China-linked hackers used Google Sheets to spy on telecoms and governments across 42 countries

Google has disrupted a China-linked espionage group that used Google’s spreadsheet application as a covert spy tool to compromise telecom providers and government agencies across 42 countries, sending commands and receiving stolen data through it, Google’s Threat Intelligence Group (GTIG) said on Thursday.

Working with Mandiant, GTIG confirmed intrusions at 53 organizations across 42 countries, with suspected infections in at least 20 more. The group, identified by Google as UNC2814, is a suspected PRC-nexus actor that GTIG has tracked since 2017.

“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” GTIG said in a blog post.

Unlike Salt Typhoon, the China-linked group whose intrusions into US telecom carriers drew scrutiny from Congress and federal regulators last year, UNC2814 operates with distinct tactics and targets a different set of victims globally, the post added.

How UNC2814 gains its initial foothold has not been determined, though GTIG said the group has a history of exploiting and compromising web servers and edge systems. Once inside, it deployed a novel backdoor and maintained persistent access across target networks.

A spreadsheet repurposed as a spy tool

That backdoor, which GTIG named GRIDTIDE, did not communicate the way most malware does. “The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands,” GTIG said.

The attackers wrote commands into spreadsheet cells and retrieved stolen data from them the same way. The malware polled the sheet every second for new instructions, wrote status updates back on task completion, and wiped the first 1,000 rows at the start of each session to erase traces of prior activity, the blog post explained.
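The once-per-second polling described above is itself a detection opportunity. The check below is an added example, not code from GTIG or Mandiant: it scans constructed web-proxy log lines for hosts that call the Google Sheets API at a short, regular interval. The log format, host names, spreadsheet id and thresholds are all assumptions.

```python
"""Flag machine-paced polling of the Google Sheets API in web-proxy logs.
GRIDTIDE, per GTIG, polls its spreadsheet about once per second; a steady
one-request-per-second stream from a server is not how people use Sheets.
Log format, host names, spreadsheet id and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

SHEETS_API = "https://sheets.googleapis.com/v4/spreadsheets/"

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <src_host> <method> <url>"
    ts, src, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, method, url

def find_polling_hosts(lines, max_interval=2.0, max_jitter=0.5, min_requests=10):
    """Return {src_host: (request_count, median_gap_seconds)} for hosts whose
    Sheets API requests arrive often, quickly and at a regular interval."""
    stamps_by_host = defaultdict(list)
    for line in lines:
        ts, src, _method, url = parse_line(line)
        if url.startswith(SHEETS_API):
            stamps_by_host[src].append(ts)
    suspects = {}
    for src, stamps in stamps_by_host.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call it a beacon
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_interval and pstdev(gaps) <= max_jitter:
            suspects[src] = (len(stamps), med)
    return suspects

def sample_log():
    # Constructed sample: a server polling one sheet every second for 15 s,
    # plus a workstation touching the same sheet four times over five minutes.
    base = datetime(2024, 1, 1, 9, 0, 0)
    url = SHEETS_API + "SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1:C1000"
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} srv-db-01 GET {url}"
             for i in range(15)]
    lines += [f"{(base + timedelta(seconds=s)).isoformat()} ws-alice-07 GET {url}"
              for s in (3, 47, 131, 300)]
    return lines

if __name__ == "__main__":
    for host, (count, gap) in find_polling_hosts(sample_log()).items():
        print(f"{host}: {count} Sheets API requests, median gap {gap:.1f}s")
```

Real deployments should allow-list known automation that legitimately uses the Sheets API before alerting on the hosts this returns.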

“This activity is not the result of a security vulnerability in Google’s products; rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic,” GTIG added.

“The most unsettling detail about the GRIDTIDE backdoor is how it abuses legitimate Google Sheets API calls to function as its C2 channel, while still utilizing techniques like ‘living off the land’ to blend in with regular enterprise activities,” Andrew Costis, manager of the Adversary Research Team at AttackIQ, said. “This camouflage buys attackers time by slipping past the triggers defenders rely on, like obvious malware signatures or noisy beaconing, and hiding inside the same cloud app patterns teams are used to seeing.”

How Mandiant found it

The campaign came to light during a Mandiant Threat Defense investigation, when analysts flagged unusual activity on a CentOS server. A binary named xapt, designed to masquerade as the apt package manager on Debian-based Linux systems, had already escalated to root and was running shell commands to confirm its access level, GTIG said.

The attacker had the highest available privileges on the system before the alert was raised.

From that foothold, the threat actor used a service account to move laterally via SSH, deployed living-off-the-land binaries for reconnaissance, and installed GRIDTIDE as a persistent systemd service to survive reboots. The threat actor also deployed SoftEther VPN Bridge to maintain an encrypted outbound channel.

“VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018,” GTIG said.

The extent of that access became clear when investigators examined what the attackers were targeting.

The real target was individuals

The attackers planted GRIDTIDE on endpoints that held personally identifiable information, including full names, phone numbers, dates of birth, voter IDs, and national ID numbers.

“We assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest,” GTIG said in the post.

GTIG did not directly observe exfiltration during this campaign, but noted that “historical PRC-nexus espionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise and abuse of lawful intercept systems.”

Chinese cyberespionage groups have consistently prioritized telecommunications as a target precisely because of the access their networks provide to sensitive communications and lawful intercept infrastructure.

“When telecom firms and government agencies are in the blast radius, the stakes go beyond one company’s incident report,” Costis said. “Access to telecom environments can enable broad intelligence collection, help map relationships, and create opportunities for long-term monitoring that is hard to unravel once compromised.”

To dismantle the operation, GTIG terminated all Google Cloud projects controlled by the attackers, disabled their accounts, revoked Google Sheets API access, and sinkholed current and historical C2 domains. It said it has also notified affected organizations and published indicators of compromise through Google Threat Intelligence, including IP addresses, domains, and file hashes tied to UNC2814.
