Chinese cyberspies breached dozens of telecom firms, govt agencies
Chinese Cyber Espionage Group UNC2814 Breaches 53 Telecom and Government Networks Using Stealthy SaaS-Based Malware
In a sweeping global cyber espionage campaign, a suspected Chinese threat actor known as UNC2814 has successfully infiltrated 53 organizations across 42 countries, targeting telecom providers and government agencies with sophisticated malware designed to evade detection. Google’s Threat Intelligence Group (GTIG), Mandiant, and a coalition of partners have disrupted the operation, but experts warn the threat actor is likely to regroup and resume operations using new infrastructure.
The campaign, active since at least 2023, relied on initial access vectors that have not been identified, though UNC2814 has a history of exploiting vulnerabilities in web servers and edge systems. Once inside, the group deployed GRIDTIDE, a novel C-based backdoor that uses the Google Sheets API to disguise its command-and-control (C2) traffic as legitimate SaaS activity.
GRIDTIDE’s operational stealth is its defining feature. Upon execution, it authenticates using a hardcoded private key tied to a Google Service Account. It then sanitizes the targeted spreadsheet by deleting the first 1,000 rows and columns A through Z, creating a clean slate. The malware collects host reconnaissance data—including username, hostname, OS details, local IP, locale, and timezone—and logs it into cell V1.
Commands are issued through cell A1, which GRIDTIDE polls continuously. If no instructions are present, it retries every second for 120 attempts before switching to randomized 5–10 minute intervals to reduce network noise. GRIDTIDE supports three primary operations:
- C: Execute Base64-encoded bash commands and write the output to the sheet.
- U: Upload data from cells A2:A and reconstruct it into a file at the specified path.
- D: Download a local file and exfiltrate it in ~45 KB chunks to cells A2:An.
To further evade detection, GRIDTIDE encodes its C2 exchanges using URL-safe Base64, blending malicious traffic with normal SaaS activity. In at least one confirmed case, the malware was found on a system containing sensitive personally identifiable information (PII), though direct data exfiltration was not observed.
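As an added defender-side example (not from the article or from Google's report), the following Python flags hosts whose web-proxy logs show the polling cadence described above: repeated one-second reads of a single spreadsheet's A1 cell. The log format, host names, spreadsheet IDs and detection thresholds are all constructed assumptions for this example.

```python
"""Flag hosts whose proxy logs show GRIDTIDE-style Google Sheets API polling (example, assumptions labelled)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed proxy log layout: "<iso-timestamp> <source-host> <method> <url>"
SHEETS_REQ = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>GET|PUT|POST) "
    r"https://sheets\.googleapis\.com/v4/spreadsheets/(?P<sheet>[^/]+)/values/(?P<range>\S+)"
)


def parse_sheets_requests(log_text):
    """Yield (timestamp, host, spreadsheet_id, range) for Sheets API value requests only."""
    for line in log_text.splitlines():
        m = SHEETS_REQ.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["sheet"], m["range"]


def find_gridtide_like_polling(log_text, min_polls=10, max_gap_s=1.5):
    """Return {host: spreadsheet_id} for hosts that read one sheet's A1 cell at ~1 s intervals.

    GRIDTIDE polls its command cell (A1) once per second, up to 120 times, before backing off
    to 5-10 minute intervals; a benign client does not hammer a single cell like that.
    min_polls and max_gap_s are assumed thresholds, not values taken from the report.
    """
    reads = defaultdict(list)
    for ts, host, sheet, rng in parse_sheets_requests(log_text):
        if rng.split("!")[-1].upper() == "A1":          # strip any "Tab!" prefix, keep the cell
            reads[(host, sheet)].append(ts)
    suspicious = {}
    for (host, sheet), times in reads.items():
        times.sort()
        tight = sum(1 for a, b in zip(times, times[1:]) if (b - a).total_seconds() <= max_gap_s)
        if tight + 1 >= min_polls:                       # N tight gaps means N+1 rapid polls
            suspicious[host] = sheet
    return suspicious


def constructed_log():
    """Constructed sample traffic: 15 one-second A1 polls from a server plus benign finance reads."""
    base = "https://sheets.googleapis.com/v4/spreadsheets/"
    lines = [f"2024-03-01T10:00:{s:02d} srv-db-01 GET {base}SHEET_ID_PLACEHOLDER/values/A1" for s in range(15)]
    lines.append(f"2024-03-01T10:00:03 wks-fin-07 GET {base}BUDGET_SHEET_PLACEHOLDER/values/Q1!A1:F40")
    lines.append(f"2024-03-01T10:05:03 wks-fin-07 GET {base}BUDGET_SHEET_PLACEHOLDER/values/A1")
    lines.append("2024-03-01T10:00:05 srv-db-01 GET https://www.example.com/health")
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_gridtide_like_polling(constructed_log()))
```

In a real deployment the same logic runs over proxy or DNS logs; servers that never legitimately touch spreadsheets are the highest-value hosts to watch.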
Google, Mandiant, and partners launched a coordinated takedown, terminating all Google Cloud projects linked to UNC2814, disabling malicious infrastructure, revoking Google Sheets API access, and sinkholing active domains. Affected organizations were directly notified and offered remediation support.
Despite the comprehensive disruption, Google anticipates UNC2814 will adapt quickly, deploying new infrastructure and techniques in the near future. The full technical breakdown, including detection rules and indicators of compromise (IoCs), is available in Google’s public report.
Tags: #Cybersecurity #Espionage #UNC2814 #GRIDTIDE #GoogleSheetsMalware #APT #TelecomBreach #GovernmentHack #CyberThreat #SaaSExploitation #ThreatIntelligence #Mandiant #GTIG #ChineseHackers #DataBreach #CyberDefense #MalwareAnalysis #NetworkSecurity #InfoSec #CyberWarfare