Google Disrupts UNC2814 GRIDTIDE Campaign Targeting 53 Organizations Across 42 Countries

Google has announced that it worked with industry partners to dismantle the infrastructure of UNC2814, a suspected China-linked cyber espionage group that has breached at least 53 organizations across 42 countries. According to a joint report by Google Threat Intelligence Group and Mandiant, UNC2814 has a history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas. The group is also suspected to have additional infections in over 20 other nations. The campaign has been active since at least 2017, leveraging software-as-a-service applications and API calls to disguise command-and-control traffic as legitimate communications.

Central to the group’s operations is a backdoor named GRIDTIDE, which uses the Google Sheets API as its command-and-control channel. GRIDTIDE, written in C, supports file upload and download, execution of shell commands, and persistent presence on compromised systems. Google researchers noted that the intrusions also rely on service accounts for lateral movement over SSH and on living-off-the-land binaries for reconnaissance and privilege escalation. The backdoor establishes persistence through system services and uses SoftEther VPN Bridge to maintain encrypted connections with external command servers, a method linked to multiple Chinese threat actors. While Google observed no active data exfiltration during the campaign, the malware was deployed on endpoints holding personally identifiable information, consistent with espionage objectives.

GRIDTIDE’s command-and-control mechanism operates through a cell-based structure in a Google Sheets spreadsheet, with specific cells assigned to different roles. Cell A1 is polled for attacker commands and used to return status, cells A2 through An (A2, A3, and so on) carry command output or transferred files, and cell V1 stores system information from the compromised endpoint. To neutralize the threat, Google terminated all attacker-controlled Google Cloud Projects, disabled known infrastructure associated with UNC2814, and revoked access to the accounts and API calls abused for malicious activity. Victim notifications have been issued, and Google continues to assist organizations affected by verified compromises.
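The cell-polling pattern above gives defenders something to hunt for: a server repeatedly reading one small cell range of one spreadsheet at a steady cadence looks nothing like a person editing a sheet. The following is an added example, not code from Google's or Mandiant's report; the proxy log format, host names and spreadsheet IDs are constructed, and the Sheets API URL shape (`/v4/spreadsheets/{id}/values/{range}`) is the public REST endpoint.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log (assumption, not from the report): "<epoch> <src_host> <method> <url>"
SAMPLE_LOG = """\
1700000000 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000060 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000120 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000180 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000185 db-srv-01 PUT https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A2
1700000240 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000300 db-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfG/values/A1
1700000011 alice-laptop GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:F200
1700002345 alice-laptop PUT https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!B7
1700003111 alice-laptop GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:F200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|PUT|POST) "
                     r"https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/(\S+)$")
SINGLE_CELL = re.compile(r"[A-Z]{1,2}\d{1,3}")  # e.g. "A1", not "A1:F200"

def parse(log):
    """Return (timestamp, host, method, spreadsheet_id, range) tuples for Sheets API calls."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, sheet_id, rng = m.groups()
            events.append((int(ts), host, method, sheet_id, rng))
    return events

def find_beacons(events, min_polls=4, max_jitter=0.2):
    """Flag (host, spreadsheet_id, mean_interval_s) pairs where one host reads a single
    cell of one spreadsheet at least min_polls times with a near-constant gap."""
    reads = defaultdict(list)
    for ts, host, method, sheet_id, rng in events:
        if method == "GET" and SINGLE_CELL.fullmatch(rng.split("!")[-1]):
            reads[(host, sheet_id)].append(ts)
    hits = []
    for (host, sheet_id), times in reads.items():
        times.sort()
        if len(times) < min_polls:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0  # relative spread of gaps
        if jitter <= max_jitter:
            hits.append((host, sheet_id, round(mean)))
    return hits
```

Tune `min_polls` and `max_jitter` to your environment, and treat hits from servers or service accounts that have no business reason to touch Sheets as the highest-priority leads.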

The campaign demonstrates the long-term, global nature of Chinese nation-state cyber operations, which often exploit vulnerabilities and misconfigurations in network edge appliances that provide access to internal enterprise networks. These appliances have become high-value targets due to limited endpoint malware detection and the ability to pivot to internal systems once compromised. Google noted that the global reach of UNC2814, with confirmed or suspected operations in over 70 countries, underscores the significant threat to telecommunications and government sectors. Although dismantling the campaign is expected to prevent immediate further exploitation, researchers anticipate that UNC2814 will attempt to re-establish its operations due to the scale and duration of its previous intrusions.

This disruption highlights the importance of coordinated cybersecurity efforts among industry partners, proactive threat intelligence sharing, and the deployment of advanced detection measures to counter sophisticated global cyber espionage campaigns. Organizations affected by such threats continue to receive support from Google and associated partners to ensure resilience and secure operations across international networks.
