Google has dismantled a sophisticated, decade-long cyber espionage operation orchestrated by a suspected Chinese state-linked hacking group. The group, tracked as UNC2814, successfully breached 53 telecom and government entities across 42 countries, operating with remarkable stealth by leveraging Google Sheets for command and control. Coordinated action by Google Threat Intelligence Group (GTIG) and Mandiant has effectively severed the group’s persistent access and provided critical threat intelligence to aid affected organizations.
The extensive scope of this campaign highlights nearly ten years of targeted effort against sensitive global communication infrastructures. The investigation, which began monitoring the group in 2017, confirmed the widespread impact by February 2026, with suspected infections reaching at least 20 additional nations across Africa, Asia, and the Americas. This discovery underscores the enduring danger posed by advanced persistent threats (APTs) operating with significant resources.
GRIDTIDE: The Stealthy Backdoor Exploiting Cloud Infrastructure
At the heart of UNC2814’s operation was a previously undocumented backdoor named GRIDTIDE. This malware distinguished itself by eschewing dedicated command servers, instead routing its communications through Google Sheets. By treating spreadsheet cells as a live messaging channel, GRIDTIDE disguised its malicious traffic as routine cloud activity, making it exceptionally difficult for conventional network defenses to detect. This innovative approach to command and control (C2) allowed the attackers to maintain a low profile for an extended period.
Google Cloud analysts first identified GRIDTIDE following a Mandiant Threat Defense investigation that flagged suspicious behavior on a customer’s CentOS Linux server. A detection alert revealed a binary named /var/tmp/xapt, deliberately crafted to mimic a common system tool, which had obtained root-level privileges and was running commands to verify full control of the machine. The choice of name, meant to impersonate the legacy package management utility found in Debian-based Linux systems, exemplifies the group’s methodical approach to evading detection.
While the precise initial access vector remains unconfirmed, UNC2814 has a documented history of compromising internet-facing web servers and edge network devices. Once inside a network, the group employed a technique known as “living off the land,” utilizing legitimate built-in system tools for lateral movement. This strategy minimized the introduction of new software that could trigger security alerts. The targeted systems frequently held sensitive personally identifiable information, including names, phone numbers, national ID numbers, and voter registration records, aligning with known intelligence-collection priorities of the People’s Republic of China (PRC).
GRIDTIDE’s Persistence and Command-and-Control Mechanisms
Following initial access, UNC2814 ensured GRIDTIDE’s persistence by registering a systemd service at /etc/systemd/system/xapt.service. The malware was configured to run via the nohup command, guaranteeing its continued operation even after the attacker’s session had concluded. As a supplementary communication channel, the group deployed SoftEther VPN Bridge, establishing an encrypted outbound tunnel to external infrastructure that metadata suggests has been active since July 2018. This multi-layered approach enhanced their resilience and operational security.
GRIDTIDE, a C-based backdoor, possesses the capability to execute shell commands, upload files to compromised hosts, and exfiltrate data. It utilizes a 16-byte AES-128 encryption key to decrypt its Google Drive configuration, which contains the necessary service account credentials and Spreadsheet ID for C2 access. Upon establishing a connection, the malware clears the first 1,000 rows of the targeted spreadsheet, fingerprints the victim machine by collecting its hostname, OS version, local IP, and time zone, and then stores this data in cell V1. Commands are received via cell A1, and results are transmitted back through a defined cell range. All communication traffic is encoded in URL-safe Base64 to circumvent web filters and network inspection tools.
Organizations are advised to monitor outbound HTTPS connections to Google Sheets API endpoints, particularly requests involving batchClear, batchUpdate, and valueRenderOption=FORMULA, originating from non-browser processes. Security teams should also scrutinize Linux servers for systemd services located in unconventional directories, binaries executing from /var/tmp/, and the presence of SoftEther VPN components. Applying the GTIG-published YARA rule for GRIDTIDE and cross-referencing the released Indicators of Compromise (IOC) list with internal logs will assist in identifying any residual exposure from this extensive campaign.
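The monitoring advice above, turned into working detection logic as an added example (not code from GTIG or Mandiant): it parses egress records, ignores Sheets API traffic from browser processes, and flags batchClear, batchUpdate, and valueRenderOption=FORMULA requests from anything else. The JSON-lines log format, the process allowlist, and the spreadsheet ID are constructed for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Browser executables whose Sheets API traffic is expected; anything else is suspect.
# (Allowlist assumed for this example; tune it to your fleet.)
BROWSER_PROCESSES = {"chrome", "chromium", "firefox", "msedge", "safari"}

# Sheets API custom verbs singled out in the GRIDTIDE detection guidance.
SUSPICIOUS_OPS = {"batchClear", "batchUpdate"}

# Constructed egress log (JSON lines); SHEET_ID_PLACEHOLDER stands in for a real ID.
SAMPLE_LOG = [
    '{"host":"srv-01","process":"/var/tmp/xapt","method":"POST","url":"https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values:batchClear"}',
    '{"host":"wks-07","process":"/usr/bin/firefox","method":"GET","url":"https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1?valueRenderOption=FORMULA"}',
    '{"host":"srv-01","process":"/usr/bin/curl","method":"GET","url":"https://www.google.com/"}',
    '{"host":"srv-01","process":"/var/tmp/xapt","method":"GET","url":"https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1?valueRenderOption=FORMULA"}',
    '{"host":"db-02","process":"/usr/bin/python3","method":"POST","url":"https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values:batchUpdate"}',
]

def is_browser(process_path):
    """True if the executable name matches a known browser."""
    name = process_path.rsplit("/", 1)[-1].lower()
    return any(name.startswith(b) for b in BROWSER_PROCESSES)

def sheets_api_indicators(url):
    """Return the set of GRIDTIDE-style indicators present in one request URL."""
    parts = urlsplit(url)
    found = set()
    if parts.hostname != "sheets.googleapis.com":
        return found
    # batchClear / batchUpdate appear as the custom verb after ':' in the path
    verb = parts.path.rsplit(":", 1)[-1] if ":" in parts.path else ""
    if verb in SUSPICIOUS_OPS:
        found.add(verb)
    if "FORMULA" in parse_qs(parts.query).get("valueRenderOption", []):
        found.add("valueRenderOption=FORMULA")
    return found

def flag_events(lines):
    """Parse JSON-lines egress records; return (host, process, indicators) for hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_browser(ev["process"]):
            continue  # browser-originated Sheets traffic is expected
        ind = sheets_api_indicators(ev["url"])
        if ind:
            hits.append((ev["host"], ev["process"], sorted(ind)))
    return hits

if __name__ == "__main__":
    for host, proc, ind in flag_events(SAMPLE_LOG):
        print(f"{host}: {proc} -> {', '.join(ind)}")
```

Pair the hits with a check of the originating process path (anything under /var/tmp/) and of systemd unit files outside the distribution's package-managed locations before escalating.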