KEY POINTS
- Google and Mandiant disrupted a decade-long cyber espionage campaign by a group known as UNC2814 (or “Gallium”).
- The operation utilized a novel backdoor called GRIDTIDE that abused the Google Sheets API for command-and-control (C2) traffic.
- The campaign breached at least 53 organizations across 42 countries, primarily targeting government agencies and telecommunications providers.
Google’s Threat Intelligence Group (GTIG) and Mandiant successfully dismantled a sophisticated, long-running cyber espionage operation linked to a Chinese threat actor. The group, identified as UNC2814 and also known as “Gallium,” has been operating for nearly ten years. The disruption involved terminating the group’s Google Cloud projects, disabling its infrastructure, and cutting off access to the Google accounts it used.
The hackers focused their efforts on government bodies and telecommunications companies across Africa, Asia, and the Americas. Security researchers confirmed that at least 53 organizations were successfully breached during this latest campaign. Additionally, there are suspected infections in at least 20 other nations, reflecting a massive global surveillance apparatus.
Central to this operation was the use of a novel backdoor malware dubbed “GRIDTIDE.” This C-based tool allowed the attackers to execute shell commands and move files to and from infected systems. GRIDTIDE was notably designed to abuse the legitimate Google Sheets API for its command-and-control communications.
By using Google Sheets as a data exchange channel, the group managed to blend its malicious activity into routine office network traffic. This tactic effectively hid the surveillance efforts from traditional security monitoring tools for years. Google emphasized that this activity was not caused by a security flaw in its own products, but rather an abuse of existing functionality.
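The evasion described above works because traffic to the Google Sheets API looks like ordinary office activity. One way a defender can still surface it is to look for the shape of the traffic rather than its destination: a host that polls the Sheets API at near-constant intervals from a non-browser client behaves like a beacon, not like a person editing a spreadsheet. The script below is an added example written for this article, not code or a signature from Google, Mandiant, or the GRIDTIDE report. It assumes a constructed pipe-delimited web-proxy log format (timestamp, source host, user agent, destination host, path); the sample lines and host names are made up, the spreadsheet ID is a placeholder, and the interval-regularity threshold is an assumption to tune per environment. `sheets.googleapis.com` is the real Sheets API v4 endpoint.

```python
"""Hunt for beacon-like polling of the Google Sheets API in web-proxy logs.

Constructed example: each log line is
    <ISO timestamp>|<source host>|<user agent>|<destination host>|<path>
Sources that call sheets.googleapis.com at near-constant intervals from a
non-browser client are reported for analyst review.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_HOST = "sheets.googleapis.com"  # Google Sheets API v4 endpoint
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

# Constructed sample log. ws-017 polls every 60 s from a bare curl client
# (beacon-like); ws-042 is a browser session at human-looking intervals;
# ws-088 is a script run by hand at irregular times; the docs.google.com
# line shows unrelated Google traffic that is ignored.
SAMPLE_LOG = """\
2024-05-01T09:00:00|ws-017|curl/7.88.1|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:B50
2024-05-01T09:00:12|ws-042|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:Z200
2024-05-01T09:01:00|ws-017|curl/7.88.1|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:B50
2024-05-01T09:02:00|ws-017|curl/7.88.1|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:B50
2024-05-01T09:03:00|ws-017|curl/7.88.1|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:B50
2024-05-01T09:03:40|ws-042|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:Z200
2024-05-01T09:04:00|ws-017|curl/7.88.1|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:B50
2024-05-01T09:04:05|ws-042|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|docs.google.com|/spreadsheets/d/SHEET_ID_PLACEHOLDER/edit
2024-05-01T09:10:00|ws-088|python-requests/2.31.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Export!A1:D10
2024-05-01T09:10:05|ws-088|python-requests/2.31.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Export!A1:D10
2024-05-01T09:25:05|ws-088|python-requests/2.31.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Export!A1:D10
2024-05-01T09:25:17|ws-088|python-requests/2.31.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Export!A1:D10
2024-05-01T09:31:00|ws-042|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|sheets.googleapis.com|/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:Z200
"""


def parse_log(text):
    """Yield (timestamp, host, user_agent, dest, path) from the constructed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, ua, dest, path = line.split("|", 4)
        yield datetime.fromisoformat(ts), host, ua, dest, path


def is_browser_ua(ua):
    """Crude browser check; beacon tooling can spoof these, so it only narrows the set."""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)


def find_sheets_beacons(text, min_events=4, max_cv=0.2):
    """Return [(host, ua, count, mean_gap_s, cv)] for non-browser sources whose
    requests to the Sheets API are evenly spaced (coefficient of variation of
    the inter-request gaps <= max_cv). Sources with fewer than min_events
    requests are skipped to avoid flagging one-off lookups."""
    events = defaultdict(list)
    for ts, host, ua, dest, _ in parse_log(text):
        if dest == SHEETS_HOST and not is_browser_ua(ua):
            events[(host, ua)].append(ts)

    hits = []
    for (host, ua), stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((host, ua, len(stamps), avg, cv))
    return sorted(hits)


if __name__ == "__main__":
    for host, ua, count, avg, cv in find_sheets_beacons(SAMPLE_LOG):
        print(f"{host}: {count} Sheets API calls from '{ua}', every ~{avg:.0f}s (cv={cv:.2f})")
```

On the sample data only `ws-017` is reported: five calls exactly 60 seconds apart from a `curl` client. The browser session on `ws-042` is excluded by user agent, and the hand-run script on `ws-088` survives the user-agent filter but fails the regularity test because its gaps (5 s, 900 s, 12 s) are far from uniform. The user-agent check is the weaker of the two signals, since any client can claim to be a browser; in practice the regularity heuristic is best paired with endpoint telemetry that ties the connection to the originating process, and with a review of which Google Cloud projects and accounts the polled spreadsheet belongs to.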
In one documented case, the hackers installed GRIDTIDE on a server containing sensitive personal information. The compromised data included full names, national ID numbers, voter IDs, and dates of birth. Security experts believe the group aimed to monitor specific individuals through these high-value datasets.
While exfiltration was not directly observed in the most recent campaign, the group has a history of aggressive data theft. Past activities linked to this threat actor include stealing call records and unencrypted SMS messages from telecom providers. They have also been known to compromise lawful intercept systems used by law enforcement.
Google worked alongside unnamed industry partners to notify all verified victims and assist with incident response. This collective action significantly degraded the infrastructure that UNC2814 had built up over many years. However, researchers warn that the group is likely to attempt to rebuild its global footprint.
This operation is distinct from “Salt Typhoon,” another prominent Chinese campaign that recently targeted the U.S. telecommunications sector. The discovery of UNC2814 underscores the growing trend of threat actors leveraging commercial cloud services to mask their intrusions.