Google Disrupts Massive Cyberespionage Campaign Across Multiple Countries
- Feb 25
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries
Key Findings
Google, in collaboration with industry partners, disrupted the infrastructure of the suspected China-nexus cyber espionage group UNC2814
UNC2814 breached at least 53 organizations across 42 countries in the Americas, Asia, and Africa
The threat actor may have targeted at least 20 additional countries
UNC2814 used a novel backdoor called GRIDTIDE that abuses Google Sheets API for command-and-control (C2) purposes
The group targeted organizations, particularly telecoms and governments, to monitor individuals of interest
Background
UNC2814 has been active since at least 2017 and has been described as one of the "most far-reaching, impactful campaigns" encountered in recent years. The threat actor has a history of targeting international governments and global telecommunications organizations.
Tactics, Techniques, and Procedures (TTPs)
UNC2814 used API calls to communicate with software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign
The group leveraged a novel backdoor dubbed GRIDTIDE that abuses the Google Sheets API as a communication channel
GRIDTIDE supports file upload/download and the execution of arbitrary shell commands
The group used living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and persistence
UNC2814 deployed SoftEther VPN Bridge to establish encrypted outbound connections
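As an added example (not code from the article or from Google), here is a defender-side heuristic for the SaaS-API C2 pattern described above: it scans constructed web-proxy log lines for non-browser clients that call the Google Sheets API at near-regular intervals. The log format, the user-agent filter and the regularity threshold are assumptions chosen for illustration, not documented properties of GRIDTIDE.

```python
# Added example, not the article's or Google's code: a beaconing heuristic
# over constructed proxy log lines of the form  <iso-ts> <src-ip> <dest-host> "<user-agent>"
import re, statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')
SHEETS_HOST = "sheets.googleapis.com"   # real Google Sheets API endpoint
BROWSER_MARKERS = ("Mozilla/",)          # assumption: browsers identify as Mozilla/...

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None            # tolerate malformed lines instead of crashing
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Map src -> (hits, mean gap in s) for non-browser clients hitting the
    Sheets API at near-regular intervals (coefficient of variation <= max_cv)."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["host"] == SHEETS_HOST and not rec["ua"].startswith(BROWSER_MARKERS):
            by_src[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_hits:
            continue               # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged[src] = (len(stamps), round(mean, 1))
    return flagged

# Constructed sample: 10.0.0.5 beacons every ~60 s from a script UA (flagged),
# 10.0.0.7 is a browser (ignored), 10.0.0.9 is a script with irregular timing.
SAMPLE_LOGS = [
    '2026-02-20T10:00:00 10.0.0.5 sheets.googleapis.com "python-requests/2.31"',
    '2026-02-20T10:01:00 10.0.0.5 sheets.googleapis.com "python-requests/2.31"',
    '2026-02-20T10:02:01 10.0.0.5 sheets.googleapis.com "python-requests/2.31"',
    '2026-02-20T10:03:00 10.0.0.5 sheets.googleapis.com "python-requests/2.31"',
    '2026-02-20T10:04:00 10.0.0.5 sheets.googleapis.com "python-requests/2.31"',
    '2026-02-20T10:00:10 10.0.0.7 sheets.googleapis.com "Mozilla/5.0 Chrome/122"',
    '2026-02-20T10:00:30 10.0.0.9 sheets.googleapis.com "curl/8.5"',
    '2026-02-20T10:07:00 10.0.0.9 sheets.googleapis.com "curl/8.5"',
    '2026-02-20T10:08:00 10.0.0.9 sheets.googleapis.com "curl/8.5"',
    '2026-02-20T10:30:00 10.0.0.9 sheets.googleapis.com "curl/8.5"',
]
```

A legitimate scripted integration can also poll the Sheets API on a timer, so treat a hit as a lead for host triage (which process owns the connection, which account token it uses) rather than a verdict.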
Disruption Efforts
Google terminated all Google Cloud Projects controlled by the attacker, disabled known UNC2814 infrastructure, and cut off access to attacker-controlled accounts and Google Sheets API calls
Victim notifications were issued, and organizations with verified compromises are receiving active support
IoCs were released to help organizations detect GRIDTIDE and other UNC2814 activity
Impact and Outlook
The global scope of UNC2814's activity, spanning over 70 countries, underscores the serious threat facing the telecommunications and government sectors
Google expects UNC2814 will work to re-establish its global footprint, but the disruption will significantly set back the group's efforts
Sources
https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/amp/
