Google's Threat Intelligence Group, in partnership with industry allies, has dismantled a China-linked espionage operation that used Google Sheets and other tools to infiltrate telecom and government organizations across four continents.
Google's Threat Intelligence Group (GTIG) has successfully disrupted a sophisticated Chinese espionage campaign that targeted telecommunications companies and government organizations across four continents, marking one of the most extensive cyber operations linked to Beijing in recent years.

The campaign, attributed to the threat actor Google tracks as UNC2814, shows how far China-linked espionage tradecraft has moved toward abusing legitimate cloud services so that command-and-control traffic hides among ordinary business activity. According to Google's threat hunters, the operation impacted 53 victims across 42 countries, with suspected infections in at least 20 additional nations.
A Novel Approach to Espionage
What makes this campaign particularly concerning is the group's innovative use of Google's own infrastructure against it. UNC2814 deployed a custom backdoor called Gridtide that leverages the Google Sheets API for command-and-control communications, effectively using legitimate cloud functionality to disguise its malicious traffic.
The attackers also used SoftEther VPN Bridge to establish encrypted outbound tunnels, and metadata in the VPN configuration indicates the group has been operating this infrastructure since July 2018. That span shows how long the campaign has been running; it is persistence of infrastructure rather than evidence of strong operational security, since reusing the same VPN configuration for years hands investigators a durable thread to pull on.
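The defensive consequence of the Sheets-based channel described above is that a block-list cannot catch it: sheets.googleapis.com is a destination most organizations allow. What can catch it is knowing which hosts have any reason to call the Sheets API and looking for timer-driven polling from those that do not. The following Python is an added illustration of that approach, not GTIG's detection logic and not Gridtide code; the hostnames, spreadsheet IDs and every proxy log record in it are constructed, and the "expected hosts" inventory is an assumption about the environment.

```python
"""Flag Google Sheets API traffic from hosts that should not be talking to it.

Added illustration, not GTIG's detection logic and not Gridtide code. The
hostnames, the spreadsheet IDs and every log record below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"

# Assumed asset inventory (hypothetical hostnames): workstations where Google
# Workspace use, and therefore Sheets API traffic, is expected.
SHEETS_EXPECTED_HOSTS = {"wks-finance-07", "wks-hr-12"}


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed proxy log: (timestamp, source host, destination host, method, path).
# Spreadsheet IDs are invented; the path shape follows the public Sheets v4 API.
PROXY_LOG = [
    # Legitimate: an analyst saving and re-reading a sheet, irregular timing.
    (parse_ts("2025-11-03T09:02:11"), "wks-finance-07", SHEETS_API_HOST, "PUT", "/v4/spreadsheets/1AbCxyz/values/Sheet1!A1:D20"),
    (parse_ts("2025-11-03T09:41:50"), "wks-finance-07", SHEETS_API_HOST, "GET", "/v4/spreadsheets/1AbCxyz/values/Sheet1!A1:D20"),
    (parse_ts("2025-11-03T09:05:00"), "wks-hr-12", SHEETS_API_HOST, "GET", "/v4/spreadsheets/1AbCxyz/values/Sheet1!A1"),
    # Suspicious: a telecom signalling gateway polling one cell every ~60 s and writing back.
    (parse_ts("2025-11-03T09:00:00"), "sig-gw-03", SHEETS_API_HOST, "GET", "/v4/spreadsheets/9ZzQqrs/values/cmd!A1"),
    (parse_ts("2025-11-03T09:01:01"), "sig-gw-03", SHEETS_API_HOST, "GET", "/v4/spreadsheets/9ZzQqrs/values/cmd!A1"),
    (parse_ts("2025-11-03T09:02:00"), "sig-gw-03", SHEETS_API_HOST, "GET", "/v4/spreadsheets/9ZzQqrs/values/cmd!A1"),
    (parse_ts("2025-11-03T09:02:03"), "sig-gw-03", SHEETS_API_HOST, "PUT", "/v4/spreadsheets/9ZzQqrs/values/out!A1"),
    (parse_ts("2025-11-03T09:03:02"), "sig-gw-03", SHEETS_API_HOST, "GET", "/v4/spreadsheets/9ZzQqrs/values/cmd!A1"),
    (parse_ts("2025-11-03T09:04:00"), "sig-gw-03", SHEETS_API_HOST, "GET", "/v4/spreadsheets/9ZzQqrs/values/cmd!A1"),
    # Unrelated egress from the same gateway that must not be flagged.
    (parse_ts("2025-11-03T09:00:30"), "sig-gw-03", "mirrors.ubuntu.com", "GET", "/ubuntu/dists/noble/InRelease"),
]


def sheets_requests_by_host(log):
    """Group Sheets API requests by source host, each list sorted by time."""
    by_host = defaultdict(list)
    for ts, src, dst, method, path in log:
        if dst == SHEETS_API_HOST:
            by_host[src].append((ts, method, path))
    for recs in by_host.values():
        recs.sort()
    return by_host


def is_beacon_like(timestamps, min_samples=4, max_cv=0.2):
    """True when inter-request gaps are regular: a low coefficient of variation
    (std dev / mean) is the signature of a timer, not of a person."""
    if len(timestamps) < min_samples:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def spreadsheet_id(path):
    """Spreadsheet ID from a /v4/spreadsheets/<id>/... path, or None."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "v4" and parts[2] == "spreadsheets":
        return parts[3]
    return None


def detect_sheets_c2(log, expected_hosts=SHEETS_EXPECTED_HOSTS):
    """One alert per unexpected host, with the reasons it looks like a C2 channel."""
    alerts = []
    for host, recs in sorted(sheets_requests_by_host(log).items()):
        if host in expected_hosts:
            continue
        reasons = ["Sheets API contacted from a host with no Workspace role"]
        methods = {m for _, m, _ in recs}
        if "GET" in methods and methods - {"GET"}:
            reasons.append("both reads and writes to a spreadsheet (pull tasking, push results)")
        polls = [ts for ts, m, _ in recs if m == "GET"]
        if is_beacon_like(polls):
            reasons.append(f"regular polling interval across {len(polls)} GETs")
        ids = sorted({spreadsheet_id(p) for _, _, p in recs} - {None})
        alerts.append({"host": host, "requests": len(recs), "sheets": ids, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sheets_c2(PROXY_LOG):
        print(alert["host"], alert["requests"], alert["sheets"])
        for r in alert["reasons"]:
            print("  -", r)
```

Run against real proxy or DNS logs, the expected-host set is the part that takes work: it has to come from an asset inventory, and servers in the telecom core should almost never appear in it. The beaconing threshold is deliberately loose; a backdoor that adds jitter to its sleep will raise the coefficient of variation, so the host-role check is the primary signal and the polling check is corroboration.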
Technical Details of the Intrusion
Once inside target networks, UNC2814 followed a methodical approach to establishing persistence and expanding its foothold. The group moved laterally over SSH, performed extensive reconnaissance, and escalated privileges before launching the Gridtide backdoor with the command "nohup ./xapt", which makes the process ignore the hangup signal so that it survives the end of the attacker's SSH session.
The payload was named "xapt" after a legitimate command-line tool shipped in Debian and Ubuntu, a choice made so that a glance at the process list would not stand out. The tell is the path: the binary ran from "/var/tmp/xapt", a world-writable scratch directory, rather than from a package-managed location such as /usr/bin. Once running, it spawned a shell with root privileges and executed commands to retrieve the current user and group identifiers, the standard check an operator performs to confirm that privilege escalation succeeded.
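Each element of the chain described above leaves a distinct trace in process-execution telemetry: a launch wrapped in nohup, an executable living in a scratch directory under a name borrowed from a real package, and a root shell plus a uid/gid check descending from that executable. The following Python is an added illustration of turning those observations into heuristics; it is not GTIG's detection logic and not Gridtide code. The events are constructed and shaped loosely like auditd EXECVE records, and the pids, paths and packaged-binary inventory are assumptions.

```python
"""Host-side indicators from the xapt intrusion chain, applied to process-exec telemetry.

Added illustration, not GTIG's detection logic and not Gridtide code. The
events below are constructed and shaped loosely like auditd EXECVE records;
pids, paths and the packaged-binary inventory are assumptions.
"""
import os

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PACKAGE_BIN_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
SHELLS = {"sh", "bash", "dash"}
# Assumed inventory of binary names provided by installed packages (in practice
# built from the package manager). xapt is a real Debian/Ubuntu package name.
PACKAGED_BINARY_NAMES = {"xapt", "apt", "id", "sh", "ssh"}

# Constructed events in chronological order. pid 4000 is the attacker's
# already-root SSH shell; pids 5xxx are benign activity that must not be flagged.
EXEC_EVENTS = [
    {"pid": 4101, "ppid": 4000, "uid": 0, "cwd": "/var/tmp", "argv": ["nohup", "./xapt"]},
    # nohup execs its argument, so the same pid re-executes as the payload.
    {"pid": 4101, "ppid": 4000, "uid": 0, "cwd": "/var/tmp", "argv": ["./xapt"]},
    # The backdoor spawns a root shell, which runs a uid/gid check.
    {"pid": 4130, "ppid": 4101, "uid": 0, "cwd": "/var/tmp", "argv": ["/bin/sh", "-c", "id"]},
    {"pid": 4131, "ppid": 4130, "uid": 0, "cwd": "/var/tmp", "argv": ["/usr/bin/id"]},
    # Benign: an operator backgrounding a tool from a proper install path.
    {"pid": 5200, "ppid": 5100, "uid": 1001, "cwd": "/home/ops", "argv": ["nohup", "/opt/monitor/collector"]},
    {"pid": 5300, "ppid": 5100, "uid": 1001, "cwd": "/home/ops", "argv": ["/usr/bin/id"]},
    # Benign: the real packaged xapt, run from its package directory.
    {"pid": 5400, "ppid": 1, "uid": 0, "cwd": "/", "argv": ["/usr/bin/xapt"]},
]


def resolve(cwd, path):
    """Absolute path of a program as launched from cwd."""
    return os.path.normpath(path if path.startswith("/") else os.path.join(cwd, path))


def exec_target(ev):
    """The program actually launched, looking through a leading nohup."""
    argv = ev["argv"]
    via_nohup = os.path.basename(argv[0]) == "nohup" and len(argv) > 1
    return resolve(ev["cwd"], argv[1] if via_nohup else argv[0])


def in_scratch_dir(path):
    return path.startswith(SCRATCH_DIRS)


def ancestor_targets(ev, by_pid, depth=3):
    """Exec targets of the parent, grandparent, ... as far as telemetry reaches."""
    out, pid = [], ev["ppid"]
    for _ in range(depth):
        parent = by_pid.get(pid)
        if parent is None:
            break
        out.append(exec_target(parent))
        pid = parent["ppid"]
    return out


def event_reasons(ev, by_pid):
    """Heuristics tripped by one exec event, given the pid table seen so far."""
    target = exec_target(ev)
    name = os.path.basename(target)
    reasons = []
    if in_scratch_dir(target):
        reasons.append(f"executable runs from world-writable dir: {target}")
        if name in PACKAGED_BINARY_NAMES and not target.startswith(PACKAGE_BIN_DIRS):
            reasons.append(f"name '{name}' matches a packaged binary but path is not a package dir")
        if os.path.basename(ev["argv"][0]) == "nohup":
            reasons.append("launched via nohup, so it outlives the attacker's SSH session")
    if ev["uid"] == 0 and (name in SHELLS or name == "id"):
        scratch_ancestors = [t for t in ancestor_targets(ev, by_pid) if in_scratch_dir(t)]
        if scratch_ancestors:
            reasons.append(f"root '{name}' descended from {scratch_ancestors[0]} (privilege check after escalation)")
    return reasons


def detect_suspicious_execs(events):
    """One alert per event that trips at least one heuristic."""
    by_pid, alerts = {}, []
    for ev in events:  # chronological; a pid's latest exec image wins
        by_pid[ev["pid"]] = ev
        reasons = event_reasons(ev, by_pid)
        if reasons:
            alerts.append({"pid": ev["pid"], "argv": ev["argv"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_execs(EXEC_EVENTS):
        print(alert["pid"], " ".join(alert["argv"]))
        for r in alert["reasons"]:
            print("  -", r)
```

The name-collision check is the one that separates this case from ordinary "binary in /tmp" noise: it only fires when the filename exists in the package inventory but the path does not, which is exactly the masquerade described above. Building that inventory from the package database rather than a hand-written set is what makes the rule usable on a real fleet.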
Scale and Scope of the Operation
Google's investigation revealed the campaign's global reach, affecting organizations across the Americas, Asia, and Africa. The threat intelligence team worked with unnamed industry partners to terminate all Google Cloud Projects controlled by UNC2814, disable the group's infrastructure and accounts, and revoke the API access behind the Google Sheets calls used for command and control.
Dan Perez, GTIG's technical lead, emphasized the campaign's significance, noting that "previous PRC-nexus espionage intrusions against telecoms have targeted individuals and organizations for surveillance efforts, particularly dissidents and activists, as well as traditional espionage targets."
Not Connected to Salt Typhoon
Importantly, Google's researchers have determined that UNC2814 operates independently of Salt Typhoon, another China-linked group that compromised major US telecommunications carriers in intrusions dating back to at least 2019 and is believed to have accessed data on nearly every American. This suggests that China is running multiple parallel espionage operations against the same sectors.
The exact initial access vector remains unclear, though Google notes that UNC2814 has historically gained access by exploiting internet-facing web servers and edge devices. The group's ability to maintain long-term access to telecommunications infrastructure raises serious concerns about ongoing surveillance.
Implications for Global Security
This disruption highlights the growing sophistication of state-sponsored cyber operations and the challenge they pose for defenders. Because the command-and-control endpoint was a Google API that most organizations legitimately allow, controls built on blocking known-bad domains or untrusted IP ranges had nothing to act on; catching this traffic requires knowing which hosts have a reason to talk to Sheets at all and looking for machine-like polling from those that do not.
Google has notified all identified victims and is "actively supporting" those who have been compromised. The company's willingness to take direct action against infrastructure controlled by a nation-state actor represents a significant escalation in how tech companies respond to cyber threats.
The Broader Context
The UNC2814 campaign occurs against a backdrop of escalating tensions between the United States and China over cyber espionage. Recent FCC decisions to roll back post-Salt Typhoon telecommunications security requirements, despite ongoing espionage risks, have raised questions about the adequacy of current defenses against these threats.
Singapore's experience of spending 11 months removing China-linked actors from its telecommunications networks provides a sobering reminder of how difficult it can be to fully evict sophisticated adversaries once they've established a foothold.
As cyber espionage capabilities continue to advance, the UNC2814 campaign serves as a stark reminder that even the most trusted cloud services can be weaponized by determined state actors. The incident underscores the need for enhanced collaboration between tech companies, governments, and security researchers to protect critical infrastructure from increasingly sophisticated threats.
For organizations in the telecommunications and government sectors, this campaign should serve as a wake-up call to reassess their security postures, particularly regarding the use of cloud services and the monitoring of unusual API activity that could indicate similar compromises.