Google’s Threat Intelligence Group (GTIG), Mandiant, and industry partners have disrupted a large-scale cyber espionage campaign attributed to a suspected Chinese threat actor that concealed malicious communications within legitimate SaaS traffic.
The operation, active since at least 2023, targeted telecommunications providers and government networks across Africa, Asia, and the Americas. Confirmed compromises span 53 organizations in 42 countries, with suspected infections in at least 20 additional nations.
Google tracks the threat cluster as UNC2814. Researchers were not able to determine the initial access vector in the observed campaign, but noted that the group has previously gained entry by exploiting vulnerabilities in web servers and edge devices.
In the latest series of attacks, the threat actor deployed a novel C-based backdoor dubbed “GRIDTIDE.” The malware abuses the Google Sheets API as its command-and-control (C2) channel, so that its beaconing blends into ordinary enterprise SaaS traffic.
According to researchers, GRIDTIDE authenticates as a Google service account using a private key hardcoded in the binary. Upon execution, it resets its control spreadsheet, clearing rows 1 through 1000 and columns A to Z. The malware then fingerprints the infected host, collecting the username, hostname, operating system version, local IP address, system locale, and timezone.
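A hunting check for that hardcoded service-account credential, added here as an example and not taken from the report or from any GTIG or Mandiant tooling: it scans a file for an embedded Google service-account key and pulls out the project ID and client e-mail a responder needs in order to revoke it. It assumes the key is stored in Google's standard JSON key-file layout (`type`, `client_email`, `private_key`), which the report does not state; the bare-PEM fallback covers a key embedded without the JSON wrapper. The sample "binary", project name, e-mail address and PEM body below are constructed placeholders, not a real key and not a real GRIDTIDE sample.

```python
"""Hunt for an embedded Google service-account key in an arbitrary file.

Added example. ASSUMPTION: the key uses Google's JSON key-file layout; a bare
PEM block is reported as a weaker finding. Nothing here is taken from GRIDTIDE.
"""
from __future__ import annotations

import json
import re
import sys

# A flat JSON object (key files have no nesting) that declares itself a key.
SA_JSON_RE = re.compile(rb'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}')
# PEM private key, either raw or JSON-escaped with a literal backslash-n.
PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----", re.S
)
# Service-account identities always live in this DNS domain.
SA_EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.iam\.gserviceaccount\.com")


def find_service_account_keys(blob: bytes) -> list[dict]:
    """Return one finding per embedded key with the fields needed to revoke it."""
    findings = []
    covered = []  # byte ranges already reported as part of a parsed key file
    for m in SA_JSON_RE.finditer(blob):
        try:
            doc = json.loads(m.group(0).decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue
        findings.append({
            "offset": m.start(),
            "format": "json-keyfile",
            "project_id": doc.get("project_id"),
            "client_email": doc.get("client_email"),
            "private_key_id": doc.get("private_key_id"),
            "has_private_key": "BEGIN PRIVATE KEY" in str(doc.get("private_key", "")),
        })
        covered.append((m.start(), m.end()))
    # A PEM block that is not inside a parsed key file is still worth a look;
    # pair it with the first service-account e-mail visible anywhere in the blob.
    for m in PEM_RE.finditer(blob):
        if any(s <= m.start() < e for s, e in covered):
            continue
        emails = SA_EMAIL_RE.findall(blob)
        findings.append({
            "offset": m.start(),
            "format": "bare-pem",
            "project_id": None,
            "client_email": emails[0].decode() if emails else None,
            "private_key_id": None,
            "has_private_key": True,
        })
    return findings


# Constructed stand-in for a stripped binary: header, padding, fake key file.
# The PEM body is filler text, NOT a real key; the project and e-mail are made up.
FAKE_KEYFILE = (
    b'{"type": "service_account", "project_id": "example-project-123", '
    b'"private_key_id": "0123456789abcdef", '
    b'"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKY(filler)\\n-----END PRIVATE KEY-----\\n", '
    b'"client_email": "c2-bot@example-project-123.iam.gserviceaccount.com", '
    b'"client_id": "1234567890", '
    b'"token_uri": "https://oauth2.googleapis.com/token"}'
)
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 64 + b"sample-strings\x00" + FAKE_KEYFILE + b"\x00" * 64


if __name__ == "__main__":
    # Usage: python hunt_sa_key.py <file>; with no argument it scans the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for finding in find_service_account_keys(data):
        print(finding)
```

Run it over a memory dump or an unpacked sample rather than the packed file on disk; a key that is only decrypted at runtime will not be visible statically. Either finding is enough to open a ticket with the cloud owner: the `client_email` identifies the account to disable and `project_id` the project to suspend.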
Cell A1 serves as the combined command-and-status field: GRIDTIDE polls it for instructions, executes any command it finds, and overwrites the cell with a status string. If the cell is empty, it polls every second for up to 120 attempts, then backs off to randomized five- to ten-minute intervals, a cadence chosen to reduce the chance of detection.
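That polling cadence is the observable a network defender has, even without TLS inspection, because every poll is a separate HTTPS request to sheets.googleapis.com. The detector below is an added example, not code from the report or from Google: it replays the described behaviour (a 1-second poll repeated up to 120 times, then randomized five- to ten-minute sleeps) as constructed proxy-log lines and flags any source host whose inter-request gaps match either phase. The log format, IP addresses, spreadsheet IDs and timestamps are constructed; the `/v4/spreadsheets/<id>/values/<range>` and `:clear` paths follow the public Sheets v4 API layout, but the detection keys only on the destination host, so it still works when the proxy logs just the SNI.

```python
"""Flag GRIDTIDE-style polling of the Google Sheets API in proxy logs.

Added example. The cadence bands come from the report's description; the log
lines, hosts, IDs and thresholds are constructed/assumed, not observed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHEETS_HOST = "sheets.googleapis.com"
TIGHT_POLL_BAND = (0.5, 1.5)     # seconds between polls while A1 is empty
TIGHT_POLL_MIN_RUN = 20          # consecutive ~1 s polls to alert on (implant does up to 120)
SLOW_POLL_BAND = (300.0, 600.0)  # the randomized 5-10 minute back-off
SLOW_POLL_MIN_HITS = 4


def parse_line(line):
    """Constructed format: '<iso-ts> <src> <method> <host> <path> <status>'."""
    ts, src, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "status": int(status)}


def detect_sheets_polling(lines):
    """Return one alert per source host whose Sheets traffic shows either polling phase."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["host"] == SHEETS_HOST:          # SNI/host is enough; path is optional
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        deltas = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        best = run = 0                           # longest run of ~1 s gaps
        for d in deltas:
            run = run + 1 if TIGHT_POLL_BAND[0] <= d <= TIGHT_POLL_BAND[1] else 0
            best = max(best, run)
        slow_hits = sum(SLOW_POLL_BAND[0] <= d <= SLOW_POLL_BAND[1] for d in deltas)
        reasons = []
        if best >= TIGHT_POLL_MIN_RUN:
            reasons.append(f"{best} consecutive ~1s polls")
        if slow_hits >= SLOW_POLL_MIN_HITS:
            reasons.append(f"{slow_hits} gaps in the 5-10 min band")
        if reasons:
            alerts.append({"src": src, "requests": len(recs),
                           "paths": sorted({r["path"] for r in recs}), "reasons": reasons})
    return alerts


def constructed_log():
    """Synthetic proxy log: one implant-like host (10.0.0.5) and one ordinary user (10.0.0.9)."""
    sid = "1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefg"       # constructed spreadsheet ID
    base = f"/v4/spreadsheets/{sid}/values/"
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    lines = [f"{t0.isoformat()} 10.0.0.5 POST {SHEETS_HOST} {base}A1:Z1000:clear 200"]  # wipe A1:Z1000
    for i in range(1, 41):                                      # 40 one-second polls of A1
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 GET {SHEETS_HOST} {base}A1 200")
    t = t0 + timedelta(seconds=40)
    for gap in (312, 587, 455, 399, 540):                       # fixed stand-ins for 5-10 min jitter
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET {SHEETS_HOST} {base}A1 200")
    user_base = "/v4/spreadsheets/1zyxWvUtSrQpOnMlKjIhGfEdCbA9876543210zyxwvuts/values/"
    t = t0 + timedelta(minutes=3)
    for gap, rng in ((0, "Sheet1!A1:D20"), (7, "Sheet1!E3"), (95, "Sheet1!A1:D20"), (1800, "Sheet1!B2")):
        t += timedelta(seconds=gap)                             # irregular human edits
        lines.append(f"{t.isoformat()} 10.0.0.9 GET {SHEETS_HOST} {user_base}{rng} 200")
    lines.append(f"{t.isoformat()} 10.0.0.9 GET docs.google.com /document/d/constructed/edit 200")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for alert in detect_sheets_polling(SAMPLE_LOG):
        print(alert)
```

Legitimate integrations also poll sheets, so treat a hit as a lead rather than a verdict: pivot on the service account that issued the calls (visible in Google Workspace or Cloud audit logs) and on whether the source host has any business reason to talk to Sheets at all. The thresholds are starting points; a short 1-second burst alone is weak evidence, the two phases together are much stronger.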
Researchers said GRIDTIDE encodes the contents of its commands and status strings with a URL-safe Base64 scheme. Because the requests themselves are ordinary, authenticated calls to the Google Sheets API over TLS, the traffic is hard to distinguish from legitimate SaaS use with traditional web monitoring tools. In at least one confirmed incident, the malware was deployed on a system containing sensitive personally identifiable information (PII), though researchers did not directly observe data exfiltration.
Google, Mandiant, and partners took coordinated action to disrupt the operation, which included terminating the Google Cloud projects linked to UNC2814, revoking the malicious access to the Google Sheets API, disabling the cloud infrastructure used for C2, and sinkholing both current and historical domains associated with the activity.