GOOGLE and its international partners disrupted a long-running global hacking campaign linked to UNC2814, described by Google Threat Intelligence Group (GTIG) as “prolific” and “elusive.” The operation, active since 2017, targeted governments and telecommunications organisations across Africa, Asia and the Americas, with Google confirming at least 53 victims in 42 nations and suspected activity in a further 20 countries.
A novel backdoor, dubbed GridTide, was central to the campaigns and was unusual in that it used Google Sheets as a command-and-control platform, allowing attackers to hide malicious traffic within legitimate cloud API requests. Google’s action severed the attackers’ persistence by terminating all Google Cloud Projects they controlled, disabling attacker accounts and revoking access to Google Sheets API calls exploited for C2, according to Google.
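A defender-side illustration of the point above, added here and not taken from the article or from Google's own tooling: because the Sheets API endpoint also carries legitimate business traffic, a hunt looks at which hosts call it and how regularly, rather than blocking it. The proxy log format, the host names and the allow-list of hosts expected to use the API are assumptions, and the log lines are constructed.

```python
"""Hunt for beacon-like Google Sheets API use in proxy logs (added example,
not from the article). Blocking the endpoint is not an option when it is
also legitimate business traffic, so look for periodic, unexpected callers."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy lines: "<ISO timestamp> <src-host> <dst-host>".
SAMPLE_LOG = """\
2024-05-01T08:00:00 ws-014 sheets.googleapis.com
2024-05-01T08:05:01 ws-014 sheets.googleapis.com
2024-05-01T08:10:00 ws-014 sheets.googleapis.com
2024-05-01T08:15:02 ws-014 sheets.googleapis.com
2024-05-01T08:20:01 ws-014 sheets.googleapis.com
2024-05-01T08:03:12 ws-022 sheets.googleapis.com
2024-05-01T08:41:50 ws-022 sheets.googleapis.com
2024-05-01T10:12:07 ws-022 sheets.googleapis.com
2024-05-01T08:00:00 etl-01 sheets.googleapis.com
2024-05-01T08:01:00 etl-01 sheets.googleapis.com
"""

C2_COVER_HOST = "sheets.googleapis.com"   # public Sheets API endpoint
EXPECTED_HOSTS = {"etl-01"}               # assumed: hosts allowed to poll it

def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beaconing_hosts(text, min_requests=4, max_cv=0.05):
    """Return {host: mean_gap_seconds} for unexpected hosts whose calls to
    the Sheets API are near-periodic (low stdev/mean of inter-call gaps),
    the signature of an implant sleeping a fixed interval between check-ins."""
    per_host = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst == C2_COVER_HOST and src not in EXPECTED_HOSTS:
            per_host[src].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[host] = round(mean(gaps))
    return flagged

if __name__ == "__main__":
    print(find_beaconing_hosts(SAMPLE_LOG))  # {'ws-014': 300}
```

Only ws-014 is flagged: its calls arrive every five minutes with seconds of jitter, while ws-022's irregular human-driven use and the allow-listed etl-01 are ignored.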
While analysis did not directly detect exfiltration of sensitive data, researchers note that similar Chinese-linked campaigns have previously resulted in the theft of call data records and unencrypted SMS messages, often for surveillance or state espionage purposes.