Google catches Beijing spies using Sheets to spread espionage across 4 continents

Summary

Google’s Threat Intelligence Group (GTIG), working with unnamed industry partners, disrupted a China-linked espionage crew tracked as UNC2814. The group abused legitimate Google Sheets API functionality as a command-and-control (C2) channel for a backdoor dubbed “Gridtide”, using it to run shell commands, move files and control compromised systems. GTIG terminated the attackers’ Google Cloud projects, disabled infrastructure and revoked the Sheets API access used by the intruders.

Key Points

  • GTIG attributes the campaign to UNC2814, a cluster it has tracked since 2017.
  • As of 18 Feb, investigators found 53 confirmed victims in 42 countries across four continents, with suspected infections in at least 20 more countries.
  • The attackers used a C-based backdoor called Gridtide that leverages the Google Sheets API for covert C2 traffic.
  • The initial foothold method for this campaign is unknown; historically UNC2814 exploits web servers and edge systems to gain access.
  • Post-compromise activity included SSH lateral movement, privilege escalation, deployment of a payload named “xapt” and use of SoftEther VPN Bridge for outbound encrypted tunnels.
  • Investigators observed PII on an infected endpoint (names, DOB, national IDs), though Google did not confirm that any data was exfiltrated in this case.
  • GTIG and partners revoked attacker-controlled Cloud projects and Sheets API calls, and are supporting notified victims.

Content summary

Mandiant spotted suspicious activity in a customer environment that led GTIG to uncover a global espionage campaign. The intruders deployed a binary called “/var/tmp/xapt” which escalated to root and launched Gridtide using a “nohup ./xapt” command so it would persist after sessions closed. Gridtide communicates with attacker-controlled Google Sheets to receive commands and exfiltrate or stage files. VPN configuration indicates parts of the infrastructure date back to mid-2018. GTIG disabled the relevant Google Cloud Projects and accounts and revoked the Sheets API calls the attackers used for C2.
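As an added example (not code from the article, GTIG or Mandiant), here is a small Python detector for the post-compromise pattern described above: a binary executed from /var/tmp, backgrounded with nohup, and a non-browser process contacting the Google Sheets API. The key=value log format, the sheets.googleapis.com destination and the browser allowlist are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article). Assumed format: a
# timestamp followed by key=value pairs; quoted values may contain spaces.
SAMPLE_LOGS = [
    "2026-02-18T10:00:01Z host=db01 event=exec user=www-data exe=/var/tmp/xapt "
    "cmd='sh -c \"cd /var/tmp && nohup ./xapt\"'",
    "2026-02-18T10:00:02Z host=db01 event=exec user=root exe=/var/tmp/xapt cmd='./xapt'",
    "2026-02-18T10:00:05Z host=db01 event=connect user=root exe=/var/tmp/xapt "
    "dst=sheets.googleapis.com:443",
    "2026-02-18T10:01:00Z host=ws07 event=connect user=alice exe=/usr/bin/firefox "
    "dst=sheets.googleapis.com:443",
    "2026-02-18T10:02:00Z host=db01 event=exec user=root exe=/usr/sbin/sshd cmd='/usr/sbin/sshd -D'",
]

TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Processes expected to talk to Google APIs interactively (assumed; tune per environment).
API_ALLOWLIST = {"/usr/bin/firefox", "/usr/bin/google-chrome", "/usr/bin/chromium"}
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    return {k: v.strip("'") for k, v in KV_RE.findall(line)}


def scan(lines):
    """Apply three detections and correlate them per (host, executable)."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        key = (ev.get("host", "?"), ev.get("exe", "?"))
        if ev.get("event") == "exec" and key[1].startswith(TEMP_DIRS):
            hits[key].add("exec-from-temp-dir")
            if re.search(r"\bnohup\b", ev.get("cmd", "")):
                hits[key].add("nohup-backgrounded")  # survives session logout
        if ev.get("event") == "connect":
            dst_host = ev.get("dst", "").rsplit(":", 1)[0]
            if dst_host.endswith(".googleapis.com") and key[1] not in API_ALLOWLIST:
                hits[key].add("non-browser-google-api")
    # A temp-dir binary that also talks to Google APIs: the Gridtide-like pattern.
    for key, tags in hits.items():
        if {"exec-from-temp-dir", "non-browser-google-api"} <= tags:
            tags.add("POSSIBLE-SHEETS-C2")
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (host, exe), tags in scan(SAMPLE_LOGS).items():
        print(f"{host} {exe}: {', '.join(tags)}")
```

Only the db01 /var/tmp/xapt chain is flagged; the browser on ws07 reaching the same API and the legitimate sshd launch produce no findings.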

Context and relevance

This campaign shows a trend where sophisticated threat actors repurpose trusted cloud services and collaboration tools as covert C2 channels to blend in with normal traffic. Telecoms and government organisations — traditional UNC2814 targets — remain high-value for surveillance and intelligence gathering. The discovery follows other China-linked intrusions against telcos and critical infrastructure, underlining persistent espionage risk to the sector.

Why should I read this?

Because it’s a neat, worrying bit of tradecraft — the attackers used Google Sheets as a stealthy control channel. If you run or defend telco, government or cloud-connected systems, this story matters: it shows how attackers hide in plain sight using everyday SaaS tools and why API and cloud-project hygiene plus tight monitoring are now essential. We’ve skimmed the technical bits so you can get the what, why and what to watch for — quickly.

Author style

Punchy: this is important. If you work in incident response, security ops, or manage critical networks, read the detail — the techniques used here could apply to your environment and demand immediate mitigation steps.

Source

Source: https://www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/