A Spreadsheet Was the Weapon
Google just disrupted one of the most sophisticated state-sponsored espionage campaigns ever documented — and the command-and-control channel was Google Sheets.
UNC2814, a suspected China-nexus threat actor tracked by Google's Threat Intelligence Group (GTIG) since 2017, compromised 53 organizations across 42 countries using a novel C-based backdoor called GridTide that communicates entirely through Google Sheets API calls.
No suspicious domains. No hardcoded IPs. No beacons to a destination you could block. Just normal-looking Google API traffic that blends in with every other cloud application in your environment.
Why Google Sheets Is a Brilliant C2 Channel
Traditional C2 infrastructure has a weakness: defenders can block it. Domain takedowns, IP blacklists, DNS sinkholes — all standard countermeasures that force attackers to constantly rotate infrastructure.
Google Sheets removes all of these problems:
- Traffic goes to sheets.googleapis.com, a domain most organizations cannot block without breaking Google Workspace
- TLS-encrypted by default: without TLS interception, content inspection sees only API calls to Google
- No infrastructure to seize, because Google Sheets is Google's infrastructure
- Free and low-friction: the attacker creates a Google account and a spreadsheet, done
- API rate limits are generous (300 read and 300 write requests per minute per project), more than enough for a polling backdoor
- Blends with legitimate traffic: thousands of applications use the Google Sheets API daily
This is the ultimate living-off-the-land technique applied to C2 infrastructure.
GridTide: Technical Deep Dive
Architecture
GridTide is a C-based backdoor — not Python, not PowerShell, not a script. Compiled C for maximum stealth and minimal dependencies on the target system.
Capabilities:
- Execute arbitrary shell commands
- Upload files from victim to attacker
- Download files from attacker to victim
- System reconnaissance and fingerprinting
The Spreadsheet C2 Protocol
GridTide uses a cell-based polling system where specific cells in a Google Sheet serve defined roles:
| Cell | Function |
|---|---|
| A1 | Command channel — attacker writes commands, backdoor overwrites with status (e.g., S-C-R = Server-Command-Received) |
| A2-An | Data transfer — command output, exfiltrated files, payload delivery |
| V1 | Victim fingerprint — system data from compromised endpoint |
Communication flow:

```text
Attacker writes command to cell A1
        ↓
GridTide polls A1 via the Google Sheets API (every N seconds)
        ↓
GridTide reads the command and executes it locally
        ↓
GridTide writes output to cells A2-An
        ↓
GridTide overwrites A1 with "S-C-R" (command received and processed)
        ↓
Attacker reads output from A2-An
```
This is bidirectional communication through a spreadsheet. The polling interval makes it look like a SaaS application checking for updates — completely normal traffic.
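To make the cell protocol concrete, here is an added simulation of the exchange above with both sides in one process. It is not UNC2814 code and not Google's Sheets client: a FakeSheet class stands in for the Sheets API (values.get / values.update) so it runs offline, the cell roles and the S-C-R marker follow the article, and command execution is a fixed lookup table, so nothing is ever run on the host. The fingerprint string and the canned outputs are constructed sample data.

```python
"""Simulation of the GridTide-style cell-based C2 protocol over an in-memory sheet.

Added example for this article; it is not UNC2814 code and not Google's Sheets client.
FakeSheet stands in for the Sheets API (values.get / values.update) so the exchange
runs offline. The cell roles (A1 command/status, A2-An data, V1 fingerprint) and the
S-C-R marker follow the article; command execution is a fixed lookup table, so no
command is ever run on the host.
"""
from dataclasses import dataclass, field

STATUS_RECEIVED = "S-C-R"  # written back to A1 once the command has been processed

# Stand-in for the implant's shell: command -> canned output (constructed, not real)
FAKE_SHELL = {
    "id": "uid=1000(svc) gid=1000(svc)",
    "cat /etc/hosts": "127.0.0.1 localhost\n10.0.0.5 telco-edge-01",
}


@dataclass
class FakeSheet:
    """One sheet tab. Every call is recorded in api_log as (method, range), which is
    all a proxy or NDR sensor sees: repeated GETs of A1 and occasional PUTs."""
    cells: dict = field(default_factory=dict)
    api_log: list = field(default_factory=list)

    def values_get(self, rng):
        self.api_log.append(("GET", rng))
        return self.cells.get(rng, "")

    def values_update(self, rng, value):
        self.api_log.append(("PUT", rng))
        self.cells[rng] = value


class Operator:
    """Attacker side: tasks via A1, reads results from A2 downward until an empty cell."""

    def __init__(self, sheet):
        self.sheet = sheet

    def task(self, cmd):
        self.sheet.values_update("A1", cmd)

    def collect(self):
        out, row = [], 2
        while True:
            value = self.sheet.values_get(f"A{row}")
            if value == "":
                return out
            out.append(value)
            row += 1


class Implant:
    """Victim side: publishes a fingerprint to V1, then polls A1 (caller sets the cadence)."""

    def __init__(self, sheet, fingerprint):
        self.sheet = sheet
        self.sheet.values_update("V1", fingerprint)

    def poll_once(self):
        cmd = self.sheet.values_get("A1")
        if cmd in ("", STATUS_RECEIVED):
            return False  # idle poll: the traffic a SOC sees most of the time
        output = FAKE_SHELL.get(cmd, f"sh: {cmd}: not found")
        for row, line in enumerate(output.splitlines(), start=2):
            self.sheet.values_update(f"A{row}", line)
        self.sheet.values_update("A1", STATUS_RECEIVED)
        return True


def run_exchange(cmd, idle_polls=3):
    """Drive one full round trip and return (A1 status, collected output, API call log)."""
    sheet = FakeSheet()
    implant = Implant(sheet, "telco-edge-01|Linux 5.15|x86_64")  # constructed fingerprint
    operator = Operator(sheet)
    for _ in range(idle_polls):
        implant.poll_once()
    operator.task(cmd)
    implant.poll_once()
    status = sheet.values_get("A1")
    results = operator.collect()
    return status, results, list(sheet.api_log)


if __name__ == "__main__":
    status, results, log = run_exchange("cat /etc/hosts")
    print(status, results)
    for method, rng in log:
        print(f"{method} .../values/{rng}")
```

The api_log is the part worth studying: before the operator does anything, the implant has already produced a run of identical GET requests for A1 at a fixed cadence, and that cadence, not the destination, is what the network detections later in this article key on.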
Persistence on Linux
GridTide establishes persistence through systemd services:
/etc/systemd/system/xapt.service → launches /usr/sbin/xapt (GridTide binary)
Additional persistence mechanisms:
- SoftEther VPN Bridge deployed for encrypted outbound connections
- SSH lateral movement using harvested service account credentials
- Living-off-the-land binaries (LOLBins) for reconnaissance and privilege escalation
Campaign Scope: 53 Victims, 42 Countries
Geographic Distribution
- Africa — government ministries, telecom operators
- Asia — telecommunications companies, state agencies
- Americas — government networks, critical infrastructure
- Suspected infections in 20+ additional countries (70+ total)
Target Sectors
- Telecommunications — access to call data records, SMS metadata, subscriber information
- Government — diplomatic communications, policy intelligence
- Critical infrastructure — strategic positioning for future operations
Operational Timeline
| Date | Event |
|---|---|
| ~2017 | GTIG begins tracking UNC2814 |
| 2017-2025 | Sustained espionage campaign across 42+ countries |
| Feb 18, 2026 | GTIG confirms 53 victims, suspected 70+ countries |
| Feb 25, 2026 | Google disrupts campaign infrastructure |
| Feb 26, 2026 | Public disclosure |
Many compromised organizations were breached for years before discovery.
MITRE ATT&CK Mapping
| Technique | ID | GridTide Usage |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Web server/edge device exploitation for initial access |
| Command and Scripting Interpreter: Unix Shell | T1059.004 | Arbitrary shell command execution |
| Create or Modify System Process: Systemd Service | T1543.002 | xapt.service creation for persistence |
| Web Service: Bidirectional Communication | T1102.002 | Google Sheets API as C2 |
| Application Layer Protocol: Web Protocols | T1071.001 | HTTPS to sheets.googleapis.com |
| Exfiltration Over C2 Channel | T1041 | File upload via Sheets cells |
| Data from Local System | T1005 | Local file collection |
| Valid Accounts | T1078 | Reuse of harvested service account credentials |
| Remote Services: SSH | T1021.004 | Lateral movement via SSH |
Detection: Finding GridTide in Your Network
1. Google Sheets API Anomaly Detection
```yaml
title: Google Sheets API Connection from Non-Browser Process
status: experimental
description: Server processes other than a browser talking to sheets.googleapis.com
logsource:
  # Endpoint network telemetry (auditd/Sysmon for Linux): proxy logs rarely carry the process name
  category: network_connection
  product: linux
detection:
  selection:
    DestinationHostname|endswith: 'sheets.googleapis.com'
  filter_browsers:
    Image|endswith:
      - '/chrome'
      - '/chromium'
      - '/firefox'
      - '/brave'
  filter_known_automation:
    # Placeholder: replace with the approved automation binaries in your environment.
    # Do not exclude interpreters (python, node, java) wholesale; that is a blind spot,
    # and GridTide is a compiled binary anyway.
    Image|startswith: '/opt/approved-sheets-sync/'
  condition: selection and not filter_browsers and not filter_known_automation
level: high
```
2. Linux Persistence Detection
```bash
# Hunt for recently modified unit files whose ExecStart points at /usr/sbin (where xapt lived).
# /etc/systemd/system/multi-user.target is not a file on most distros, so use an age window rather than -newer.
find /etc/systemd/system -type f -name '*.service' -mtime -90 -exec grep -l 'ExecStart=/usr/sbin' {} +
# Check for the GridTide-specific indicator and show the unit that launches it
ls -la /usr/sbin/xapt 2>/dev/null && echo "ALERT: GridTide indicator found!"
systemctl cat xapt.service 2>/dev/null
# Audit enabled services; the grep -v list is a crude allowlist, review everything that remains
systemctl list-unit-files --type=service --state=enabled | grep -v -E '(ssh|cron|rsyslog|systemd|network|dbus)'
# Flag ExecStart binaries not owned by any package (Debian/Ubuntu: dpkg -S; on RHEL use rpm -qf instead)
for b in $(grep -rhoP '^ExecStart=\K\S+' /etc/systemd/system/*.service 2>/dev/null); do
  dpkg -S "$b" >/dev/null 2>&1 || echo "UNOWNED: $b"
done
```
3. Network Detection (KQL)
```kql
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceAction == "Allow"
| where DestinationHostName =~ "sheets.googleapis.com"
// Placeholder identities: replace with the approved automation accounts in your environment
| where SourceUserName !in~ ("service-account", "automation")
| summarize RequestCount = count(), DistinctHours = dcount(bin(TimeGenerated, 1h)) by SourceIP, SourceUserName
// Sustained, round-the-clock access from one host is the polling signature; tune thresholds to your baseline
| where RequestCount > 100 and DistinctHours > 12
| sort by RequestCount desc
```
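Request counts per hour catch volume, but the stronger signal of a polling implant is timing regularity, the point made again in the action items at the end of this article. The following added example (not a vendor rule, not from the GTIG report) scores each source/destination pair by the coefficient of variation of its inter-request gaps over constructed proxy log lines. The log line format, the IP addresses, the SHEET_ID placeholder and the thresholds are all assumptions to tune locally.

```python
"""Beacon scoring for Sheets API polling, run over constructed proxy log lines.

Added example for this article, not a vendor rule. It complements the hourly-count
query by measuring timing regularity: an implant that polls A1 every N seconds leaves
near-constant gaps between requests, while a person using Sheets in a browser is
bursty. The log line format and the thresholds are assumptions to tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed proxy line format: "<iso8601> <src_ip> <method> <url> <status>"
SHEET_URL = "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/A1"  # SHEET_ID is a placeholder


def parse_line(line):
    """Split one assumed-format proxy line into (timestamp, source IP, destination host)."""
    ts, src, _method, url, _status = line.split()
    host = url.split("/")[2]
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host


def beacon_scores(lines, min_requests=10):
    """Map (src, host) -> (request_count, mean_gap_seconds, cv).

    cv is the coefficient of variation (stdev/mean) of inter-arrival gaps: close to 0
    means clock-driven polling, large values mean interactive use."""
    times = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        times[(src, host)].append(ts)
    scores = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        scores[key] = (len(stamps), avg, pstdev(gaps) / avg if avg else 0.0)
    return scores


def flag_beacons(lines, max_cv=0.2, min_requests=10):
    """(src, host) pairs whose request timing is regular enough to look automated."""
    return sorted(key for key, (_n, _avg, cv) in beacon_scores(lines, min_requests).items()
                  if cv <= max_cv)


def make_sample_log():
    """Constructed sample: 10.20.30.40 polls A1 every 60 s with +-1 s jitter (implant-like);
    10.20.30.41 is an analyst's browser session with irregular gaps."""
    def iso(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    base = datetime(2026, 2, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    t = base
    for i in range(20):
        lines.append(f"{iso(t)} 10.20.30.40 GET {SHEET_URL} 200")
        t += timedelta(seconds=60 + (0, 1, -1, 0)[i % 4])
    t = base + timedelta(seconds=5)
    for gap in (3, 45, 2, 300, 8, 1, 600, 20, 5, 90, 2, 4):
        lines.append(f"{iso(t)} 10.20.30.41 GET {SHEET_URL} 200")
        t += timedelta(seconds=gap)
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    for key, (n, avg, cv) in sorted(beacon_scores(sample).items()):
        print(f"{key[0]} -> {key[1]}: {n} requests, mean gap {avg:.1f}s, cv {cv:.3f}")
    print("flagged:", flag_beacons(sample))
```

Run it against real proxy exports by replacing parse_line with your log schema; the rest is schema-independent. Expect to raise max_cv for implants that add deliberate jitter, and to pair the score with the non-browser-process check above, since a scheduled legitimate sync job will also score as regular.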
4. SoftEther VPN Detection
GridTide deployments often include SoftEther VPN Bridge:
```yaml
title: SoftEther VPN Bridge Installation
status: experimental
logsource:
  category: process_creation
  product: linux
detection:
  selection_image:
    Image|contains:
      - 'vpnbridge'
      - 'vpnserver'
      - 'vpnclient'
      - 'softether'
  selection_cmdline:
    CommandLine|contains:
      - 'vpncmd'
      - 'vpnbridge'
  # Either match is enough; keeping both fields under one selection would require BOTH to hit
  condition: 1 of selection_*
level: critical
```
5. SSH Lateral Movement Audit
```bash
# Accepted SSH logins by user and source IP (classic syslog format: $9 = user, $11 = source IP).
# root is kept on purpose: harvested credentials are just as likely to be root's.
grep -h "Accepted" /var/log/auth.log* 2>/dev/null | awk '{print $9, $11}' | sort | uniq -c | sort -rn
# On journald-only hosts read the journal instead
journalctl -u ssh -u sshd --no-pager 2>/dev/null | grep "Accepted" | awk '{print $9, $11}' | sort | uniq -c | sort -rn
# authorized_keys touched in the last 30 days; service accounts often live outside /home, so include root, /var/lib and /opt
find /root /home /var/lib /opt -name authorized_keys -mtime -30 -exec echo "ALERT: {}" \; -exec cat {} \; 2>/dev/null
```
Not Salt Typhoon — But Just as Dangerous
Google explicitly stated UNC2814 shows "no observed overlaps with activity publicly reported as Salt Typhoon" — the Chinese group that breached major US telecoms in 2024-2025.
This suggests that China is running at least two independent telecom espionage operations in parallel: different teams, different tools, different infrastructure, but the same strategic objective, access to communications metadata for intelligence collection.
Google's Disruption Actions
- Terminated all attacker-controlled Google Cloud Projects
- Disabled compromised accounts
- Revoked Google Sheets API access used for C2
- Sinkholed current and historical C2 domains (these served the actor's other tooling; GridTide itself needs none)
- Notified all 53 confirmed victims
- Provided remediation support
But disruption is not elimination. The threat actor has been active since 2017. They will rebuild.
What You Should Do Now
Audit Google Sheets API access in your environment. If non-browser processes are making Sheets API calls on servers, investigate immediately.
Check Linux servers for unknown systemd services. Any service you can't explain is a potential backdoor.
Hunt for SoftEther VPN components. This is not a common enterprise tool — its presence on a server is highly suspicious.
Review SSH authorized_keys across all service accounts. Attackers used harvested credentials for lateral movement.
Monitor googleapis.com traffic patterns. Regular polling intervals from server processes (not browsers) indicate automated C2 communication.
When your C2 channel is a Google spreadsheet, every firewall rule is irrelevant. The perimeter didn't fail — it was never designed for this.
Need help hunting for cloud-based C2 in your network? Request a free penetration test at theinsider-x.com — currently in open beta.
Sources: Google GTIG, The Hacker News, Infosecurity Magazine, The Register, CSO Online, Security Affairs
MITRE ATT&CK: T1102.002, T1071.001, T1190, T1543.002, T1059, T1041, T1021.004, T1005