GRIDTIDE execution lifecycle
A massive, years-long cyber espionage campaign has been successfully dismantled. Recently, a coordinated effort led by the Google Threat Intelligence Group (GTIG), Mandiant, and several industry partners disrupted the operations of UNC2814—a suspected China-nexus hacking group that has been quietly infiltrating networks worldwide since at least 2017.
By the time the plug was pulled, the group had confirmed intrusions in 42 countries, targeting the very backbone of modern society: international governments and global telecommunications organizations across Africa, Asia, and the Americas.
What made UNC2814 so elusive was its brilliant, yet chilling, method of staying hidden. Instead of building complex, custom-made command centers that security software is trained to spot, the hackers hid their malicious activities in plain sight. They used everyday Software-as-a-Service (SaaS) applications—specifically Google Sheets—to communicate with their malware and send commands to infected systems.
As the official report notes, “Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate.”
By disguising their digital footprints as normal, everyday business traffic flowing to familiar cloud services, the attackers were able to bypass standard security alarms and maintain persistent access to highly sensitive environments for years.
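A defender's counterpart to the technique described above: because traffic to the Sheets API is legitimate almost everywhere, the useful signal is not the destination but who is talking to it and how. The script below is an added illustration, not code from the GTIG report or its partners. It reads pipe-delimited web proxy records (a constructed format, with constructed sample lines), groups connections to the Sheets API host per source machine, and flags sources whose client is not a browser or whose connection timing is too regular to be a human using a spreadsheet. The hostname `sheets.googleapis.com` is assumed to be the API endpoint that appears in proxy logs; the thresholds are assumptions to tune per environment.

```python
"""Flag hosts whose Google Sheets API traffic looks like machine beaconing.

Added example for this article; not the report's own detection logic.
Log format, sample lines, thresholds and the API hostname are assumptions.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

SHEETS_HOST = "sheets.googleapis.com"  # assumed Sheets API hostname in proxy logs
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

# Constructed proxy records: timestamp | source host | user agent | destination host
SAMPLE_LOG = """\
# ws-12: an analyst editing a spreadsheet in a browser at irregular times
2024-03-01T09:00:00 | ws-12 | Mozilla/5.0 Chrome/120 | sheets.googleapis.com
2024-03-01T09:04:31 | ws-12 | Mozilla/5.0 Chrome/120 | sheets.googleapis.com
2024-03-01T09:31:07 | ws-12 | Mozilla/5.0 Chrome/120 | sheets.googleapis.com
2024-03-01T10:12:45 | ws-12 | Mozilla/5.0 Chrome/120 | sheets.googleapis.com
2024-03-01T11:03:02 | ws-12 | Mozilla/5.0 Chrome/120 | sheets.googleapis.com
# srv-07: a non-browser client polling the API every 300 s exactly
2024-03-01T09:00:00 | srv-07 | python-requests/2.31 | sheets.googleapis.com
2024-03-01T09:05:00 | srv-07 | python-requests/2.31 | sheets.googleapis.com
2024-03-01T09:10:00 | srv-07 | python-requests/2.31 | sheets.googleapis.com
2024-03-01T09:15:00 | srv-07 | python-requests/2.31 | sheets.googleapis.com
2024-03-01T09:20:00 | srv-07 | python-requests/2.31 | sheets.googleapis.com
# ws-20: a non-browser client, but too few hits to judge timing
2024-03-01T12:00:00 | ws-20 | curl/8.4 | sheets.googleapis.com
2024-03-01T12:45:00 | ws-20 | curl/8.4 | sheets.googleapis.com
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the pipe-delimited records, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, ua, dst = (field.strip() for field in line.split("|"))
        records.append((datetime.fromisoformat(ts), src, ua, dst))
    return records


def _is_browser(user_agent: str) -> bool:
    return any(marker in user_agent for marker in BROWSER_UA_MARKERS)


def find_suspicious_sheets_clients(text: str, min_hits: int = 4,
                                   max_cv: float = 0.2) -> list[dict]:
    """Return one finding per source host with at least one reason to look closer.

    Reasons:
      non_browser_user_agent - some client on the host is not a browser
      regular_interval       - >= min_hits connections whose interval jitter
                               (coefficient of variation) is at most max_cv
    """
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, ua, dst in parse_log(text):
        if dst == SHEETS_HOST:
            by_src[src].append((ts, ua))

    findings = []
    for src, hits in sorted(by_src.items()):
        hits.sort()
        reasons = []
        if any(not _is_browser(ua) for _, ua in hits):
            reasons.append("non_browser_user_agent")

        mean_iv = cv = None
        if len(hits) >= min_hits:
            times = [ts for ts, _ in hits]
            intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_iv = statistics.mean(intervals)
            spread = statistics.pstdev(intervals)
            cv = spread / mean_iv if mean_iv else 0.0
            if cv <= max_cv:
                reasons.append("regular_interval")

        if reasons:
            findings.append({"src": src, "hits": len(hits),
                             "mean_interval_s": mean_iv, "cv": cv,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sheets_clients(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports `srv-07` (non-browser client, zero jitter at a 300 s period) and `ws-20` (non-browser client only), and stays silent on the browser session of `ws-12`. The two reasons are deliberately independent: a well-written implant can randomize its sleep, and a legitimate integration can poll on a fixed schedule, so each flag is a prompt to check which process and which account own the connection rather than a verdict on its own.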
Disrupting a network of this scale required a sweeping, multi-pronged counterattack. The joint task force didn’t just block a few IP addresses; they systematically dismantled the group’s entire operational playbook. The disruption actions included:
- Severing the Connection: The team terminated all Google Cloud Projects controlled by the attackers, instantly cutting off their access to the compromised environments.
- Revoking Access: Attacker accounts were disabled, and their ability to use the Google Sheets API for command-and-control communication was completely revoked.
- Sinkholing Domains: Both current and historical web domains used by the group were “sinkholed” (redirected away from the attackers), crippling their infrastructure.
- Equipping Defenders: GTIG and its partners released specialized detection signatures and Indicators of Compromise (IOCs) to the public, allowing organizations worldwide to check their own networks for the novel “GRIDTIDE” backdoor used in the campaign.
Additionally, the response team has been actively issuing formal notifications to victims and providing hands-on support to organizations recovering from the breaches.
“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” the report concludes.
Building an espionage network of this magnitude takes incredible resources and time. While the attackers have been severely set back, the intelligence community knows the battle is far from over. As the report warns, “Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint.”