Google disrupts China-linked cyberespionage campaign spanning dozens of countries
Summary
Google Threat Intelligence says it disrupted a long-running China-linked cyberespionage campaign attributed to a group tracked as UNC2814. The operation targeted telecommunications providers and government organisations, with at least 53 victim organisations across 42 countries, and has been active since at least 2017. The attackers used a newly identified backdoor called Gridtide and abused Google Sheets functionality to conceal command-and-control communications, allowing malicious traffic to blend with normal cloud activity. Google did not directly observe widespread data exfiltration during the takedown, but in at least one instance Gridtide was installed on systems containing sensitive personal information. Google, Mandiant and other partners identified and disabled known UNC2814 infrastructure, although they expect the actor to try to re-establish its presence.
Key Points
- UNC2814, deploying the Gridtide backdoor, targeted telcos and government organisations across 42 countries, affecting at least 53 victim organisations.
- Attackers used a novel backdoor (Gridtide) and abused Google Sheets for command-and-control to hide malicious traffic.
- The activity dates back to at least 2017 — Google calls the scope the result of a decade of concentrated effort.
- Google, Mandiant and partners disabled known infrastructure but expect the actor will attempt to return.
- No direct observation of mass data theft during the disruption, but malware was found on systems holding sensitive personal data.
- Google says UNC2814 is distinct from other China-linked groups such as Salt Typhoon.
Why should I read this?
Short version: if you care about telecoms security, national infrastructure or cloud-app misuse, this matters. Attackers are hiding C2 in plain sight — spreadsheets — and targeting the bits of the network that let them track people and intercept comms. We read the detail so you don’t have to; it’s worth a quick look if you want to stay ahead of evolving espionage tradecraft.
Context and relevance
The takedown underscores a broader trend: nation-state actors persistently target telecommunications because it grants rich intelligence (call data, SMS, lawful intercept). Using legitimate cloud services for C2 complicates detection and highlights the need for better monitoring of SaaS behaviour and hardened web-facing infrastructure. The disruption is important and timely, but defenders should assume the actor will regroup and adapt.
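To make the "better monitoring of SaaS behaviour" point concrete, here is an added example (not code from Google, Mandiant or the report) that runs a simple check over constructed proxy log lines: it flags hosts whose requests to the Google Sheets API come from a non-browser client at near-constant intervals, the regular, machine-driven pattern a spreadsheet-backed C2 channel would show and a person editing a sheet would not. The log format, host names, user agents and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (assumed format): "timestamp src_host dest_host user_agent".
# hlr-db-01 is a backend host that has no reason to use Google Sheets; ws-analyst-7 is a
# person in a browser; backup-02 is scripted but irregular.
SAMPLE_LOG = """\
2024-05-01T10:00:00 hlr-db-01 sheets.googleapis.com python-requests/2.31
2024-05-01T10:05:00 hlr-db-01 sheets.googleapis.com python-requests/2.31
2024-05-01T10:10:01 hlr-db-01 sheets.googleapis.com python-requests/2.31
2024-05-01T10:15:00 hlr-db-01 sheets.googleapis.com python-requests/2.31
2024-05-01T10:20:00 hlr-db-01 sheets.googleapis.com python-requests/2.31
2024-05-01T10:00:00 hlr-db-01 updates.example.internal python-requests/2.31
2024-05-01T09:12:33 ws-analyst-7 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T11:47:02 ws-analyst-7 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T08:00:00 backup-02 sheets.googleapis.com python-requests/2.31
2024-05-01T08:03:10 backup-02 sheets.googleapis.com python-requests/2.31
2024-05-01T08:21:45 backup-02 sheets.googleapis.com python-requests/2.31
2024-05-01T08:22:00 backup-02 sheets.googleapis.com python-requests/2.31
2024-05-01T09:40:00 backup-02 sheets.googleapis.com python-requests/2.31
"""

SHEETS_HOSTS = {"sheets.googleapis.com"}   # Sheets API endpoint seen in the proxy log
BROWSER_UA = re.compile(r"Mozilla/")       # crude marker for interactive browser traffic
MIN_HITS = 4       # too few requests to judge periodicity
MAX_JITTER = 0.05  # relative std-dev of inter-request gaps; beacons are regular, people are not

def parse_line(line):
    ts, src, dst, ua = line.split(" ", 3)  # user agent may contain spaces
    return datetime.fromisoformat(ts), src, dst, ua

def find_sheet_beacons(log_text):
    """Return hosts whose non-browser Sheets API traffic is periodic enough to look like a beacon."""
    per_host = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, src, dst, ua = parse_line(raw)
        if dst in SHEETS_HOSTS and not BROWSER_UA.search(ua):
            per_host[src].append(ts)
    findings = []
    for host, stamps in per_host.items():
        if len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.append({"host": host, "hits": len(stamps), "interval_s": round(avg)})
    return findings

if __name__ == "__main__":
    print(find_sheet_beacons(SAMPLE_LOG))  # only hlr-db-01 (5 hits, ~300 s apart) is flagged
```

On real telco logs the same check should be scoped to hosts that have no business reaching Google Workspace at all, and a hit is a lead to investigate rather than proof of any particular implant.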
Author style
Punchy: This is a high-stakes intrusion with immediate defensive implications — timely intelligence that telecoms, government IT teams and security ops should act on.
Source
Source: https://therecord.media/china-cyber-espionage-google-disrupt
