More than 50 organizations across 42 countries were quietly breached over years.

A Global Campaign Hidden in Plain Sight
Google has revealed that it disrupted the infrastructure of a suspected China-nexus cyber espionage group it tracks as UNC2814.
According to Google Threat Intelligence Group (GTIG) and Mandiant, the group breached at least 53 organizations across 42 countries, and investigators believe the true footprint may extend to more than 70 nations.
The targets included international governments and global telecommunications providers across Africa, Asia, and the Americas.
This was not a smash-and-grab attack. Instead, it was long-term, stealthy espionage.
The Backdoor That Hid in Google Sheets
At the center of the operation sits a custom backdoor called GRIDTIDE.
GRIDTIDE abused the Google Sheets API as its command-and-control (C2) channel. Rather than beaconing to attacker-owned servers, the implant read commands from, and wrote results to, cells of an attacker-controlled spreadsheet.
Every C2 exchange was therefore an ordinary HTTPS request to a Google API endpoint, blending into the SaaS traffic most networks already allow.
The malware operated using a cell-based polling mechanism:
- Cell A1: Polled for attacker commands
- Cells A2 to An: Carried file transfers and command output
- Cell V1: Stored victim system data
Because the traffic was indistinguishable at the network layer from legitimate Google API use, monitoring keyed to suspicious domains, IP reputation or unknown protocols had little to flag. Spotting it means looking at which hosts call the API, how often, and whether those hosts have any business doing so.
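A detection approach for this kind of C2, as an added example that is not part of the original article or of Google's or Mandiant's tooling: instead of looking for bad domains, group egress proxy log entries by client and spreadsheet ID and look for one Sheets API call repeated on a steady cadence, which is what cell polling looks like from outside. The log format, client addresses, spreadsheet IDs and timestamps are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Hunt for Sheets API beaconing of the kind GRIDTIDE used, in web-proxy logs.

Added example, not code from the article or from Google/Mandiant. It assumes
a proxy log of the form "<ISO timestamp> <client IP> <method> <URL>"; the
hosts, spreadsheet IDs and timestamps below are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Only Sheets API "values" calls matter: these are what a cell-based C2 must
# issue to poll a command cell or write output cells. The range group stops
# before an optional ":append" suffix or query string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https://sheets\.googleapis\.com/v4/spreadsheets/(?P<sheet>[^/]+)/values/"
    r"(?P<range>[^?\s]+?)(?::append)?(?:\?\S*)?$"
)

# Constructed sample: 10.0.5.17 (a server) polls cell A1 every 60 s and writes
# to V1 and A2, matching the cell layout described above; 10.0.9.40 (a
# workstation) touches a spreadsheet a few times by hand during the morning.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T10:00:05Z 10.0.5.17 PUT https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/V1?valueInputOption=RAW
2024-05-01T10:01:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T10:02:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T10:03:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T10:03:30Z 10.0.5.17 POST https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A2:append?valueInputOption=RAW
2024-05-01T10:04:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T10:05:00Z 10.0.5.17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/A1
2024-05-01T09:12:03Z 10.0.9.40 GET https://docs.google.com/spreadsheets/d/9ZyXwV/edit
2024-05-01T09:12:03Z 10.0.9.40 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:D20
2024-05-01T09:13:41Z 10.0.9.40 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:D20
2024-05-01T09:40:10Z 10.0.9.40 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:D20
2024-05-01T10:22:55Z 10.0.9.40 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:D20
2024-05-01T13:05:02Z 10.0.9.40 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1!A1:D20
"""


def parse_events(log_text):
    """Return (timestamp, src, method, sheet_id, range) for each Sheets values call."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # browsing docs.google.com, other hosts, etc. are not of interest
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["method"], m["sheet"], m["range"]))
    return events


def find_beacons(events, min_polls=5, max_jitter=0.25, min_regular=0.75):
    """Flag (client, spreadsheet) pairs whose most frequent call repeats on a steady cadence.

    The most frequent (method, range) per client/spreadsheet is treated as the
    poll; the regularity check runs on that series alone, so occasional writes
    to other cells (V1, A2...) do not mask the beat. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, method, sheet, rng in events:
        by_pair[(src, sheet)].append((ts, method, rng))

    findings = []
    for (src, sheet), hits in by_pair.items():
        (poll_method, poll_range), n = Counter((m, r) for _, m, r in hits).most_common(1)[0]
        if n < max(min_polls, 2):
            continue
        times = sorted(t for t, m, r in hits if (m, r) == (poll_method, poll_range))
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Share of inter-poll gaps within max_jitter of the median gap.
        regular = sum(abs(g - median) <= max_jitter * median for g in gaps) / len(gaps)
        if regular < min_regular:
            continue
        other = sorted({f"{m} {r}" for _, m, r in hits if (m, r) != (poll_method, poll_range)})
        findings.append({
            "src": src,
            "sheet": sheet,
            "poll": f"{poll_method} {poll_range}",
            "polls": n,
            "median_gap_s": median,
            "regularity": round(regular, 2),
            "other_calls": other,
        })
    return findings


def hunt(log_text=SAMPLE_LOG):
    return find_beacons(parse_events(log_text))


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

On real data, feed hunt() a proxy export in the same format and review each flagged client against its role: a workstation whose user works in Sheets is expected traffic, while a telecom core server or web host calling the Sheets API every minute is not. The median-based check is deliberate; a mean-and-standard-deviation test would be thrown off by the writes interleaved between polls, which is exactly how a cell-based C2 behaves.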
Living-Off-the-Land for Stealth
UNC2814 relied heavily on living-off-the-land techniques, using tools and services already present on victim hosts rather than dropping additional tooling that could be signatured.
After initial access, the attackers:
- Used SSH for lateral movement
- Leveraged service accounts for internal access
- Used built-in system binaries for reconnaissance
- Created systemd services for persistence
For example, they registered the malware as a systemd service at:
/etc/systemd/system/xapt.service
Once enabled, the unit started the implant binary at /usr/sbin/xapt on every boot, giving them persistence that survived reboots under a name that reads like part of the system's own tooling.
They also deployed SoftEther VPN Bridge, a legitimate open-source VPN package, to build encrypted outbound tunnels from compromised hosts. SoftEther abuse is a recurring feature of China-linked campaigns.
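A hunt for the persistence described above, as an added example that is not code from the article or from Google/Mandiant: it parses the locally created units under /etc/systemd/system (package-shipped units normally live under /usr/lib/systemd/system), extracts the executables named in Exec* directives, and asks the package manager whether each belongs to an installed package. A binary under /usr/sbin that no package owns, as /usr/sbin/xapt would be, is the thing to review. The sample units, the packaged-file set used for the sample run, and the list of directories treated as suspicious are assumptions constructed for the example.

```python
"""Audit admin-created systemd units for executables no package owns.

Added example, not code from the article or from Google/Mandiant. Units under
/etc/systemd/system are locally created and are where a persistence unit such
as xapt.service would be dropped. The unit texts and the package-ownership
set used in the sample run are constructed; on a real host pass
dpkg_or_rpm_owns as the ownership oracle instead.
"""
import re
import shutil
import subprocess
from pathlib import Path

UNIT_DIR = Path("/etc/systemd/system")
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost)\s*=(.*)$", re.M)
PREFIX_CHARS = "-@:+!"  # systemd exec-prefix characters, e.g. "ExecStart=-/usr/bin/foo"
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")  # assumption: tune per site


def exec_binaries(unit_text):
    """Return the executable paths named by Exec* directives in a unit file."""
    paths = []
    for value in EXEC_RE.findall(unit_text):
        value = value.strip()
        if not value:
            continue  # an empty assignment clears earlier commands; nothing to audit
        first = value.split()[0].lstrip(PREFIX_CHARS)
        if first:
            paths.append(first)
    return paths


def dpkg_or_rpm_owns(path):
    """Ownership oracle for real hosts: True if dpkg or rpm knows the file."""
    if shutil.which("dpkg"):
        return subprocess.run(["dpkg", "-S", path], capture_output=True).returncode == 0
    if shutil.which("rpm"):
        return subprocess.run(["rpm", "-qf", path], capture_output=True).returncode == 0
    raise RuntimeError("no dpkg or rpm on this host")


def audit_units(units, owned_by_package):
    """units: {unit_name: unit_text}. Returns one finding per executable worth a look."""
    findings = []
    for name, text in units.items():
        for binary in exec_binaries(text):
            reasons = []
            if not binary.startswith("/"):
                # systemd resolves bare names via PATH; unusual in a service unit
                reasons.append("executable resolved via PATH rather than an absolute path")
            else:
                if any(binary.startswith(d + "/") for d in SUSPECT_DIRS):
                    reasons.append("executable lives in a temporary or home directory")
                if not owned_by_package(binary):
                    reasons.append("executable is not owned by any installed package")
            if reasons:
                findings.append({"unit": name, "binary": binary, "reasons": reasons})
    return findings


def load_units(unit_dir=UNIT_DIR):
    """Read every *.service unit from the local unit directory."""
    return {p.name: p.read_text(errors="replace") for p in unit_dir.glob("*.service") if p.is_file()}


# Constructed sample units (not the real xapt.service contents) and a
# constructed set standing in for "files the package manager knows about".
SAMPLE_UNITS = {
    "xapt.service": (
        "[Unit]\nAfter=network.target\n\n"
        "[Service]\nType=simple\nExecStart=/usr/sbin/xapt\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "site-backup.service": (
        "[Service]\nType=oneshot\nExecStart=/usr/local/bin/site-backup.sh --nightly\n"
    ),
    "updater.service": (
        "[Service]\nExecStartPre=-/bin/mkdir -p /tmp/.cache\nExecStart=/tmp/.cache/run\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "docker.service": (  # a local unit that only points at packaged binaries
        "[Service]\nExecStart=/usr/bin/dockerd -H fd://\nExecReload=/bin/kill -s HUP $MAINPID\n"
    ),
}
SAMPLE_PACKAGED = {"/usr/bin/dockerd", "/bin/kill", "/bin/mkdir"}


def audit_sample():
    return audit_units(SAMPLE_UNITS, lambda p: p in SAMPLE_PACKAGED)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real host run audit_units(load_units(), dpkg_or_rpm_owns) as root. Expect legitimate hits: a locally written script in /usr/local/bin is flagged the same way as /usr/sbin/xapt, so the output is a review list rather than a verdict. The next step for each hit is a timeline: modification times of the binary and the unit file, and journalctl -u for the unit's first start.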
Edge Devices as Entry Points
The initial access vector has not been confirmed and remains under investigation. However, the group has a history of exploiting vulnerable web servers and internet-facing network appliances.
Edge devices frequently cannot run endpoint detection agents, yet they sit directly on the boundary with the internal network.
That combination makes them high-value targets for espionage groups seeking long-term footholds.
Espionage Without Immediate Exfiltration
GRIDTIDE infections were found on systems that hold personally identifiable information (PII), which is consistent with an intelligence collection objective.
Google did not observe active data exfiltration during the disruption effort, but researchers believe many of the compromises had persisted for years.
This suggests the objective was to maintain quiet, durable access rather than to steal data quickly.
Google’s Response
Google terminated attacker-controlled Google Cloud projects, disabled malicious infrastructure, and blocked abuse of Google Sheets API channels.
The company also issued victim notifications and is assisting affected organizations.
Google described the campaign as one of the most far-reaching espionage operations it has encountered in recent years.
Strategic Implications
UNC2814 illustrates three trends:
- SaaS platforms can become covert C2 infrastructure.
- Long-term espionage campaigns prioritize stealth over speed.
- Edge systems remain weak points in enterprise security.
The scale of this activity underscores a broader reality: nation-state actors increasingly embed themselves quietly within telecommunications and government networks.
These intrusions are built up over years, and dismantling them requires an equally sustained defensive effort.