Google's Threat Intelligence Group (GTIG) disrupted UNC2814, a suspected China-linked APT, halting attacks on 53 organisations across 42 countries. According to the GTIG report, GTIG and its partners terminated attacker-controlled Google Cloud Projects and accounts, disabled access through the GRIDTIDE backdoor, and revoked the Google Sheets API calls it depended on. UNC2814 routed its traffic through API calls to SaaS applications so that it blended in with legitimate activity, and deployed GRIDTIDE, a backdoor that used Google Sheets as its command-and-control (C2) channel.
The operation involved lateral movement over SSH, living-off-the-land binaries for reconnaissance, and installation of GRIDTIDE for persistence; the backdoor's command set could execute Bash commands and transfer data encoded in Base64.
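The tradecraft described above, a backdoor hiding its C2 inside calls to a sanctioned SaaS API and carrying commands as Base64, is hard to block at the network edge because the destination is legitimate. A practical defensive angle is to look at who is calling the API and what the payload looks like. The following is an added example of such detection logic; it is not from the GTIG report and does not reproduce GRIDTIDE. The log format (JSON lines with `src_host`, `host_role`, `dest_host`, `user_agent`, `body_sample`) and all hostnames are constructed assumptions, and the rules are generic: a server-class host calling the Sheets API, a non-browser user agent, and a request body that is a single Base64 blob.

```python
"""Flag suspicious use of the Google Sheets API in proxy logs.

Added illustration, not from the GTIG report. The log schema and the
sample events below are constructed for this example.
"""
import base64
import binascii
import json
import re
from typing import Iterable

# Assumption: the proxy records the destination host separately from the URL.
SHEETS_API_HOST = "sheets.googleapis.com"
# Crude test for an interactive browser; anything else is treated as a script.
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/")
# A body that is one unbroken Base64 token of meaningful length.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample events (JSON lines). Host names are fictitious.
SAMPLE_LOGS = [
    json.dumps({"ts": "2024-05-01T09:12:03Z", "src_host": "ws-finance-12",
                "host_role": "workstation", "dest_host": SHEETS_API_HOST,
                "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
                "body_sample": '{"values": [["Q2 budget", 1200]]}'}),
    json.dumps({"ts": "2024-05-01T09:12:41Z", "src_host": "bill-db-07",
                "host_role": "server", "dest_host": SHEETS_API_HOST,
                "user_agent": "python-requests/2.31",
                "body_sample": base64.b64encode(b"uptime; hostname").decode()}),
    json.dumps({"ts": "2024-05-01T09:13:10Z", "src_host": "ws-hr-03",
                "host_role": "workstation", "dest_host": SHEETS_API_HOST,
                "user_agent": "curl/8.4.0", "body_sample": ""}),
    json.dumps({"ts": "2024-05-01T09:13:22Z", "src_host": "bill-db-07",
                "host_role": "server", "dest_host": "updates.example.internal",
                "user_agent": "apt-http/2.6", "body_sample": ""}),
]


def looks_base64(text: str) -> bool:
    """True if the whole body is a single, validly padded Base64 token."""
    if not B64_TOKEN.match(text) or len(text) % 4 != 0:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def analyse(lines: Iterable[str]) -> list[dict]:
    """Return one alert per Sheets API request that trips at least one rule."""
    alerts = []
    for raw in lines:
        event = json.loads(raw)
        if event["dest_host"] != SHEETS_API_HOST:
            continue  # only the API used as the C2 channel is of interest here
        reasons = []
        if event["host_role"] == "server":
            reasons.append("server-class host calling Sheets API")
        if not BROWSER_UA.search(event["user_agent"]):
            reasons.append("non-browser user agent")
        body = event.get("body_sample", "")
        decoded = ""
        if looks_base64(body):
            reasons.append("base64-looking payload")
            # Decode for the analyst; errors="replace" keeps binary from crashing us.
            decoded = base64.b64decode(body).decode("utf-8", errors="replace")
        if reasons:
            alerts.append({
                "ts": event["ts"],
                "src_host": event["src_host"],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
                "decoded_preview": decoded[:80],
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(json.dumps(alert))
```

On the constructed sample the database server scripting the Sheets API with a Base64 body scores as high severity, the workstation using curl gets a low-severity note, and the ordinary browser session is ignored. In a real deployment the `host_role` field would come from your asset inventory, and the Base64 rule should be treated as a corroborating signal rather than a verdict, since some legitimate integrations also post encoded blobs.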
The attackers targeted endpoints containing personally identifiable information in telecoms and government sectors, and the report notes that UNC2814 has been active since at least 2017 and remains capable of affecting victim organisations beyond the initial 53, potentially across more than 70 countries.