Google recently shut down a long-running surveillance operation by a China-linked hacking group that had infiltrated dozens of organizations across more than forty countries. By routing its command-and-control traffic and stolen data through Google Sheets, where it blended in with ordinary business use of the service, the group, tracked as Gallium or UNC2814, maintained a presence inside government and telecommunications networks for nearly a decade.
Google and several unnamed partners moved to dismantle the infrastructure UNC2814 used in breaching at least 53 organizations worldwide. The takedown involved terminating the specific cloud projects and disabling the accounts the group relied on for its espionage. Google stressed that its own systems were not compromised: the attackers abused legitimately created Google services as a channel whose traffic looks like normal internet activity.
The group has spent nearly a decade specializing in the penetration of telecommunications companies and government entities to build a global surveillance apparatus. According to threat intelligence analysts, its primary goal was to spy on specific individuals and organizations by exfiltrating sensitive data. In one case the group deployed a backdoor to reach a database of highly personal information, including national ID numbers, birth dates, and voter records.
The activity was remarkably broad, with confirmed breaches in 42 countries and evidence of possible access in nearly two dozen more. Beyond stealing identity files, the campaign monitored communications by capturing call records and intercepting text messages. Inside telecommunications networks, that level of access extended to providers' lawful intercept capabilities, which the intruders turned against their targets to track them with high precision.
In response to these findings, representatives from the Chinese Embassy stated that cybersecurity remains a shared global challenge that should be solved through international cooperation rather than public accusations. They maintained that China strictly prohibits hacking and accused critics of using these reports to smear the country's reputation. This specific operation is considered separate from other recent high-profile breaches, such as the Salt Typhoon campaign that targeted prominent political figures in the United States.
While the disruption has significantly hampered the group's current capabilities, security experts note that Gallium's long history makes it a persistent threat. Command and control over widely used cloud services remains a hard problem for defenders: the malicious traffic goes to the same domains as everyday business use, so it cannot simply be blocked at the perimeter, and detection has to rely on behavioural signals such as which client is talking to the service and how regularly. By exposing these tactics and removing the underlying infrastructure, Google aims to raise the cost and complexity for state-sponsored actors attempting similar long-term surveillance projects.
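One behavioural check a defender can run against web-proxy logs is to look for timer-driven polling of a SaaS endpoint such as the Google Sheets API by a client that is not an interactive browser. The following is an added example written for this article, not code from Google or from the article's source; the log lines are constructed, the client names and the second watched hostname are assumptions for the example, and the thresholds (minimum event count, allowed interval jitter) are illustrative starting points rather than published detection values.

```python
"""
Added example: flag periodic ("beaconing") connections to a watched SaaS
endpoint in constructed proxy logs. Interactive use of a spreadsheet service
is bursty and comes from a browser; C2 traffic tends to poll on a fixed timer.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints that cannot be blocked outright but deserve behavioural review.
# sheets.googleapis.com is the real Sheets API host; docs.google.com is an
# assumption added for the example.
WATCHED_DESTS = {"sheets.googleapis.com", "docs.google.com"}

# Client names treated as interactive browsers (assumption for the example).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

MIN_EVENTS = 6   # fewer samples give a meaningless interval statistic
MAX_CV = 0.10    # coefficient of variation of gaps below this = timer-driven

# Constructed sample log, one event per line: timestamp|host|client|dest
SAMPLE_LOG = """\
2024-03-01T09:00:00|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:00:00|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:00:12|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:01:00|ws-03|updater.exe|sheets.googleapis.com
2024-03-01T09:03:45|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:04:00|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:05:01|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:06:00|ws-03|updater.exe|sheets.googleapis.com
2024-03-01T09:10:00|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:12:00|ws-22|chrome.exe|example.com
2024-03-01T09:15:02|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:19:59|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:20:30|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:21:05|ws-22|chrome.exe|sheets.googleapis.com
2024-03-01T09:25:00|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:30:01|ws-17|updater.exe|sheets.googleapis.com
2024-03-01T09:35:00|ws-17|updater.exe|sheets.googleapis.com
"""


def parse_log(text):
    """Parse the constructed '|'-separated format into (ts, host, client, dest)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, client, dest = line.split("|")
        events.append((datetime.fromisoformat(ts), host, client, dest))
    return events


def find_beacons(events, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return (host, client, dest) tuples whose contact cadence is suspiciously regular."""
    groups = defaultdict(list)
    for ts, host, client, dest in events:
        if dest in WATCHED_DESTS:
            groups[(host, client, dest)].append(ts)

    findings = []
    for (host, client, dest), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events share one timestamp; no cadence to judge
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "host": host,
                "client": client,
                "dest": dest,
                "events": len(stamps),
                "mean_interval_s": avg,
                "cv": cv,
                # A browser beaconing on a timer is still worth a look, but a
                # non-browser process polling a spreadsheet API is the stronger signal.
                "browser": client in BROWSERS,
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} {f['client']} -> {f['dest']}: {f['events']} events, "
              f"~{f['mean_interval_s']:.0f}s apart, cv={f['cv']:.3f}, browser={f['browser']}")
```

On the constructed data, ws-17's updater.exe polls sheets.googleapis.com every five minutes with a second or two of jitter and is reported; ws-22's browser session hits the same host six times at irregular intervals and is not; ws-03 has too few events to judge. In production the same grouping keys would come from an EDR or proxy that records the originating process, and the interval statistic should be computed over a sliding window rather than the whole log so that a beacon that starts mid-day is not diluted by earlier quiet hours.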
Source: Google Disrupts Chinese-Linked Hacker Campaign Targeting 53 Groups Worldwide