A long-term Chinese cyber espionage operation that has been active since at least 2017 and has a count of at least 53 victims has been substantially disrupted, according to the Google Threat Intelligence Group (GTIG) and Mandiant.
Working with other security partners, the Google and Mandiant teams were able to disable all of the group’s known infrastructure and revoke access to Google accounts and API calls that they were making use of. The teams have also published a set of IOCs linked to UNC2814 infrastructure that has been in active use since at least 2023. The group is referred to as GRIDTIDE for the name of a unique backdoor that it deploys, and is suspected in attacks in at least 62 countries during its lengthy run.
Cyber espionage group known for abusing legitimate functionality of Google Sheets API
Google and Mandiant stress that the threat actor (UNC2814) does not share any apparent overlap with other big-name groups of Chinese hackers in the news recently, such as Silk and Salt Typhoon. However, the group has been in that same general cyber espionage strata in terms of capability and sustained success as it has run freely through mostly government agencies and telecommunications companies in dozens of countries for nearly 10 years.
One of the attacker’s key tactics, at least in recent years, is to abuse the legitimate functionality of the Google Sheets API to disguise its command-and-control traffic via a series of purchased cloud services arranged to look like normal business activity. Google says that they did not make use of any vulnerability in this process, rather just simply deployed the free spreadsheet app’s normal API functions in a clever way as a cloaking technique.
The Google Threat team notes that while it did not directly observe the group stealing sensitive information during its campaign, its targeting and breach of telecom companies mirrors numerous known China-backed attacks dedicated to dwelling for as long as possible and extracting as much information of interest as possible. The group was observed dropping the GRIDTIDE backdoor in a victim endpoint known to contain an assortment of sensitive PII including national and voter ID numbers and dates and places of birth.
In total the threat hunters suspect UNC2814 of intrusions in about 70 countries, and have confirmed 53 breaches across 42 nations since 2018. Steve Cobb, Chief Information Security Officer at SecurityScorecard, provides some insight into the group’s tactics and what likely targeted organizations can do to prepare themselves: “When 53 organizations across 42 countries are confirmed victims, with suspected infections in at least 20 more, it signals a coordinated effort to gain strategic footholds rather than execute quick hit operations. Targeting telecommunications providers in particular reflects a calculated move. Access at that layer creates visibility across vast networks of government and enterprise communications, allowing adversaries to expand their reach without triggering immediate disruption. It is a quiet but powerful way to accumulate intelligence and maintain optionality for the future. This activity reinforces a larger supply chain challenge. Telecom providers are connective tissue between sectors, and that level of concentration introduces systemic risk when compromised. Persistent access inside a core service provider can remain undetected while delivering ongoing strategic advantage to an adversary. Organizations cannot rely on annual assessments or passive oversight of critical vendors. Continuous monitoring and the ability to rapidly investigate anomalies across third party environments are now baseline requirements. In an environment shaped by nation state actors, resilience depends on how quickly you can detect and respond across your entire ecosystem, not just within your own walls.”
UNC2814 deploys unique tactics
The threat actor generally targets exposed edge devices and web servers as its initial point of compromise, something not at all unusual for the Chinese cyber espionage groups. Nearly all of these groups focus heavily on scouting for and exploiting known but unpatched vulnerabilities, particularly in low-visibility areas. The Google report outlines actions taken by the threat actor on a CentOS server, where Mandiant first responded to reports of suspicious activity.
As mentioned, the researchers did not directly observe exfiltration of data by this group. However, similar prior Chinese espionage campaigns against telcos have generally targeted the call data records and SMS messages of specific persons of interest. Activity is often limited to relatively few targets so as to preserve access for as long as possible, despite often having a very broad ability to steal customer records. In the case of the breach of all the major US telcos by the assorted “Typhoon” groups, the attackers were also interested in the built-in “lawful intercept” system used when law enforcement agencies have a valid court order to monitor a suspect’s communications.
As to the technical aspects of the use of Google Sheets for cloaking, the GRIDTIDE malware will drop a 16-byte cryptographic key on the target that is used to decrypt Google Drive configuration data. This configuration data contains the service account associated with UNC2814’s Google Sheets document, and a private key for the account. GRIDTIDE connects to the malicious command-and-control spreadsheet using the Google Service Account for API authentication. It then sanitizes the spreadsheet and copies key details about the victim endpoint to it: username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone.
Though this is a substantial blow to UNC2814’s operational capability, Chinese cyber espionage is well-funded and persistent and the researchers believe the group will be immediately working to re-establish its prior capability. It may well be diminished for years, but China has many other hacking tentacles out there with much of its activity now outsourced to assorted private companies in the country. Chinese hacking groups are thought to be behind the recent campaign involving exploitation of a zero-day in Dell RecoverPoint software, as well as another long-term campaign involving VPN flaws in Ivanti’s Pulse Secure.

