Google has revealed that it worked alongside industry partners to dismantle the infrastructure of a suspected China-linked cyber espionage group known as UNC2814. The group is believed to have compromised at least 53 organizations in 42 countries, with additional suspected activity in more than 20 other nations.
According to a new report from Google Threat Intelligence Group and Mandiant, the threat actor has spent years targeting government entities and major telecommunications providers across Africa, Asia, and the Americas. Google says it has been tracking the group since 2017.
SaaS Platforms Used as Command Infrastructure
Investigators found that UNC2814 relied on API calls to software-as-a-service platforms to manage command-and-control operations. By blending malicious traffic with normal SaaS activity, the attackers were able to reduce the likelihood of detection.
At the center of the campaign is a previously undocumented backdoor called GRIDTIDE. The malware abuses the Google Sheets API to communicate with infected systems. Instead of using traditional command servers, the attackers hid instructions and stolen data inside spreadsheet cells.
GRIDTIDE is written in C and allows operators to upload and download files, execute shell commands, and transfer system data.

How GRIDTIDE Operates
The malware uses a structured polling method inside Google Sheets:
- The malware polls cell A1 for attacker commands and overwrites the cell with a status response, such as confirmation that a command was executed.
- Cells A2 through An (as many rows as the data needs) carry file transfers and command output.
- Cell V1 holds system information collected from the compromised endpoint.
This layout gives the operators two-way communication while the traffic looks like ordinary spreadsheet activity.
Initial Access Still Under Investigation
Google says it is still investigating how the group initially gains access. However, UNC2814 has previously been linked to the exploitation of vulnerable web servers and edge devices.
Once inside a network, the attackers reportedly used service accounts to move laterally over SSH. They also relied on living-off-the-land techniques, using built-in system tools to conduct reconnaissance, escalate privileges, and maintain persistence.
For persistence, the attackers created a malicious system service located at:
/etc/systemd/system/xapt.service
When activated, it launched a new malware instance from:
/usr/sbin/xapt
Another tool observed in the campaign is SoftEther VPN Bridge, which was used to establish encrypted outbound connections to external infrastructure. Abuse of SoftEther VPN has previously been associated with multiple China-based threat groups.
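As an added example (not Google's or Mandiant's tooling), a POSIX shell function that checks a live host or a mounted forensic image for the persistence artifacts named above; the extra check for other unit files pointing at the same binary is an assumption beyond the report:

```shell
#!/bin/sh
# Added example, not Google's or Mandiant's tooling: hunt for the GRIDTIDE
# persistence artifacts named in the report on a live host or a mounted
# forensic image. Pass the image mount point as ROOT; default is the live "/".
# Prints one "HIT:" line per finding and a final "TOTAL: n" line.
#
#   gridtide_persistence_scan /mnt/evidence

gridtide_persistence_scan() {
    root="${1:-}"
    hits=0
    unit="$root/etc/systemd/system/xapt.service"
    bin="$root/usr/sbin/xapt"

    # 1. The service unit the report says was created for persistence
    if [ -f "$unit" ]; then
        echo "HIT: persistence unit present: $unit"
        # Show what the unit launches so an analyst can confirm by eye
        grep -n '^ExecStart=' "$unit" | sed 's/^/      /'
        hits=$((hits + 1))
    fi

    # 2. The binary that unit launches
    if [ -e "$bin" ]; then
        echo "HIT: malware binary present: $bin"
        hits=$((hits + 1))
    fi

    # 3. Assumption beyond the report: operators may rename the unit, so also
    #    flag any other system unit whose ExecStart points at the same binary
    for f in "$root"/etc/systemd/system/*.service; do
        [ -f "$f" ] && [ "$f" != "$unit" ] || continue
        if grep -q '^ExecStart=.*/usr/sbin/xapt' "$f" 2>/dev/null; then
            echo "HIT: unit references /usr/sbin/xapt: $f"
            hits=$((hits + 1))
        fi
    done

    echo "TOTAL: $hits"
}
```

Run it with a mount point to triage an image offline; a non-zero TOTAL means the host needs a full look, not just these paths.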

Focus on Telecommunications and Government
Evidence suggests GRIDTIDE was deployed on systems containing personally identifiable information. That pattern aligns with espionage campaigns that aim to monitor specific individuals or strategic targets.
Despite the scale of the operation, Google stated that it did not observe confirmed data exfiltration during the campaign.
Google’s Response
To disrupt the operation, Google:
- Shut down Google Cloud projects tied to the attackers
- Disabled known infrastructure linked to UNC2814
- Revoked access to attacker-controlled accounts
- Blocked malicious Google Sheets API activity
- Issued formal notifications to affected organizations
Google described the campaign as one of the most extensive and impactful espionage operations it has handled in recent years. The company is continuing to support victims with confirmed compromises.

Broader Implications
This case highlights a growing trend: nation-state actors are embedding themselves into networks for long-term access rather than conducting quick smash-and-grab attacks. Edge devices remain a preferred entry point because they often lack strong endpoint monitoring while providing direct access into internal environments.
Google warned that the global scale of UNC2814’s activity, spanning confirmed or suspected operations in more than 70 countries, underscores the serious risks facing telecom providers and government agencies.
While the disruption effort may have slowed the group, Google expects the threat actor to attempt rebuilding its infrastructure.
For defenders, the takeaway is clear. Monitoring SaaS API usage, securing edge devices, and watching for unusual service creation or outbound VPN connections are no longer optional. They are critical controls in modern enterprise defense.