
Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries

  • Feb 27

Key Findings:


  • Google Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign by UNC2814, a suspected China-linked cyber espionage group

  • UNC2814 had breached at least 53 organizations across 42 countries, primarily targeting telecommunications and government sectors

  • The group used a novel backdoor called GRIDTIDE that leveraged legitimate Google Sheets API functions for command-and-control

  • GTIG took coordinated action to disrupt UNC2814's infrastructure, terminate attacker-controlled accounts and cloud projects, and revoke access to the Google Sheets API


Background


UNC2814 is a suspected China-linked cyber espionage group that has been active since at least 2017. The group has targeted a wide range of organizations, predominantly in the telecommunications and government sectors, across Africa, Asia, and the Americas.


GRIDTIDE Backdoor


  • GRIDTIDE is a sophisticated C-based backdoor used by UNC2814 to execute shell commands and to upload and download files

  • The malware uses Google Sheets as a command-and-control (C2) channel, hiding malicious traffic within legitimate API requests

  • GRIDTIDE requires a 16-byte cryptographic key on the host to decrypt its Google Drive configuration, which contains service account credentials, spreadsheet IDs, and private keys

  • The backdoor sanitizes the Google Sheet before use, deleting the first 1000 rows across columns A to Z to prevent previous commands or data from interfering
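The behaviour described above gives a defender three things to look for in web-proxy or EDR network logs: a process that has no business calling the Google Sheets API, a client that clears the first 1000 rows of columns A to Z of a sheet, and a client that polls the same spreadsheet at a steady interval. The script below is an added illustration of such a hunt and is not code from the original post, from GTIG or from Mandiant. It assumes a constructed log format (timestamp, source host, process, destination host, URL path), assumes the row deletion shows up as a Sheets API `values:clear` call on range `A1:Z1000` (the post does not say which API call GRIDTIDE uses), and uses a made-up allowlist of expected client processes and made-up host names and spreadsheet IDs.

```python
"""
Added detection example (not part of the original post or of GTIG's tooling).
Hunts proxy logs for Google Sheets API use that does not look like a person in
a browser: an unexpected process, a client clearing A1:Z1000 of a sheet (the
sanitisation step; the exact API call is an assumption), and regular polling
of one spreadsheet. Log format, hosts, processes and sheet IDs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed proxy log lines: "timestamp src_host process dest_host path"
SAMPLE_LOG = """\
2025-02-20T09:00:00 ws-17 chrome.exe sheets.googleapis.com /v4/spreadsheets/1AbCdEf/values/A1:B5
2025-02-20T09:00:03 ws-42 svchost.exe sheets.googleapis.com /v4/spreadsheets/1XyZ987/values/A1%3AZ1000:clear
2025-02-20T09:01:03 ws-42 svchost.exe sheets.googleapis.com /v4/spreadsheets/1XyZ987/values/A1:Z1000
2025-02-20T09:02:03 ws-42 svchost.exe sheets.googleapis.com /v4/spreadsheets/1XyZ987/values/A1:Z1000
2025-02-20T09:03:03 ws-42 svchost.exe sheets.googleapis.com /v4/spreadsheets/1XyZ987/values/A1:Z1000
2025-02-20T09:04:03 ws-42 svchost.exe sheets.googleapis.com /v4/spreadsheets/1XyZ987/values/A1:Z1000
2025-02-20T09:15:00 ws-17 chrome.exe sheets.googleapis.com /v4/spreadsheets/1AbCdEf/values/C1:C9
"""

# Processes expected to talk to the Sheets API in this (constructed) environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Sheets API v4 values endpoints: /v4/spreadsheets/{id}/values/{range}[:clear]
SHEET_RE = re.compile(r"^/v4/spreadsheets/([^/]+)/values/(.+?)(:clear)?$")


def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, proc, dest, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "proc": proc, "dest": dest, "path": path})
    return events


def find_suspicious(events, min_polls=4, max_jitter_s=5):
    """Return (host, process, spreadsheet_id, sorted reasons) for each lead."""
    findings = {}
    series = defaultdict(list)  # (host, proc, sheet_id) -> request timestamps
    for e in events:
        if e["dest"] != "sheets.googleapis.com":
            continue
        m = SHEET_RE.match(e["path"])
        if not m:
            continue
        sheet_id, rng, clear = m.groups()
        rng = unquote(rng).upper()  # ranges may be URL-encoded (A1%3AZ1000)
        key = (e["host"], e["proc"], sheet_id)
        reasons = findings.setdefault(key, set())
        if e["proc"] not in EXPECTED_CLIENTS:
            reasons.add("unexpected process")
        if clear and rng == "A1:Z1000":
            reasons.add("clears A1:Z1000")
        series[key].append(e["ts"])
    # Beaconing check: enough requests to one sheet at a near-constant interval.
    for key, stamps in series.items():
        if len(stamps) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= max_jitter_s:
                findings[key].add("regular polling")
    return [(h, p, s, sorted(r)) for (h, p, s), r in findings.items() if r]


if __name__ == "__main__":
    for host, proc, sheet, why in find_suspicious(parse(SAMPLE_LOG)):
        print(f"{host} {proc} sheet={sheet}: {', '.join(why)}")
```

Each heuristic on its own produces leads, not verdicts: legitimate integrations also poll Sheets on a timer and may clear ranges, so the process allowlist and the polling thresholds have to be tuned to the environment, and a hit is a reason to pull the process and its configuration files for review rather than a confirmed GRIDTIDE infection.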


Disruption Efforts


  • GTIG and partners terminated all attacker-controlled Google Cloud Projects and accounts, disabling GRIDTIDE backdoor access

  • Known UNC2814 infrastructure, including current and historical domains, was taken down

  • Attacker accounts and Google Sheets API access were revoked, and victim organizations were formally notified and supported

  • GTIG refined detection signatures to block GRIDTIDE activity and released indicators of compromise (IOCs) used by UNC2814 since 2023


Impact


  • UNC2814's global operations were disrupted, halting attacks on at least 53 organizations across 42 countries

  • The group's use of legitimate cloud services for command-and-control highlights the evolving tactics of sophisticated threat actors

  • GTIG's coordinated efforts with industry partners effectively dismantled UNC2814's infrastructure and protected affected organizations


Sources


  • https://securityaffairs.com/188521/apt/google-gtig-disrupted-china-linked-apt-unc2814-halting-attacks-on-53-orgs-in-42-countries.html

  • https://www.linkedin.com/posts/dlross_google-gtig-disrupted-china-linked-apt-unc2814-activity-7432933749937545216-d5UR

© 2025 by Explain IT Again. Powered and secured by Wix