Google’s Threat Intelligence Group, along with Mandiant and other partners, has stopped a large global espionage campaign linked to a suspected Chinese threat actor.
The hackers used SaaS API calls to disguise malicious traffic, mainly targeting telecom companies and government networks around the world.
The campaign has reportedly been active since at least 2023. It has already affected 53 organizations across 42 countries, with possible infections in at least 20 more nations. Investigators are still unsure how the attackers first gained access, but Google says the group, tracked as UNC2814, has previously exploited weaknesses in web servers and edge systems to break in.
In this latest campaign, the attackers used a newly discovered C-based backdoor called GRIDTIDE. What makes this malware unusual is that it misuses the Google Sheets API to carry out hidden command and control operations. The malware connects to a Google Service Account using a hardcoded private key. Once active, it clears parts of the spreadsheet, then begins collecting basic system information such as username, hostname, operating system details, local IP address, language settings, and timezone. This information is stored directly inside the spreadsheet.
The malware constantly checks a specific cell in the sheet for instructions. If it finds a command, it executes it and replaces the cell’s content with a status update. If there is no command, it checks repeatedly before slowing down its polling rate to avoid raising suspicion.
GRIDTIDE supports several commands. It can execute encoded bash commands and write the results back to the sheet. It can drop files onto the infected system by reconstructing data staged in spreadsheet cells, and it can exfiltrate files from the infected system in small fragments. The spreadsheet cells thus act as the channel for moving command outputs and stolen data in both directions.
Google says the attackers used a URL-safe base64 encoding method to help the malicious traffic blend in with normal web activity, making detection harder for security monitoring tools.
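The fixed-rate polling of a single spreadsheet cell, followed by a slowdown, is itself a detectable network signature. The Python below is an added defender-side example (not code from Google's report or from the malware) that scans constructed proxy log lines for hosts repeatedly fetching the same Google Sheets range and flags regular beaconing or a backoff curve; the log format, the user-agent strings and the spreadsheet IDs are placeholders I made up, since the article publishes no indicator values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines, not real telemetry. Host ws-0421 polls one spreadsheet
# range from a non-browser client at a fixed interval and then backs off; ws-0777 is a
# user opening a sheet in a browser. Spreadsheet IDs and user agents are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:00:30Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:01:00Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:01:30Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:02:30Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:04:30Z ws-0421 "libcurl/8.1" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-05-01T10:03:00Z ws-0777 "Mozilla/5.0 (Windows NT 10.0)" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_B/values/Sheet1!A1:D20
2024-05-01T10:05:00Z ws-0777 "Mozilla/5.0 (Windows NT 10.0)" https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_B/values/Sheet1!A1:D20
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
SHEETS_RE = re.compile(r'^https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/')
MIN_POLLS = 4  # fewer requests than this is not enough to call it a beacon

def parse(log):
    """Yield (timestamp, host, user_agent, url) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_sheet_polling(log):
    """Return one finding per (host, spreadsheet, user agent) that looks like automated polling."""
    series = defaultdict(list)
    for ts, host, ua, url in parse(log):
        m = SHEETS_RE.match(url)
        if m:
            series[(host, m.group(1), ua)].append(ts)
    findings = []
    for (host, sheet, ua), stamps in series.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2      # fixed-rate beacon
        backoff = all(x <= y for x, y in zip(gaps, gaps[1:])) and gaps[-1] >= 2 * gaps[0]
        if regular or backoff:
            findings.append({"host": host, "sheet": sheet, "polls": len(stamps),
                             "pattern": "backoff" if backoff else "regular",
                             "non_browser": not ua.startswith("Mozilla/")})
    return findings
```

A non-browser user agent combined with either pattern is the combination worth an analyst's attention; legitimate Sheets integrations exist, so treat a hit as a lead to confirm on the host, not as proof of infection.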
In at least one confirmed case, GRIDTIDE was found on a system containing sensitive personal information. However, researchers did not directly observe any data theft.
To stop the operation, Google and its partners shut down all Google Cloud projects linked to UNC2814, revoked access to the Google Sheets API used in the attacks, disabled related infrastructure, and sinkholed both current and past domains connected to the campaign. Affected organizations were notified and offered assistance to remove the malware.
Google has also shared detection rules and indicators of compromise to help security teams identify possible infections. Although this disruption was significant, Google believes the threat actor may attempt to return using new infrastructure in the near future.