Google and Mandiant disrupted a global espionage campaign attributed to UNC2814 that used the Google Sheets API to hide malicious traffic in attacks on 53 organizations across 42 countries.
Chinese state-sponsored hackers have infiltrated dozens of telecommunications companies and government agencies across the globe in a sophisticated espionage campaign that used legitimate cloud services to hide malicious activity.

Google's Threat Intelligence Group (GTIG), Mandiant, and industry partners recently disrupted a campaign attributed to a suspected Chinese threat actor known internally as UNC2814. The operation, which has been active since at least 2023, impacted 53 organizations across 42 countries, with suspected infections in at least 20 additional nations.
The campaign's scale and sophistication highlight the growing threat to critical infrastructure sectors. Telecommunications companies and government networks have become prime targets for nation-state actors seeking sensitive communications data and strategic intelligence.
The GRIDTIDE backdoor: Hiding in plain sight
The attackers deployed a custom C-based backdoor called GRIDTIDE that abuses the Google Sheets API for command-and-control operations. This approach allowed the malware to blend malicious traffic with legitimate cloud service usage, making detection significantly more difficult.
GRIDTIDE operates by authenticating to a Google Service Account using a hardcoded private key. Upon execution, the malware performs an unusual but effective sanitization step—deleting rows 1-1000 and columns A through Z in the spreadsheet to create a clean workspace.
The malware then conducts host reconnaissance, collecting system information including username, hostname, operating system details, local IP address, locale, and timezone. This data is logged in cell V1 of the spreadsheet.
How the malware communicates
The command and control mechanism is particularly clever. Cell A1 serves as the command/status cell, which GRIDTIDE constantly polls for instructions. When commands are received, the malware overwrites them with status strings to avoid leaving traces.
If no commands are present, the malware retries every second for 120 attempts, then switches to random 5-10 minute intervals to reduce network noise and avoid detection patterns.
The backdoor supports three primary commands:
- C: Execute Base64-encoded bash commands and write output to the spreadsheet
- U: Upload functionality that reconstructs files from spreadsheet data
- D: Download functionality that reads local files and sends contents in ~45 KB fragments
Data exfiltration occurs through cells A2 through An (successive rows of column A), which carry command output, file contents, and tool uploads. The malware uses URL-safe base64 encoding to evade web monitoring tools and blend with normal traffic patterns.
Coordinated disruption effort
Google, Mandiant, and partners took comprehensive action to disrupt the campaign. Their response included:
- Terminating all Google Cloud projects controlled by UNC2814
- Disabling known infrastructure components
- Revoking Google Sheets API access
- Disabling all cloud projects used in command-and-control operations
- Sinkholing current and historical domains
- Directly notifying affected organizations
- Offering support to clean infections

[Figure: Countries impacted by UNC2814 attacks. Source: Google]
What organizations should do now
While the disruption was comprehensive, Google expects UNC2814 to resume operations using new infrastructure in the near future. Organizations should:
- Monitor for indicators of compromise: Google has published detection rules and indicators of compromise (IoCs) that organizations can use to scan their networks.
- Review cloud service usage: Pay particular attention to unusual patterns in legitimate cloud service APIs, especially Google Sheets and other productivity tools.
- Implement network segmentation: Critical infrastructure and sensitive data should be isolated from general network access.
- Update edge systems: The threat actor has previously exploited flaws in web servers and edge systems, making these prime targets for patching.
- Consider API security: Traditional network monitoring may miss API-based C2 communications. Implement API-specific security controls.
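The polling cadence described in the C2 section (up to 120 one-second reads of cell A1 before backing off) and the "review cloud service usage" recommendation above both point at the same detection: a host hammering the Sheets values API far faster than a person editing a spreadsheet would. The check below is an added example written for this article, not a rule published by Google or Mandiant; the log format, the `SHEET_ID` placeholder, the host names and the 60-reads-per-two-minutes threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines, not real telemetry from the report.
# Format: "<ISO timestamp> <source host> <destination host> <URL path>".
def _poll_lines(host, start, count, step_s):
    return [f"{(start + timedelta(seconds=i * step_s)).isoformat()} {host} "
            f"sheets.googleapis.com /v4/spreadsheets/SHEET_ID/values/A1"
            for i in range(count)]

T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    [f"{T0.isoformat()} host-a oauth2.googleapis.com /token"]  # service-account auth
    + _poll_lines("host-a", T0, 120, 1)   # 120 reads of A1 one second apart (GRIDTIDE-style)
    + _poll_lines("host-b", T0, 5, 360)   # an analyst editing a sheet: 5 reads, 6 min apart
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
VALUES_RE = re.compile(r"^/v4/spreadsheets/[^/]+/values/")

def sheets_reads_by_host(lines):
    """Map each source host to the timestamps of its Sheets API cell reads."""
    reads = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the scan
        ts, src, dst, path = m.groups()
        if dst == "sheets.googleapis.com" and VALUES_RE.match(path):
            reads[src].append(datetime.fromisoformat(ts))
    return reads

def max_burst(times, window=timedelta(minutes=2)):
    """Largest number of reads by one host inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:  # slide the window start forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_polling_hosts(lines, threshold=60):
    """Hosts whose Sheets read cadence looks like beaconing: {host: burst size}."""
    bursts = {host: max_burst(ts) for host, ts in sheets_reads_by_host(lines).items()}
    return {host: b for host, b in bursts.items() if b >= threshold}

if __name__ == "__main__":
    print(flag_polling_hosts(SAMPLE_LOG))  # expected: {'host-a': 120}
```

This burst heuristic only catches the initial one-second polling phase; once the implant backs off to random 5-10 minute intervals, the traffic looks like ordinary Sheets use, so pair it with the published IoCs and with alerts on service-account token requests from hosts that should never use them.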
The broader context
This campaign represents a concerning trend in cyber espionage. By abusing legitimate cloud services, attackers can operate with reduced risk of detection while maintaining reliable command and control channels.
The targeting of telecommunications providers is particularly significant, as these companies provide access to vast amounts of communications data and can serve as entry points to government networks.
Google's disclosure comes amid other recent reports of Chinese-linked cyber operations, including Mustang Panda's deployment of infostealers via CoolClient backdoor and state-sponsored attacks on Taiwan's energy sector that increased tenfold.
For telecommunications providers and government agencies, this campaign serves as a stark reminder that nation-state actors continue to invest in sophisticated techniques to access sensitive information. The use of cloud service APIs for malicious purposes represents an evolution in attack methodology that requires updated defensive approaches.
The comprehensive nature of the disruption effort demonstrates how public-private partnerships can effectively counter sophisticated threats, but also underscores that such operations are likely to continue as geopolitical tensions persist in the digital domain.
