DEV Community

Mark0

Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

Google Threat Intelligence Group (GTIG) and Mandiant have disrupted a massive global espionage campaign orchestrated by UNC2814, a suspected PRC-nexus threat actor. Active since at least 2017, the group targeted telecommunications and government sectors across more than 70 nations. The disruption involved terminating attacker-controlled Google Cloud Projects, disabling command-and-control (C2) infrastructure, and revoking access to Google Sheets APIs used for malicious communication.

The campaign featured the "GRIDTIDE" backdoor, a sophisticated C-based malware that leverages Google Sheets as a high-availability C2 platform. By abusing legitimate API functionality, the actor disguised malicious traffic as benign cloud activity, effectively evading standard network defenses. The malware uses a specific cell-based polling mechanism for tasking, data exfiltration, and host reconnaissance, employing AES-128 encryption and custom Base64 encoding to maintain stealth during its operations.
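As an added illustration of the defensive side (not code from the GTIG/Mandiant report or the page author), the following Python flags hosts that repeatedly read the same cell of the same spreadsheet through the Sheets API at a near-constant interval, which is the traffic shape the cell-based polling described above would leave in web-proxy logs. The log lines, spreadsheet IDs and process names are constructed placeholders, and the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report); spreadsheet IDs and the
# process names are placeholders. host-a re-reads one cell at ~5-minute spacing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host-a updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/PLACEHOLDER_ID/values/Sheet1!A1
2024-05-01T10:05:01Z host-a updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/PLACEHOLDER_ID/values/Sheet1!A1
2024-05-01T10:10:00Z host-a updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/PLACEHOLDER_ID/values/Sheet1!A1
2024-05-01T10:15:02Z host-a updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/PLACEHOLDER_ID/values/Sheet1!A1
2024-05-01T10:19:59Z host-a updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/PLACEHOLDER_ID/values/Sheet1!A1
2024-05-01T10:01:10Z host-b chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/OTHER_ID/values/Budget!B2
2024-05-01T10:07:45Z host-b chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/OTHER_ID/values/Budget!C9
2024-05-01T10:31:03Z host-b chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/OTHER_ID/values/Budget!A1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) GET (\S+)$")
SHEET_RE = re.compile(r"/v4/spreadsheets/([^/]+)/values/(\S+)")

def parse_sheets_reads(log_text):
    """Yield (timestamp, host, process, sheet_id, cell_range) for each Sheets API read."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, url = m.groups()
        s = SHEET_RE.search(url)
        if s:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, s.group(1), s.group(2)

def find_sheet_polling(log_text, min_reads=4, max_cv=0.1):
    """Return (host, process, sheet_id, cell, reads, mean_gap_s) for every host/process that re-reads one cell with near-constant spacing (gap CV <= max_cv)."""
    groups = defaultdict(list)
    for ts, host, proc, sheet, cell in parse_sheets_reads(log_text):
        groups[(host, proc, sheet, cell)].append(ts)
    hits = []
    for key, times in groups.items():
        if len(times) < min_reads:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(key + (len(times), round(avg)))
    return hits
```

Calling `find_sheet_polling(SAMPLE_LOG)` returns the single flagged tuple for host-a; `min_reads` and `max_cv` are the knobs to tune against your own baseline of legitimate Sheets API traffic.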

