www.securityweek.com 2/25/2026, 4:06:59 PM · via preferred

Google disrupts UNC2814 linked to China using Google Sheets C2

CyberSIXT Evidence Panel
Threat Actor: UNC2814 (China-linked, tracked by GTIG and Mandiant)

Google announced that it has disrupted a significant China-linked cyberespionage campaign targeting telecoms and government organisations worldwide, tracked by GTIG and Mandiant as UNC2814. The group has been active since at least 2017, and its activity is described as one of the most far-reaching campaigns seen in recent years: it has targeted at least 53 organisations across 42 countries, with suspicions of activity in a further 20 countries.

Google said the attackers used API calls to communicate with SaaS apps as their command-and-control infrastructure, disguising malicious traffic as benign and relying on cloud-hosted products rather than exploiting flaws. A new backdoor named GridTide enables shell command execution and file uploads and downloads; it was observed using Google Sheets as a high-availability C2 platform.

GTIG and Mandiant disrupted the campaign by eliminating GridTide cloud resources, sinkholing domains, disabling hacker accounts (including Google Cloud accounts used for C2), and terminating access to Google Sheets instances. Victims were notified and IoCs were released to help others detect UNC2814 activity. Google expects the disruption to significantly slow UNC2814’s global footprint.
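An added example, not from the article or from Google's released IoCs: a hunt over proxy or EDR network logs for the pattern described above, where a process that is not an expected client talks to the Google Sheets API. The log format, host and process names, the allowlist and the periodic-polling heuristic are assumptions, and the sample rows are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Real Google Sheets API hostname; everything else below is an assumption.
SHEETS_API_HOST = "sheets.googleapis.com"
# Hypothetical allowlist of processes expected to call the Sheets API here.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy/EDR network log (timestamp, host, process, destination).
SAMPLE_LOG = """ts,host,process,dest
2026-02-20T10:00:00,ws-114,chrome.exe,sheets.googleapis.com
2026-02-20T10:00:05,srv-billing-02,svc_update,sheets.googleapis.com
2026-02-20T10:05:04,srv-billing-02,svc_update,sheets.googleapis.com
2026-02-20T10:10:06,srv-billing-02,svc_update,sheets.googleapis.com
2026-02-20T10:15:05,srv-billing-02,svc_update,sheets.googleapis.com
2026-02-20T10:17:41,ws-114,chrome.exe,sheets.googleapis.com
2026-02-20T10:20:00,srv-web-01,nginx,updates.example.org
"""

def hunt_sheets_api(log_text, min_requests=3, max_jitter=0.2):
    """Return findings for unexpected processes calling the Sheets API.

    A finding is marked 'periodic' when the gaps between requests vary by
    at most max_jitter (coefficient of variation), i.e. machine-like polling.
    """
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest"].lower() != SHEETS_API_HOST:
            continue  # not Sheets API traffic
        if row["process"].lower() in EXPECTED_CLIENTS:
            continue  # expected interactive client
        seen[(row["host"], row["process"])].append(datetime.fromisoformat(row["ts"]))

    findings = []
    for (host, process), stamps in sorted(seen.items()):
        if len(stamps) < max(min_requests, 2):  # need at least one gap
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        findings.append({"host": host, "process": process,
                         "requests": len(stamps), "periodic": jitter <= max_jitter})
    return findings

if __name__ == "__main__":
    for finding in hunt_sheets_api(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage rather than a verdict: legitimate automation also calls the Sheets API, so the allowlist needs tuning per environment.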


Article by CyberSIXT