What Happened
Google Threat Intelligence Group (GTIG) and Mandiant have disrupted a decade-long cyber espionage campaign conducted by UNC2814, a suspected China-nexus threat actor. The operation, tracked since 2017, breached at least 53 organizations across 42 countries, primarily targeting telecommunications providers and government agencies in Africa, Asia, and the Americas.
The campaign, dubbed GRIDTIDE, represents a sophisticated evolution in nation-state cyber operations. Attackers deployed a novel C-based backdoor that abused the Google Sheets API as a command-and-control (C2) channel, disguising malicious traffic as legitimate Google platform activity. According to BleepingComputer, the threat actor is suspected of operating across more than 70 countries spanning four continents.
Google's disruption, executed in late February 2026, disabled all attacker-controlled infrastructure, terminated malicious cloud projects, and revoked API access. However, security experts expect UNC2814 to re-establish operations with new infrastructure.
Technical Details
The GRIDTIDE malware demonstrates a concerning trend: exploiting trusted SaaS platforms to evade traditional network-based detection. Rather than exploiting vulnerabilities in Google products, the attackers abused legitimate API functionality.
How the Google Sheets C2 Worked
The backdoor communicated with attacker-controlled Google Sheets spreadsheets using the public Google Sheets API. According to Google's technical analysis, the malware checked cell A1 for commands—such as shell commands or file transfer instructions—then overwrote it with status reports. Adjacent cells handled tool transfers and data exfiltration.
This technique made malicious traffic indistinguishable from normal business use of Google services. Firewalls and proxy servers saw legitimate HTTPS connections to Google's infrastructure, not suspicious C2 communications.
Persistence and Capabilities
Once deployed, GRIDTIDE established persistence by installing itself as /usr/sbin/xapt with a corresponding systemd service at /etc/systemd/system/xapt.service. Cybersecurity Dive reports that the malware supported:
- Arbitrary shell command execution
- File upload and download capabilities
- Reconnaissance using living-off-the-land (LotL) binaries
- Privilege escalation techniques
- Lateral movement via SSH using compromised service accounts
The attackers also deployed SoftEther VPN Bridge for encrypted outbound connections to external IPs—a tactic associated with other China-nexus threat groups.
Target Profile
UNC2814 focused on telecommunications providers and government agencies, specifically targeting endpoints containing personally identifiable information (PII). This access could enable surveillance of call records, SMS messages, and lawful intercept systems. SC Magazine notes that while no direct exfiltration was observed, the positioning was ideal for monitoring persons of interest.
Impact Assessment
The scope of this campaign is significant. With 53 confirmed breaches across 42 countries, and suspected activity in 70+ nations, UNC2814 operated at a global scale for nearly a decade. The primary victims—telecommunications providers and government agencies—represent critical infrastructure and sensitive government operations.
Importantly, Google confirms that GRIDTIDE is distinct from the Salt Typhoon campaign, indicating multiple China-nexus threat actors are independently targeting telecommunications infrastructure.
For affected organizations, the impact extends beyond immediate data theft. The presence of persistent backdoors in telecommunications networks could have enabled:
- Long-term surveillance of targeted individuals
- Access to call detail records and SMS content
- Potential manipulation of lawful intercept systems
- Intelligence gathering on government communications
What You Should Do
While Google has disrupted the known infrastructure, organizations—especially those in telecommunications and government—should take immediate action:
Immediate Steps
- Check for Indicators of Compromise (IoCs): Google has released detection rules and IoCs in their report. Look for the GRIDTIDE binary at /usr/sbin/xapt and the systemd service file.
- Audit Google Sheets API Usage: Review API access logs for unusual patterns, particularly automated access from unexpected sources or regions.
- Monitor Outbound Connections: Look for connections to SoftEther VPN endpoints or unexpected encrypted tunnels.
- Review Service Accounts: Audit SSH service accounts for unauthorized access or suspicious login patterns.
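The first of those steps, checking a host for the GRIDTIDE persistence artifacts, is easy to script. The example below is added here and is not from Google's report or any vendor tool; the only facts it takes from the reporting are the two paths (/usr/sbin/xapt and /etc/systemd/system/xapt.service). It scans the live host by default, or a mounted disk image when given a root directory, and also reports whether the unit is enabled and what its ExecStart launches. The unit-directory names and the output format are the author's choices.

```python
#!/usr/bin/env python3
"""Hunt for the GRIDTIDE persistence artifacts named in the public reporting.

Scans the live host by default; pass a mount point to scan an offline disk image.
Only the two paths below come from the report; everything else is illustrative.
"""
import sys
from pathlib import Path

# Artifacts named in the reporting: the backdoor binary and its systemd unit.
GRIDTIDE_PATHS = (
    "usr/sbin/xapt",
    "etc/systemd/system/xapt.service",
)
UNIT_NAME = "xapt.service"
# Standard systemd unit directories (assumption: typical Linux layout).
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")


def find_artifacts(root="/"):
    """Return a list of findings for the filesystem rooted at `root`.

    An empty list means none of the known artifacts were present.
    """
    root = Path(root)
    findings = []
    for rel in GRIDTIDE_PATHS:
        p = root / rel
        if p.exists() or p.is_symlink():
            findings.append(f"artifact present: {p}")
    # An enabled unit appears as a symlink inside a *.wants/ directory.
    for unit_dir in UNIT_DIRS:
        d = root / unit_dir
        if not d.is_dir():
            continue
        for link in d.glob(f"*.wants/{UNIT_NAME}"):
            findings.append(f"unit enabled via {link}")
    # Record what the unit launches so the analyst sees the ExecStart line.
    unit = root / "etc/systemd/system" / UNIT_NAME
    if unit.is_file():
        for line in unit.read_text(errors="replace").splitlines():
            if line.strip().startswith("ExecStart="):
                findings.append(f"unit ExecStart: {line.strip()}")
    return findings


def main(argv):
    root = argv[1] if len(argv) > 1 else "/"
    findings = find_artifacts(root)
    for f in findings:
        print("FOUND", f)
    if not findings:
        print(f"no GRIDTIDE artifacts under {root}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 gridtide_check.py` on a live host or `python3 gridtide_check.py /mnt/image` on a mounted image; a non-zero exit code means something was found. Absence of these paths is not proof of a clean host, since the report's detection rules and other IoCs should be applied as well.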
Longer-Term Defenses
- Implement API Access Controls: Restrict which applications and users can access SaaS APIs. Consider API gateways that can inspect and log API calls.
- Network Behavior Analytics: Traditional signature-based detection won't catch legitimate SaaS abuse. Deploy solutions that identify anomalous usage patterns.
- Zero Trust Architecture: Assume attackers can access your network. Implement microsegmentation and least-privilege access to limit lateral movement.
- Endpoint Detection and Response (EDR): Ensure EDR solutions can detect living-off-the-land techniques and unusual process behaviors.
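One concrete form of the behavioral analytics recommended above is to look not at where traffic goes but at how regularly it goes there: a backdoor polling a spreadsheet for commands connects on a schedule, while people using Sheets do not. The script below is an added example, not part of the original article or Google's detection rules. It reads a constructed proxy log format (timestamp, source IP, method, host:port, status), groups connections to sheets.googleapis.com by source, and flags sources whose inter-connection intervals have a low coefficient of variation. The log lines, the thresholds and the field layout are all assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Flag hosts whose connections to sheets.googleapis.com look like machine polling.

Scores each source by the regularity of the gaps between its connections.
Log format, sample lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: "<ISO timestamp> <src_ip> <method> <host:port> <status>".
# 10.0.0.5 connects roughly every 60 s; 10.0.0.9 is irregular, human-like use.
SAMPLE_LOG = """\
2026-02-20T09:00:00 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:01:01 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:01:59 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:03:00 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:04:01 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:05:00 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:06:00 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:07:01 10.0.0.5 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:00:12 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:00:40 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:14:03 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:15:55 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:47:10 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T10:02:33 10.0.0.9 CONNECT sheets.googleapis.com:443 200
2026-02-20T09:00:05 10.0.0.7 CONNECT www.google.com:443 200
"""

WATCHED_HOST = "sheets.googleapis.com"
MIN_CONNECTIONS = 6   # fewer samples than this and the statistic is noise (assumed threshold)
MAX_CV = 0.15         # coefficient of variation at or below this is suspiciously regular (assumed)


def parse_log(text):
    """Yield (timestamp, src_ip, host) for every line that reaches the watched host."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, src, _method, hostport, _status = parts
        host = hostport.rsplit(":", 1)[0]
        if host == WATCHED_HOST:
            yield datetime.fromisoformat(ts), src, host


def interval_stats(timestamps):
    """Return (mean, coefficient of variation) of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return {src_ip: (count, mean_gap_s, cv)} for sources polling on a fixed schedule."""
    by_src = defaultdict(list)
    for ts, src, _host in parse_log(text):
        by_src[src].append(ts)
    beacons = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_connections:
            continue
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            beacons[src] = (len(stamps), round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for src, (n, mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: {n} connections to {WATCHED_HOST}, every {mean}s (cv={cv})")
```

On the constructed sample only 10.0.0.5 is flagged. In production the same logic would be fed from the proxy or DNS logs, the thresholds tuned against a baseline of normal Sheets use, and hits correlated with the host artifacts above and with the Sheets API audit logs, since a regular polling interval alone is also produced by legitimate automation.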
Lessons Learned
The GRIDTIDE campaign highlights several critical shifts in the threat landscape:
Trusted Platforms Are Not Safe Harbors: Attackers increasingly abuse legitimate cloud services—Google Sheets, GitHub, Dropbox, and similar platforms—for C2 communications. Security tools that trust these services implicitly create blind spots.
Detection Must Evolve Beyond Signatures: When malicious traffic looks identical to legitimate business traffic, signature-based detection fails. Organizations need behavioral analytics and context-aware monitoring.
Nation-State Patience Is Remarkable: Operating since at least 2017, UNC2814 demonstrated sustained focus on strategic targets. This wasn't a smash-and-grab operation—it was patient, methodical espionage.
Disruption Is Temporary: Google's action is significant but likely temporary. UNC2814 will adapt, moving to new infrastructure and potentially new SaaS platforms. Organizations must maintain vigilance, not assume the threat has passed.
Telecoms Remain High-Value Targets: The concentration on telecommunications providers reflects their strategic value. These networks provide access to communications data, surveillance capabilities, and intelligence on government operations. If you work in telecom security, assume you're a priority target.
Resources
- Google Cloud Blog: Disrupting the GRIDTIDE Global Cyber Espionage Campaign – Official technical analysis with IoCs
- BleepingComputer: Chinese cyberspies breached dozens of telecom firms – Detailed coverage of the campaign
- Cybersecurity Dive: China-linked hackers breach telecoms – Industry analysis and context
- The Hacker News: Google Disrupts UNC2814 GRIDTIDE Campaign – Technical summary
- SC Magazine: Google disrupts decade-long espionage campaign – Security industry perspective