Google Threat Intelligence Group (GTIG) and Mandiant have disclosed details regarding the disruption of a global espionage campaign orchestrated by UNC2814, a threat actor linked to the People's Republic of China. This campaign targeted telecommunications and government organizations across 42 countries, utilizing a novel backdoor known as GRIDTIDE. The malware is notable for its use of the Google Sheets API as a command-and-control (C2) infrastructure, allowing malicious traffic to blend in with legitimate cloud service communications.
GRIDTIDE is a C-based backdoor that enables arbitrary shell command execution and file manipulation. It employs a cell-based polling mechanism within Google Spreadsheets to receive instructions and exfiltrate data, including sensitive personally identifiable information (PII). In response to this activity, Google has terminated associated Cloud Projects, disabled attacker-controlled infrastructure, and released a comprehensive set of indicators of compromise (IOCs) and YARA rules to assist defenders in identifying and neutralizing this persistent threat.
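Because the C2 channel is ordinary Sheets API traffic, a defender's best lever is the polling rhythm rather than the destination. The following is an added example (not GTIG/Mandiant code, and not a published GRIDTIDE indicator) that scans constructed proxy log lines for hosts calling the Sheets API at a suspiciously steady cadence; the log format, the SPREADSHEET_ID placeholder and the regularity threshold are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

SHEETS_API_HOST = "sheets.googleapis.com"

# Constructed proxy log: "<utc-timestamp> <src-host> <method> <dest-host> <path>".
# SPREADSHEET_ID is a placeholder; every line here is made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ws-17 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1
2024-05-01T10:00:30Z ws-17 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1
2024-05-01T10:01:00Z ws-17 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1
2024-05-01T10:01:30Z ws-17 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1
2024-05-01T10:00:05Z ws-03 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Budget!A1:Z99
2024-05-01T10:07:41Z ws-03 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Budget!A1:Z99
2024-05-01T10:08:02Z ws-03 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Budget!B2
2024-05-01T10:31:19Z ws-03 GET sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID/values/Budget!A1:Z99
2024-05-01T10:00:10Z ws-03 GET www.google.com /
"""

def parse_sheets_requests(log_text):
    """Group request timestamps by source host, keeping only Sheets API calls."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != SHEETS_API_HOST:
            continue
        per_host[parts[1]].append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    return per_host

def cadence(timestamps):
    """Return (mean gap in seconds, coefficient of variation) of inter-request gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))

def find_pollers(log_text, min_requests=4, max_cv=0.2):
    """Flag hosts whose Sheets API requests arrive with near-constant spacing.

    Assumption (ours, not the report's): an automated cell poller keeps a far
    steadier rhythm than a person editing a sheet, so low variation in the gaps
    is the signal. Thresholds must be tuned against local baseline traffic.
    """
    flagged = {}
    for host, times in parse_sheets_requests(log_text).items():
        if len(times) < min_requests:
            continue
        mean, cv = cadence(times)
        if cv <= max_cv:
            flagged[host] = {"requests": len(times), "mean_gap_s": mean, "cv": round(cv, 3)}
    return flagged

if __name__ == "__main__":
    for host, stats in find_pollers(SAMPLE_LOG).items():
        print(f"steady Sheets API polling from {host}: {stats}")
```

Only ws-17 is flagged: its four requests are exactly 30 s apart, while ws-03's irregular, human-looking access pattern is left alone.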