Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries
#Security

Security Reporter
3 min read

Google and Mandiant have disrupted a suspected China-nexus cyber espionage campaign that compromised 53 organizations across 42 countries using a novel backdoor called GRIDTIDE, which abuses the Google Sheets API for command-and-control communications.

Google and Mandiant have dismantled a sophisticated cyber espionage campaign attributed to the suspected China-nexus threat actor UNC2814, which compromised at least 53 organizations across 42 countries in what Google described as "one of the most far-reaching, impactful campaigns" encountered in recent years.

The GRIDTIDE Backdoor: Hiding in Plain Sight

The campaign's centerpiece is a novel backdoor dubbed GRIDTIDE that uses the Google Sheets API as a covert communication channel. This C-based malware treats spreadsheet cells as its command-and-control mechanism, so the malicious traffic blends in with legitimate API calls to Google's cloud services.

GRIDTIDE's cell-based polling system assigns specific roles to spreadsheet cells:

  • A1: Polls for attacker commands and overwrites with status responses (e.g., "S-C-R" for Server-Command-Success)
  • A2-An: Transfers data including command output and files
  • V1: Stores system data from the victim endpoint

The malware supports file upload/download capabilities and execution of arbitrary shell commands, making it a versatile tool for espionage operations.
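One way a defender could hunt for this cell-polling pattern in egress-proxy logs, as an added example that is not part of the original article or of Google's reporting: it groups Sheets API calls by source host and spreadsheet id, then flags calls made from hosts that have no business driving a spreadsheet (an assumed asset inventory) or calls that arrive at near-constant intervals, which is what a fixed polling timer against a single cell looks like from the network. The log format, host names and spreadsheet ids are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed inventory of edge/server assets that never drive spreadsheets interactively
# (hypothetical host names; in practice this comes from your asset database).
NON_INTERACTIVE_HOSTS = {"edge-fw-01", "web-srv-02"}

# Sheets API v4 values endpoint: /v4/spreadsheets/<spreadsheetId>/values/<range>
SHEETS_VALUES_RE = re.compile(r"^/v4/spreadsheets/([^/]+)/values/")

# Constructed sample egress-proxy lines (not from the article): "<epoch> <src> <dst> <path>"
SAMPLE_LOG = """\
1700000000 edge-fw-01 sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1!A1
1700000060 edge-fw-01 sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1!A1
1700000120 edge-fw-01 sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1!A1
1700000180 edge-fw-01 sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1!A1
1700000007 ws-alice www.googleapis.com /oauth2/v3/userinfo
1700002000 ws-alice sheets.googleapis.com /v4/spreadsheets/BUDGET_SHEET/values/Sheet1!B2
1700004100 ws-alice sheets.googleapis.com /v4/spreadsheets/BUDGET_SHEET/values/Sheet1!C9
1700009000 ws-alice sheets.googleapis.com /v4/spreadsheets/BUDGET_SHEET/values/Sheet1!A1
1700009400 ws-alice sheets.googleapis.com /v4/spreadsheets/BUDGET_SHEET/values/Sheet1!D4
"""

def find_sheets_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Group Sheets API calls by (source host, spreadsheet id) and flag sessions that resemble
    GRIDTIDE-style cell polling: a host that should never touch a spreadsheet, or beaconing."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, path = line.split()
        if dst != "sheets.googleapis.com":
            continue
        match = SHEETS_VALUES_RE.match(path)
        if match:
            sessions[(src, match.group(1))].append(int(ts))
    findings = []
    for (src, sheet_id), stamps in sessions.items():
        stamps.sort()
        reasons = []
        if src in NON_INTERACTIVE_HOSTS:
            reasons.append("sheets-api-from-non-interactive-host")
        if len(stamps) >= min_hits:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            # Coefficient of variation of the gaps: near zero means a fixed polling timer.
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append("periodic-polling")
        if reasons:
            findings.append({"src": src, "sheet": sheet_id, "hits": len(stamps), "reasons": reasons})
    return findings
```

The analyst workstation in the sample also touches a spreadsheet four times, but its irregular gaps keep it below the jitter threshold, so only the firewall's fixed 60-second polling is reported.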

Campaign Scope and Targeting

UNC2814 has a documented history dating back to 2017, with confirmed operations in over 70 countries. The group has demonstrated particular interest in international governments and global telecommunications organizations across Africa, Asia, and the Americas.

Beyond the 53 confirmed breaches, Google suspects additional infections in more than 20 other nations. The threat actor's global footprint underscores the serious risk facing telecommunications and government sectors worldwide.

Technical Infrastructure and Persistence

Initial access methods remain under investigation, though UNC2814 has a history of exploiting and compromising web servers and edge systems. Once inside a network, the group employs several sophisticated techniques:

  • Lateral Movement: Uses service accounts to move laterally via SSH
  • Living-off-the-Land (LotL): Leverages legitimate binaries for reconnaissance, privilege escalation, and persistence
  • Persistence Mechanisms: Creates systemd services at /etc/systemd/system/xapt.service and spawns malware instances from /usr/sbin/xapt
  • VPN Infrastructure: Deploys SoftEther VPN Bridge to establish outbound encrypted connections to external IP addresses

The abuse of SoftEther VPN has been previously linked to multiple Chinese hacking groups, suggesting potential shared infrastructure or tactics.

Espionage Focus Without Data Exfiltration

Evidence indicates that GRIDTIDE is deployed on endpoints containing personally identifiable information (PII), consistent with cyber espionage targeting persons of interest. However, Google noted that it did not observe any data exfiltration during the campaign.

This pattern suggests the threat actor may be focused on monitoring and intelligence gathering rather than immediate data theft, potentially positioning for future operations or long-term surveillance.

Network Edge Vulnerabilities

The campaign highlights how network edge appliances remain prime targets for nation-state actors. These devices typically lack endpoint malware detection yet provide direct network access or pivot points to internal services when compromised.

Google's intervention involved terminating all Google Cloud Projects controlled by the attacker, disabling known UNC2814 infrastructure, and cutting off access to attacker-controlled accounts and Google Sheets API calls used for C2 purposes.

Industry Response and Future Outlook

Google has issued formal victim notifications to all targeted organizations and is actively supporting those with verified compromises. The tech giant emphasized that such prolific intrusions result from years of focused effort and will not be easily re-established.

However, Google expects UNC2814 will work hard to re-establish its global footprint, highlighting the persistent nature of nation-state cyber operations. The disruption represents a significant setback but not a definitive end to the threat actor's activities.

This campaign joins a growing list of concurrent efforts by Chinese nation-state groups to embed themselves into networks for long-term access, demonstrating the ongoing challenge of defending against sophisticated, state-sponsored cyber espionage operations.
