{"id":15871,"date":"2026-02-26T11:21:01","date_gmt":"2026-02-26T11:21:01","guid":{"rendered":"https:\/\/newestek.com\/?p=15871"},"modified":"2026-02-26T11:21:01","modified_gmt":"2026-02-26T11:21:01","slug":"china-linked-hackers-used-google-sheets-to-spy-on-telecoms-and-governments-across-42-countries","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15871","title":{"rendered":"China-linked hackers used Google Sheets to spy on telecoms and governments across 42 countries"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Google has disrupted a China-linked espionage group that used Google\u2019s spreadsheet application as a covert spy tool to compromise telecom providers and government agencies across 42 countries, sending commands and receiving stolen data through it, Google\u2019s Threat Intelligence Group (GTIG) said on Thursday.<\/p>\n<p>Working with Mandiant, GTIG confirmed intrusions at 53 organizations across 42 countries, with suspected infections in at least 20 more. 
The group, identified by Google as UNC2814, is a suspected PRC-nexus actor that GTIG has tracked since 2017.<\/p>\n<p>\u201cThis prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,\u201d GTIG said in a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/disrupting-gridtide-global-espionage-campaign\" target=\"_blank\" rel=\"noreferrer noopener\">blog post<\/a>.<\/p>\n<p>Unlike <a href=\"https:\/\/www.csoonline.com\/article\/3632044\/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html\">Salt Typhoon<\/a>, the China-linked group whose intrusions into US telecom carriers drew scrutiny from Congress and federal regulators last year, UNC2814 operates with distinct tactics and targets a different set of victims globally, the post added.<\/p>\n<p>How UNC2814 gains its initial foothold has not been determined, though GTIG said the group has a history of exploiting and compromising web servers and edge systems. Once inside, it deployed a novel backdoor and maintained persistent access across target networks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-spreadsheet-repurposed-as-a-spy-tool\">A spreadsheet repurposed as a spy tool<\/h2>\n<p>That backdoor, which GTIG named GRIDTIDE, did not communicate the way most malware does. \u201cThe backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands,\u201d GTIG said.<\/p>\n<p>The attackers wrote commands into spreadsheet cells and retrieved stolen data from them the same way. 
The malware polled the sheet every second for new instructions, wrote status updates back on task completion, and wiped the first 1,000 rows at the start of each session to erase traces of prior activity, the blog post explained.<\/p>\n<p>\u201cThis activity is not the result of a security vulnerability in Google\u2019s products; rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic,\u201d GTIG added.<\/p>\n<p>\u201cThe most unsettling detail about the GRIDTIDE backdoor is how it abuses legitimate Google Sheets API calls to function as its C2 channel, while still utilizing techniques like \u2018living off the land\u2019 to blend in with regular enterprise activities,\u201d Andrew Costis, manager of the Adversary Research Team at AttackIQ, said. \u201cThis camouflage buys attackers time by slipping past the triggers defenders rely on, like obvious malware signatures or noisy beaconing, and hiding inside the same cloud app patterns teams are used to seeing.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-mandiant-found-it\">How Mandiant found it<\/h2>\n<p>The campaign came to light during a Mandiant Threat Defense investigation, when analysts flagged unusual activity on a CentOS server. A binary named xapt, designed to masquerade as the apt package manager on Debian-based Linux systems, had already escalated to root and was running shell commands to confirm its access level, GTIG said.<\/p>\n<p>The attacker had the highest available privileges on the system before the alert was raised.<\/p>\n<p>From that foothold, the threat actor used a service account to move laterally via SSH, deployed living-off-the-land binaries for reconnaissance, and installed GRIDTIDE as a persistent systemd service to survive reboots. 
The threat actor also deployed SoftEther VPN Bridge to maintain an encrypted outbound channel.<\/p>\n<p>\u201cVPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018,\u201d GTIG said.<\/p>\n<p>The extent of that access became clear when investigators examined what the attackers were targeting.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-real-target-was-individuals\">The real target was individuals<\/h2>\n<p>The attackers planted GRIDTIDE on endpoints that held personally identifiable information, including full names, phone numbers, dates of birth, voter IDs, and national ID numbers. <\/p>\n<p>\u201cWe assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest,\u201d GTIG said in the post.<\/p>\n<p>GTIG did not directly observe exfiltration during this campaign, but noted that \u201chistorical PRC-nexus espionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise and abuse of lawful intercept systems.\u201d<\/p>\n<p>Chinese cyberespionage groups have consistently <a href=\"https:\/\/www.csoonline.com\/article\/3838331\/chinese-cyber-espionage-growing-across-all-industry-sectors-2.html\">prioritized telecommunications<\/a> as a target precisely because of the access their networks provide to sensitive communications and lawful intercept infrastructure.<\/p>\n<p>\u201cWhen telecom firms and government agencies are in the blast radius, the stakes go beyond one company\u2019s incident report,\u201d Costis said. 
\u201cAccess to telecom environments can enable broad intelligence collection, help map relationships, and create opportunities for long-term monitoring that is hard to unravel once compromised.\u201d<\/p>\n<p>To dismantle the operation, GTIG terminated all Google Cloud projects controlled by the attackers, disabled their accounts, revoked Google Sheets API access, and sinkholed current and historical C2 domains. It said it has also notified affected organizations and published indicators of compromise through Google Threat Intelligence, including IP addresses, domains, and file hashes tied to UNC2814.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google has disrupted a China-linked espionage group that used Google\u2019s spreadsheet application as a covert spy tool to compromise telecom providers and government agencies across 42 countries, sending commands and receiving stolen data through it, Google\u2019s Threat Intelligence Group (GTIG) said on Thursday. Working with Mandiant, GTIG confirmed intrusions at 53 organizations across 42 countries, with suspected infections in at least 20 more. 
The group,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15871\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15871","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15871"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15871\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}