called Gridtide that abused Google Sheets API functionality to disguise command-and-control traffic. Google acted on February 18 by terminating all Google Cloud projects controlled by the group, disabling known infrastructure and accounts, and revoking access to the Google Sheets API calls the attackers relied on for their operations.
The intrusion campaign, discovered during a Mandiant investigation into suspicious customer activity, revealed that UNC2814 deployed the Gridtide backdoor after gaining initial access through compromised web servers and edge systems. The attackers moved laterally via SSH, performed reconnaissance, escalated privileges to root, and deployed their malware using techniques designed to evade detection, including naming their payload to mimic legitimate system tools. Gridtide’s capabilities include executing shell commands, uploading and downloading files, and maintaining persistent access through encrypted VPN connections that security researchers believe have been operational since July 2018. The backdoor was deployed on endpoints holding sensitive personal information, including names, phone numbers, birth dates, and national identification numbers, likely for tracking persons of interest.
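Two of the behaviours described above lend themselves to simple host-level triage: a payload named after a legitimate system tool but running from an unexpected path, and command-and-control hidden in Google Sheets API traffic from servers that have no business talking to that API. The script below is an added example written for this page; it is not code from Google, Mandiant, or the Gridtide write-up. The system tool names, trusted directories, the Sheets allowlist, and every telemetry record are constructed for illustration, and the specific name Gridtide used to mimic a system tool is not stated in the article, so none is assumed here.

```python
"""Defender-side triage of constructed host telemetry for two behaviours the
write-up attributes to UNC2814. All names, paths and records are constructed
for this example and are not indicators from the real campaign."""
from dataclasses import dataclass
from typing import Dict, List

# Process names that a payload might borrow (constructed list, not from the article).
SYSTEM_TOOL_NAMES = {"sshd", "cron", "systemd", "rsyslogd", "dbus-daemon"}
# Directories where genuine system binaries live on a typical Linux host (assumption).
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# The Sheets API endpoint the article says was abused for C2.
SHEETS_API_HOST = "sheets.googleapis.com"
# Hosts that legitimately use the Sheets API (constructed allowlist for this example).
SHEETS_ALLOWLIST = {"reporting-01"}


@dataclass(frozen=True)
class Event:
    """One process-plus-connection record, as an EDR or auditd pipeline might emit."""
    host: str
    pid: int
    comm: str          # process name as reported by the OS
    exe: str           # resolved executable path
    user: str
    dest_host: str = ""  # remote host of an outbound connection, "" if none


def mimics_system_tool(ev: Event) -> bool:
    """A process carrying a system-tool name but running from outside the
    trusted binary directories (e.g. /tmp) is the masquerading pattern
    the article describes."""
    return ev.comm in SYSTEM_TOOL_NAMES and not ev.exe.startswith(TRUSTED_BIN_DIRS)


def unexpected_sheets_traffic(ev: Event) -> bool:
    """Sheets API traffic is only suspicious on hosts that are not expected to
    produce it; telecom core or edge servers rarely have a reason to."""
    return ev.dest_host == SHEETS_API_HOST and ev.host not in SHEETS_ALLOWLIST


def triage(events: List[Event]) -> List[Dict]:
    """Return one finding per event that trips at least one check. Two checks
    firing together, or a root-owned offender, is rated high; otherwise medium."""
    findings = []
    for ev in events:
        reasons = []
        if mimics_system_tool(ev):
            reasons.append(f"process name '{ev.comm}' mimics a system tool but runs from {ev.exe}")
        if unexpected_sheets_traffic(ev):
            reasons.append(f"host {ev.host} is not allowlisted for {SHEETS_API_HOST}")
        if reasons:
            severity = "high" if len(reasons) > 1 or ev.user == "root" else "medium"
            findings.append({"host": ev.host, "pid": ev.pid, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign sshd, one masquerading payload that
# also talks to the Sheets API as root, one allowlisted reporting job, and one
# genuine cron binary on a database host that nevertheless reaches the Sheets API.
SAMPLE_EVENTS = [
    Event("telco-edge-07", 1187, "sshd", "/usr/sbin/sshd", "root"),
    Event("telco-edge-07", 4302, "sshd", "/tmp/.cache/sshd", "root", SHEETS_API_HOST),
    Event("reporting-01", 2210, "python3", "/usr/bin/python3", "svc-report", SHEETS_API_HOST),
    Event("billing-db-02", 5190, "cron", "/usr/sbin/cron", "svc-billing", SHEETS_API_HOST),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} pid={finding['pid']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The allowlist is the part that needs care in practice: the Sheets check is only useful if the set of hosts that legitimately call Google APIs is small and known, which is usually true for telecom core and edge systems but not for corporate workstations.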
While investigators did not directly observe data exfiltration in this specific campaign, previous Chinese government espionage operations have involved stealing call data records, unencrypted SMS messages, and abusing telecommunications legal wiretapping systems for surveillance purposes. Google has notified all affected victims and is actively supporting remediation efforts. The tech lead for Google’s Threat Intelligence Group noted that the level of access achieved by UNC2814 would enable surveillance operations targeting dissidents, activists, and traditional espionage targets, consistent with previous Chinese-nexus intrusions against telecommunications providers.