Google recently collaborated with industry partners to dismantle the infrastructure of UNC2814, a cyber espionage group linked to China. The operation followed the discovery that the group had breached at least 53 organizations worldwide while hiding its command-and-control traffic behind legitimate cloud services.
The actor has targeted government and telecommunications entities across several continents for an extended period, with evidence of infections in over 60 countries. To stay undetected, it communicated with software-as-a-service applications through their ordinary APIs, so that command-and-control traffic blended in with normal business use of those services.
The primary tool in these operations is GRIDTIDE, a custom backdoor written in C that abuses the Google Sheets API both to receive commands and to transfer data. Researchers believe many of the affected organizations have been compromised for years; the initial access method is still under investigation, with exploitation of web servers considered the most likely vector.
Once inside a network, the attackers used service accounts and standard system tools to move laterally and escalate privileges. They achieved persistence on Linux systems by creating hidden services so the malware restarted automatically, and deployed encrypted VPN bridges to keep outbound connections to their external servers.
The campaign appeared focused on intelligence gathering: the malware was frequently found on systems holding sensitive personal information. Although the activity is consistent with espionage and the monitoring of specific individuals, investigators observed no data exfiltration during the period covered by this disruption.
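Because the implant's traffic goes to a service many organizations use legitimately, blocking the destination is rarely an option; what a defender can do is look for hosts that should not be talking to the Sheets API at all, and for request timing that looks like a machine polling rather than a person working. The script below is an added hunting example, not code from Google's report and not the GRIDTIDE implant itself. Everything beyond the fact that the backdoor uses the Google Sheets API is an assumption made for the example: the proxy log format ("timestamp src_host method dest_host path"), the constructed sample log, the server-role hostname prefixes, and the beaconing threshold. sheets.googleapis.com is the real hostname of the Google Sheets API v4; the spreadsheet IDs, hostnames and polling cadence in the sample are made up.

```python
"""Hunt for Google Sheets API command-and-control in proxy logs.

Added illustrative example; it is not code from Google's report and not the
GRIDTIDE implant. Assumptions not taken from the article: the log format
"timestamp src_host method dest_host path", the constructed sample below, the
server-role host prefixes, and the beaconing threshold. sheets.googleapis.com
is the real hostname of the Google Sheets API v4; the spreadsheet IDs, hosts
and cadence in the sample are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"
# Hostname prefixes of machines with no business reason to use Sheets
# (assumption for the example; derive this from your own asset inventory).
SERVER_PREFIXES = ("web-", "db-", "app-")

# Constructed sample log: web-01 polls one spreadsheet every ~5 minutes and
# occasionally writes to it; ws-alice is a person using Sheets normally;
# web-02 never touches the API.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z web-01 GET sheets.googleapis.com /v4/spreadsheets/AAAA/values/Sheet1!A1:B5
2024-05-01T09:05:01Z web-01 GET sheets.googleapis.com /v4/spreadsheets/AAAA/values/Sheet1!A1:B5
2024-05-01T09:10:00Z web-01 GET sheets.googleapis.com /v4/spreadsheets/AAAA/values/Sheet1!A1:B5
2024-05-01T09:15:02Z web-01 PUT sheets.googleapis.com /v4/spreadsheets/AAAA/values/Sheet2!A1
2024-05-01T09:20:00Z web-01 GET sheets.googleapis.com /v4/spreadsheets/AAAA/values/Sheet1!A1:B5
2024-05-01T09:03:12Z ws-alice GET sheets.googleapis.com /v4/spreadsheets/BBBB/values/Q2
2024-05-01T09:31:45Z ws-alice GET sheets.googleapis.com /v4/spreadsheets/BBBB/values/Q2
2024-05-01T11:02:03Z ws-alice POST sheets.googleapis.com /v4/spreadsheets/BBBB/values:batchUpdate
2024-05-01T09:07:00Z web-02 GET example.com /index.html
"""


def parse_log(text):
    """Parse lines of 'ts src method host path' into tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split(maxsplit=4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host, path))
    return events


def sheets_api_calls(events):
    """Group Sheets API requests by source host, ordered by time."""
    by_src = defaultdict(list)
    for ts, src, method, host, path in events:
        if host == SHEETS_API_HOST:
            by_src[src].append((ts, method, path))
    for calls in by_src.values():
        calls.sort(key=lambda c: c[0])
    return by_src


def beacon_score(timestamps):
    """Mean gap in seconds and its coefficient of variation (low = regular cadence).

    Returns None when fewer than three requests exist, since two points
    cannot establish a rhythm."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def hunt(text, max_cv=0.1):
    """Return [(src_host, [reasons])] for hosts worth investigating.

    A host is reported when it is a server-role machine or when its request
    timing is regular enough to look like implant polling. A mix of reads and
    writes is appended as context because it fits a two-way C2 channel, but
    on its own it is normal user behaviour and does not trigger a finding."""
    findings = []
    for src, calls in sheets_api_calls(parse_log(text)).items():
        reasons = []
        if src.startswith(SERVER_PREFIXES):
            reasons.append("server-role host calling the Sheets API")
        score = beacon_score([c[0] for c in calls])
        if score is not None and score[1] <= max_cv:
            reasons.append(f"regular polling every ~{score[0]:.0f}s (cv={score[1]:.3f})")
        if reasons:
            methods = {m for _, m, _ in calls}
            if "GET" in methods and methods & {"PUT", "POST"}:
                reasons.append("both reads and writes to the API (two-way channel)")
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG):
        print(src)
        for r in reasons:
            print("  -", r)
```

On the sample, only web-01 is reported (server role, ~300 s polling with very low jitter, and both reads and writes); ws-alice also reads and writes but at irregular human intervals from a workstation, so it is not flagged. In production the same logic would run over proxy or DNS telemetry with role data taken from the asset inventory, and the cv threshold should be tuned against a baseline of known-good automation that legitimately talks to the Sheets API.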
Source: Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Attacks In 42 Countries