- Google, Mandiant and partners disrupted the UNC2814 espionage campaign
- Group used GridTide backdoor leveraging the Google Sheets API for C2
- Operation affected 53 organizations in 42 countries since 2023; hacker infrastructure and accounts disabled
Google has managed to take down a global espionage network that targeted government and telecommunications organizations in more than 40 countries around the world.
In a new research report, Google said its Threat Intelligence Group (GTIG), along with Mandiant and other partners, discovered a Chinese state-linked threat actor tracked as UNC2814 running a new espionage campaign.
In this latest campaign, the group deployed a previously unseen backdoor called GridTide, which abuses the Google Sheets API as its C2 channel. Instead of connecting to an attacker-controlled server to receive instructions and exfiltrate data, the backdoor sends HTTPS requests to legitimate Google infrastructure, blending in with normal corporate traffic and so raising no alarms.
To disrupt the attackers
All the commands are stored in spreadsheet cells in a document belonging to the attackers. The operators insert encoded instructions into specific rows or cells, and the malware periodically polls the sheet, decodes the instructions and executes them.
In some cases, exfiltrated data can also be written back into the sheet – however, GTIG said it did not observe any instances of data exfiltration.
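A defender-side check for the polling pattern described above, added here as an example and not code from Google's report or from any analysis of GridTide: it parses constructed web-proxy log lines (the log format, hostnames and sheet ids are assumptions) and flags hosts that read the same Google Sheets API range at a near-constant interval, recording a non-browser user agent as a supporting indicator.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the Google/Mandiant report): "<timestamp> <host> <user-agent> <url>".
# ws-17 reads the same sheet range every five minutes from a non-browser client; ws-09 reads a sheet at irregular times.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 python-requests/2.31 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-03-01T09:05:00 ws-17 python-requests/2.31 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-03-01T09:10:00 ws-17 python-requests/2.31 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-03-01T09:15:00 ws-17 python-requests/2.31 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_A/values/Sheet1!A1
2024-03-01T09:00:00 ws-09 Mozilla/5.0 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_C/values/Budget!A1
2024-03-01T09:01:00 ws-09 Mozilla/5.0 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_C/values/Budget!A1
2024-03-01T09:16:00 ws-09 Mozilla/5.0 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_C/values/Budget!A1
2024-03-01T09:19:20 ws-09 Mozilla/5.0 https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_C/values/Budget!A1
"""

# Sheets API v4 "values" reads and writes; the spreadsheet id is the first path segment after /spreadsheets/.
SHEETS_VALUES = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/")

def parse_sheets_events(log_text):
    """Yield (timestamp, host, user_agent, sheet_id) for each Sheets API values request in the log."""
    for line in log_text.splitlines():
        ts, host, ua, url = line.split(maxsplit=3)
        m = SHEETS_VALUES.match(url)
        if m:
            yield datetime.fromisoformat(ts), host, ua, m.group(1)

def find_periodic_polling(log_text, min_requests=4, max_jitter=0.2):
    """Flag (host, user-agent, sheet) tuples that hit the same sheet at a near-fixed interval.
    The signal is a low coefficient of variation of the gaps between requests."""
    by_key = defaultdict(list)
    for ts, host, ua, sheet in parse_sheets_events(log_text):
        by_key[(host, ua, sheet)].append(ts)
    findings = []
    for (host, ua, sheet), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # duplicate timestamps only; nothing to measure
            continue
        jitter = statistics.pstdev(gaps) / mean  # 0.0 means perfectly regular beaconing
        if jitter <= max_jitter:
            findings.append({"host": host, "sheet": sheet, "interval_s": mean, "jitter": jitter,
                             "non_browser_agent": not ua.startswith("Mozilla/")})
    return findings
```

Legitimate integrations also poll sheets on a schedule, so treat a hit as a lead to be checked against the owning process and the sheet's owner rather than as a verdict on its own.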
UNC2814 is a relatively well-known threat actor, with reports of its activity dating back to 2017 and possibly earlier.
The campaign started in 2023 and affected at least 53 organizations in 42 countries. Google suspects that UNC2814 is present in at least 20 more countries. Most of Latin America, Eastern Europe, Russia, parts of Africa and parts of South Asia appear to have been affected. With the exception of Portugal, Western Europe is mostly unscathed. The US was not touched either.
As part of the disruption effort, Google terminated all Google Cloud projects controlled by the attackers and cut off their continued access to environments compromised by GridTide. It identified and disabled all known UNC2814 infrastructure, disabled attacker accounts, and revoked the group's access to the Google Sheets API. Finally, it released a set of IoCs tied to UNC2814 infrastructure that has been active since at least 2023.