GOOGLE has disclosed that it disrupted the infrastructure of UNC2814, a suspected China-nexus cyber espionage group, after the actors breached at least 53 organisations across 42 countries, according to Google Threat Intelligence Group (GTIG) and Mandiant. The researchers say UNC2814 has a history of targeting international governments and global telecommunications organisations across Africa, Asia and the Americas, and is linked to infections in more than 20 other nations.
GRIDTIDE, the group’s backdoor, is described as C-based malware capable of uploading and downloading files and executing shell commands. It reportedly abuses the Google Sheets API as a command-and-control (C2) channel, so that command and data transfers blend in with legitimate-looking traffic. The campaign employed a service account to move laterally via SSH, and used living-off-the-land binaries for reconnaissance, privilege escalation and persistence.
Google noted that one persistence mechanism involved installing a malware service at /etc/systemd/system/xapt[.]service, which spawned new malware instances from /usr/sbin/xapt, while SoftEther VPN Bridge was used to establish outbound encrypted connections. Although GRIDTIDE surfaced on endpoints containing PII, Google said no data exfiltration was observed during the campaign. The firm terminated attacker-controlled Google Cloud Projects, disabled UNC2814 infrastructure and blocked the related Google Sheets API calls.
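The systemd persistence described above gives defenders two concrete things to hunt for: the unit name and the binary it launches. The following script is an added example, not code from Google, GTIG or Mandiant; it parses systemd unit text and flags units matching either indicator, and the sample units it runs over are constructed (only the xapt.service and /usr/sbin/xapt paths come from the report).

```python
# Added detection example, not from the report; only /etc/systemd/system/xapt.service
# and /usr/sbin/xapt are page indicators, the parser and sample units are constructed.
import re
from typing import Dict, List

REPORTED_UNIT = "xapt.service"      # unit name from the report
REPORTED_BINARY = "/usr/sbin/xapt"  # launched binary from the report

def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser for a systemd unit (last value per key wins)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def findings_for_unit(name: str, text: str) -> List[str]:
    """Match one unit against the reported indicators (systemd's -@+!: ExecStart prefixes stripped)."""
    exec_start = parse_unit(text).get("Service", {}).get("ExecStart", "").lstrip("-@+!:")
    binary = exec_start.split()[0] if exec_start else ""
    found = []
    if name == REPORTED_UNIT:
        found.append(f"unit name matches reported {REPORTED_UNIT}")
    if binary == REPORTED_BINARY:
        found.append(f"ExecStart runs reported binary {REPORTED_BINARY}")
    return found

def scan_units(units: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan {unit name: unit text}; for a live hunt, feed it /etc/systemd/system/*.service."""
    return {n: f for n, t in units.items() if (f := findings_for_unit(n, t))}

# Constructed samples: benign, the reported persistence, and a renamed unit that still
# launches the reported binary (a name-only check would miss it).
SAMPLE_UNITS = {
    "cron.service": "[Unit]\nDescription=cron\n[Service]\nExecStart=/usr/sbin/cron -f\n",
    "xapt.service": "[Service]\nExecStart=/usr/sbin/xapt\nRestart=always\n",
    "update.service": "[Service]\nExecStart=-/usr/sbin/xapt --daemon\n",
}

if __name__ == "__main__":
    for unit_name, reasons in scan_units(SAMPLE_UNITS).items():
        print(unit_name, "->", "; ".join(reasons))
```

Matching on the launched binary as well as the unit name is what catches the renamed unit in the samples; extend the indicator constants as further details of the campaign are published.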
The global scope of the activity was described as spanning more than 70 countries, underscoring the threat to the telecommunications and government sectors and the attackers’ ability to evade detection.