Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Google and Industry Partners Dismantle Global Espionage Network Linked to China

In a sweeping international cybersecurity operation, Google has revealed it joined forces with industry partners to dismantle the infrastructure of a suspected China-linked cyber espionage group that compromised at least 53 organizations across 42 countries. The operation, announced Wednesday, targeted the elusive hacking collective known as UNC2814, which has been under surveillance by Google’s Threat Intelligence Group since 2017.

“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” Google stated in a detailed technical report published alongside the announcement.

The campaign’s sophistication lies in its innovative use of legitimate cloud infrastructure as a weapon. UNC2814 employed a novel backdoor malware dubbed GRIDTIDE, which abuses the Google Sheets API as a covert command-and-control (C2) channel. By disguising malicious traffic as benign API calls to a popular software-as-a-service (SaaS) application, the group effectively camouflaged its activities within normal network traffic patterns.

GRIDTIDE, written in C, functions as a versatile espionage tool supporting file upload/download capabilities and execution of arbitrary shell commands. The malware’s architecture is particularly insidious—it establishes persistence by creating a service at /etc/systemd/system/xapt.service and spawns new instances from /usr/sbin/xapt once enabled.
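The two persistence artifacts named above are the kind of host-level indicator a responder can sweep for directly. The script below is an added example, not code from Google’s report or from the malware: it checks a Linux filesystem for the systemd unit and binary paths the article cites, and additionally flags any other unit file whose ExecStart points at a binary called xapt, in case the unit was renamed. The optional root-prefix argument is an assumption added so the same check can be run against a mounted disk image or a forensic copy rather than only the live host.

```shell
#!/bin/sh
# Added example (not from the article or the malware): sweep a Linux
# filesystem for the GRIDTIDE persistence indicators named in the report.
#
# Indicators from the article:
#   /etc/systemd/system/xapt.service   (service created for persistence)
#   /usr/sbin/xapt                      (binary the service spawns)
#
# Usage: check_gridtide_persistence [ROOT]
#   ROOT defaults to "/" (the live host); pass a mount point such as
#   /mnt/image to inspect an offline disk image. This argument is an
#   assumption added for the example, not part of any published tooling.
# Prints one "FOUND: ..." line per hit and returns 1 if anything was found.

check_gridtide_persistence() {
    root="${1:-/}"
    root="${root%/}"            # strip trailing slash so "/" becomes ""
    found=0

    # 1. Exact paths reported by Google.
    for rel in /etc/systemd/system/xapt.service /usr/sbin/xapt; do
        p="$root$rel"
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            found=$((found + 1))
        fi
    done

    # 2. Any other systemd unit whose ExecStart references an xapt binary,
    #    to catch a renamed unit pointing at the same payload.
    unit_dir="$root/etc/systemd/system"
    if [ -d "$unit_dir" ]; then
        for unit in "$unit_dir"/*.service; do
            [ -f "$unit" ] || continue
            [ "$(basename "$unit")" = "xapt.service" ] && continue   # already counted
            if grep -q 'ExecStart=.*/xapt' "$unit" 2>/dev/null; then
                echo "FOUND: unit referencing xapt binary: $unit"
                found=$((found + 1))
            fi
        done
    fi

    [ "$found" -eq 0 ]
}

# Run against the live host when executed directly (not when sourced for tests).
if [ "${0##*/}" = "check_gridtide.sh" ]; then
    check_gridtide_persistence "$@" && echo "no GRIDTIDE persistence indicators found"
fi
```

A hit on either path should be treated as a trigger for full host triage rather than simple cleanup, since the article notes the group also moves laterally over SSH with service accounts and may have established a SoftEther VPN Bridge tunnel from the same host.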

While the exact initial access vector remains under investigation, UNC2814 has demonstrated a pattern of exploiting and compromising web servers and edge systems. Once inside target networks, the group leverages service accounts to move laterally via SSH and employs living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and maintaining persistent access.

Adding another layer to their operational security, UNC2814 deployed SoftEther VPN Bridge to establish encrypted outbound connections to external IP addresses. This technique isn’t unique to this group—the abuse of SoftEther VPN has been linked to multiple Chinese hacking collectives in recent years, suggesting a shared playbook within certain state-sponsored cyber units.

The espionage campaign’s focus appears squarely on intelligence gathering. Evidence indicates GRIDTIDE is deployed specifically on endpoints containing personally identifiable information (PII), consistent with cyber espionage objectives targeting persons of interest. Interestingly, Google noted it did not observe actual data exfiltration during the campaign, suggesting the group may be in an information-gathering phase or using alternative exfiltration methods.

GRIDTIDE’s command-and-control mechanism employs a clever cell-based polling system within Google Sheets. Specific spreadsheet cells are assigned distinct roles: cell A1 polls for attacker commands and returns status responses like “S-C-R” (Server-Command-Success); cells A2 through An transfer data including command output and files; and cell V1 stores system data from compromised endpoints. This spreadsheet-based communication channel allows bidirectional data flow while appearing as legitimate cloud activity.

As part of the coordinated disruption, Google terminated all Google Cloud Projects controlled by UNC2814, disabled known infrastructure, and blocked access to attacker-controlled accounts and Google Sheets API calls used for C2 purposes. The tech giant characterized this as one of the “most far-reaching, impactful campaigns” encountered in recent years and has issued formal victim notifications to all identified targets.

This operation represents just one front in what security researchers describe as concurrent efforts by Chinese nation-state groups to establish long-term network access across global targets. The campaign underscores a critical vulnerability that continues to plague enterprise security: the network edge.

Edge devices and appliances have become increasingly attractive targets for sophisticated threat actors because they typically lack robust endpoint malware detection while providing direct network access or pivot points to internal services when compromised. According to recent security analyses, these appliances represent the “soft underbelly” of enterprise networks, where attacks concentrate and defenses often fall short.

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” Google emphasized.

The scale and sophistication of this campaign—requiring years of focused effort to establish such an extensive global footprint—demonstrate the persistent threat posed by state-sponsored cyber operations. Google warned that while this disruption represents a significant setback, UNC2814 will likely work diligently to reestablish its operational capabilities.

Tags: UNC2814, GRIDTIDE, Google Sheets API, cyber espionage, China-linked hacking, network security, command-and-control infrastructure, living-off-the-land techniques, SoftEther VPN, telecommunications security, government hacking, cloud-based malware, edge device vulnerabilities, state-sponsored cyber attacks, global cyber campaign
