Google has disclosed a coordinated takedown of UNC2814, a suspected China-linked cyber-espionage group, after investigators tied it to intrusions at 53 organisations in 42 countries, with telecommunications providers and government bodies forming the core of the victim set. The campaign centred on a custom backdoor called GRIDTIDE, which used Google Sheets as a covert command-and-control channel so that malicious traffic blended with ordinary cloud activity; the backdoor abused legitimate Google Sheets functionality rather than exploiting any flaw in Google’s products.
The operation was made public on 25 and 26 February 2026 through disclosures from Reuters and Google Threat Intelligence Group, which said Google, Mandiant and partners had terminated attacker-controlled Google Cloud projects, disabled accounts used in the operation and moved to dismantle known infrastructure tied to the campaign. Google said the action followed a Mandiant investigation that accelerated understanding of the malware and the scope of the activity.
That chronology matters because some early characterisations of the campaign overstated or blurred its target base. Google’s published findings describe a group tracked since 2017, with confirmed intrusions in 42 countries and suspected infections in at least 20 more, not a narrower 14-country footprint. The company said the campaign chiefly targeted telecom operators and government organisations, while also stressing that it had seen no overlap with the separate “Salt Typhoon” activity that has drawn scrutiny elsewhere.
At the centre of the case is GRIDTIDE, a C-based backdoor designed for persistence, file transfer and remote shell access. Investigators said the malware authenticated to attacker-controlled spreadsheets through a Google service account, cleared old worksheet entries, profiled the infected host and then waited for commands placed into specific cells. By using legitimate API calls to Google Sheets, the operators could make their traffic look routine, a technique that fits a broader shift in espionage tradecraft towards “living off trusted services” instead of relying only on bespoke infrastructure.
Google said Mandiant first spotted the intrusion on a CentOS server after a detection flagged suspicious execution from /var/tmp/xapt, a binary that appeared to be named to resemble legitimate software. From there, the attackers used service accounts for lateral movement over SSH, deployed persistence through a systemd service and established an outbound connection using SoftEther VPN Bridge. Google said configuration metadata suggested some of the supporting infrastructure had been in use since July 2018, pointing to a long-running operational backbone even if the identified GRIDTIDE infrastructure was active from at least 2023.
The implications extend beyond one malware family. In one investigated case, Google said the attackers planted GRIDTIDE on an endpoint holding personally identifiable information including names, phone numbers, dates of birth, place of birth, voter ID numbers and national ID numbers. Google’s analysts assessed that such targeting aligned with telecom espionage aimed at identifying and monitoring persons of interest. Reuters, citing Google’s chief analyst John Hultquist, described the operation as a “vast surveillance apparatus used to spy on people and organisations throughout the world”.
That assessment echoes longstanding warnings from Western cyber agencies that China-linked operators often seek durable access to communications and network edge environments serving critical sectors. A February 2024 advisory from CISA, the NSA and the FBI warned that PRC-sponsored actors were compromising edge devices and maintaining persistence in critical infrastructure, while a September 2025 advisory said Chinese state-sponsored actors had targeted telecommunications and other sectors to maintain long-term access. Those alerts were not about UNC2814 specifically, but they help place Google’s findings in a wider pattern of strategic surveillance rather than smash-and-grab intrusion.
For defenders, the UNC2814 case underlines a stubborn weakness in enterprise and infrastructure security: the trust placed in ordinary cloud services and administrative tools. Because GRIDTIDE communicated through spreadsheet cells and standard API requests, network monitoring geared towards overt malware beacons could miss it. Google responded by publishing indicators of compromise and describing detection logic for suspicious Google Sheets API activity, shell execution from unusual paths and suspicious configuration files placed in sensitive directories.
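As an added illustration of the host-side detection logic the article describes, the Python script below applies three heuristics to constructed sample data: execution of a binary from a staging directory such as /var/tmp, Google Sheets API traffic originating from such a binary, and a systemd unit whose ExecStart line points into a staging directory. It is not Google’s or Mandiant’s published detection logic; the event dictionaries, the field names (pid, user, exe, dst_host) and the unit file text are constructed for this example, and the path /var/tmp/xapt is taken from the article.

```python
import re
from dataclasses import dataclass

# Directories commonly used to stage payloads. Legitimate daemons should not
# normally execute from, or be started by systemd from, these paths.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Host that carries the Google Sheets API. Traffic to it is only a weak signal
# on its own; combined with a staging-directory executable it becomes strong.
SHEETS_API_HOSTS = {"sheets.googleapis.com"}

# ExecStart= may carry systemd's special prefixes (-, @, :, +, !) before the path.
UNIT_EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def exec_from_staging_dir(exe_path: str) -> bool:
    """True if the executable lives under a staging/temp directory."""
    return exe_path.startswith(STAGING_DIRS)


def check_exec_events(events):
    """Rules 1 and 2: execution from a staging directory, and Sheets API
    traffic from a process whose executable sits in one."""
    findings = []
    for ev in events:
        exe = ev.get("exe", "")
        if not exec_from_staging_dir(exe):
            continue
        findings.append(Finding("exec_from_staging_dir",
                                f"pid={ev['pid']} user={ev['user']} exe={exe}"))
        if ev.get("dst_host") in SHEETS_API_HOSTS:
            findings.append(Finding("sheets_api_from_staging_exe",
                                    f"pid={ev['pid']} exe={exe} dst={ev['dst_host']}"))
    return findings


def check_systemd_unit(unit_path: str, unit_text: str):
    """Rule 3: a systemd unit that starts a binary from a staging directory."""
    m = UNIT_EXEC_RE.search(unit_text)
    if m and exec_from_staging_dir(m.group(1)):
        return [Finding("systemd_persistence_staging_exe",
                        f"unit={unit_path} ExecStart={m.group(1)}")]
    return []


def triage(events, units):
    """Run all rules over process/network events and systemd unit files."""
    findings = list(check_exec_events(events))
    for path, text in units.items():
        findings.extend(check_systemd_unit(path, text))
    return findings


# Constructed sample events (hypothetical field layout, not a real log format).
SAMPLE_EVENTS = [
    {"pid": 4312, "user": "root", "exe": "/var/tmp/xapt", "dst_host": "sheets.googleapis.com"},
    {"pid": 4410, "user": "svc-backup", "exe": "/usr/bin/rsync", "dst_host": "backup.corp.example"},
    {"pid": 4501, "user": "root", "exe": "/usr/bin/curl", "dst_host": "sheets.googleapis.com"},
]

# Constructed systemd unit files: one pointing into /var/tmp, one benign.
SAMPLE_UNITS = {
    "/etc/systemd/system/xapt.service": (
        "[Unit]\nDescription=System update helper\n\n"
        "[Service]\nExecStart=/var/tmp/xapt\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/usr/lib/systemd/system/sshd.service": (
        "[Unit]\nDescription=OpenSSH server daemon\n\n"
        "[Service]\nExecStart=-/usr/sbin/sshd -D\n"
    ),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_UNITS):
        print(f"{f.rule}: {f.detail}")
```

Note that the curl process contacting sheets.googleapis.com from /usr/bin/curl is deliberately not flagged: on its own that traffic is indistinguishable from a user’s spreadsheet automation, which is precisely why the article calls the technique hard to spot. The design pairs the API destination with the executable’s location so that the alert fires on the combination rather than on either signal alone.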
