Google Disrupts Chinese-Linked UNC2814 Hacking Group Breaching 53 Organizations Across 42 Countries
#Security


Trends Reporter

Google's Threat Analysis Group (TAG) has disrupted UNC2814, a Chinese-linked hacking group that breached over 53 organizations across 42 countries using Google Sheets to manage targeting and data theft operations.

Google's Threat Analysis Group (TAG) has disrupted a sophisticated Chinese-linked hacking operation that compromised more than 53 organizations across 42 countries, one of the most extensive cyber espionage campaigns uncovered in recent years. The group, tracked as UNC2814, took an unconventional approach, using Google Sheets as command-and-control infrastructure to manage its targeting and data theft operations.

According to Google's analysis, UNC2814 used a multi-stage attack methodology that began with spear-phishing campaigns aimed at high-value individuals within target organizations. Once initial access was gained, the attackers deployed custom malware and established persistence within the compromised networks. Coordinating through Google Sheets let the group maintain operational security while managing its extensive target list and exfiltrated data.

The breach affected organizations across diverse sectors, including government agencies, technology companies, defense contractors, and research institutions. The geographic spread of the attacks demonstrates the group's global reach and strategic targeting approach. Google's intervention prevented further data exfiltration and helped affected organizations contain the breach.

This operation highlights the evolving nature of cyber espionage, in which threat actors increasingly route their activity through legitimate cloud services to blend in with normal traffic. Using Google Sheets as a coordination platform is a deliberate adaptation to conventional security monitoring: traffic to legitimate, widely used services often passes through standard security controls without scrutiny.
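One defensive response to this evasion technique is to stop asking "is this domain bad?" and start asking "is this traffic pattern normal for this host and process?" The following is an added example, not code from Google TAG or from the report on UNC2814, and it does not reproduce any of the group's actual infrastructure or tooling. It assumes a hypothetical web-proxy log format (timestamp, host, process, domain, status) and uses a constructed sample log in which one workstation's non-browser process contacts a Google Sheets endpoint at near-constant five-minute intervals, the kind of machine-like cadence that a human editing a spreadsheet in a browser does not produce.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Legitimate SaaS endpoints that an intruder might abuse for coordination.
SAAS_DOMAINS = {"docs.google.com", "sheets.googleapis.com"}
# Processes expected to talk to those domains on a workstation (assumption).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample proxy log in a hypothetical format:
#   <ISO timestamp> <host> <process> <domain> <http status>
# WS-101: a person using Sheets in a browser (irregular timing).
# WS-207: a non-browser process hitting the API every ~300 s (beacon-like).
# WS-310: unrelated traffic that the SaaS filter ignores.
SAMPLE_LOGS = """\
2024-01-01T09:00:00 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:00:04 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:03:17 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:11:52 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:12:01 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:40:30 WS-101 chrome.exe docs.google.com 200
2024-01-01T09:00:00 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:05:00 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:10:01 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:14:59 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:20:00 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:25:02 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:29:58 WS-207 updater.exe sheets.googleapis.com 200
2024-01-01T09:02:10 WS-310 outlook.exe mail.example.com 200
2024-01-01T09:07:10 WS-310 outlook.exe mail.example.com 200
"""


def parse_line(line):
    """Split one log line into a record; timestamps become epoch seconds."""
    ts, host, process, domain, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts).timestamp(),
        "host": host,
        "process": process,
        "domain": domain,
        "status": int(status),
    }


def is_beacon(timestamps, min_events=6, max_cv=0.2):
    """Return True when at least min_events requests arrive at near-constant
    intervals. Regularity is measured as the coefficient of variation
    (stdev / mean) of the inter-arrival gaps; human activity is bursty and
    scores high, a scheduled check-in scores close to zero."""
    if len(timestamps) < min_events:
        return False
    ordered = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def find_suspicious(lines):
    """Group SaaS requests by (host, process, domain) and flag groups that
    come from a non-browser process or show beacon-like timing."""
    by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["domain"] in SAAS_DOMAINS:
            by_key[(rec["host"], rec["process"], rec["domain"])].append(rec["ts"])

    findings = []
    for (host, process, domain), stamps in sorted(by_key.items()):
        reasons = []
        if process.lower() not in BROWSER_PROCESSES:
            reasons.append("non-browser process")
        if is_beacon(stamps):
            reasons.append("beacon-like interval")
        if reasons:
            findings.append({
                "host": host,
                "process": process,
                "domain": domain,
                "events": len(stamps),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Running the block reports only WS-207: the browser session on WS-101 is allowed through even though it touches the same domains, because the decision rests on who is talking and how regularly, not on the destination's reputation. In production the process name would come from an endpoint agent or proxy with client attribution, the thresholds would be tuned against a baseline of real traffic, and the browser allow-list would be replaced by a per-host learned profile.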

Google's TAG continues to monitor for related activities and has shared indicators of compromise with the broader security community to help organizations defend against similar threats. The disruption of UNC2814 serves as a reminder of the persistent and sophisticated nature of state-sponsored cyber operations targeting global organizations.
