A large-scale cyber espionage operation attributed to the China-linked group UNC2814 has been disrupted by Google’s Threat Intelligence team, Mandiant, and partner organizations. The campaign stood out for its abuse of the Google Sheets API as a full-fledged command-and-control (C2) channel, allowing malicious traffic to blend seamlessly with legitimate cloud service requests.
UNC2814 cyber espionage against telecom and government networks
According to Google, UNC2814 has been conducting a targeted espionage campaign since 2023 against telecommunications providers and government entities across Africa, Asia, North America, and South America. At least 53 organizations in 42 countries were confirmed compromised, with indications of potential activity in more than 20 additional countries.
Focusing on telecom operators and public-sector networks is consistent with state-backed cyber espionage. Control over core network infrastructure and sensitive government systems enables attackers to intercept traffic, monitor communications, and access confidential information, including personal data, internal correspondence, and potentially classified material.
GRIDTIDE malware: Google Sheets as command-and-control infrastructure
How the GRIDTIDE backdoor operates
The centerpiece of the operation was a C-based backdoor dubbed GRIDTIDE. Its defining feature is the use of Google Sheets as the C2 infrastructure. The malware authenticated to Google using a Google Service Account whose private key was hard-coded into the binary; a key embedded this way can be extracted from any captured sample and is bound to a specific Google Cloud project, which is what makes provider-side revocation of the identity possible. Once connected, a seemingly ordinary spreadsheet effectively became the remote control panel for the compromised host.
On execution, GRIDTIDE wiped the contents of a designated spreadsheet, collected host information (system details, configuration, and environment data), and wrote this profile into cell V1. Cell A1 served as the main command cell: the malware repeatedly polled it for new instructions from operators. All data exchanged with the sheet was Base64-encoded, making network traffic appear similar to benign API interactions with Google services.
GRIDTIDE supported execution of arbitrary bash commands, uploading files to the victim, and data exfiltration. Command outputs and stolen data were stored in the cell range A2–An, allowing operators to manage the entire operation from within a standard online spreadsheet interface.
Command polling logic and stealthy C2 communications
When a command appeared in cell A1, GRIDTIDE executed it and then overwrote the cell with a status string, reducing the chance that a casual review of the spreadsheet would reveal malicious content. In the absence of commands, the malware performed up to 120 polling attempts at one-second intervals before switching to less frequent, randomized checks every 5–10 minutes, mimicking normal background cloud activity.
Abusing popular cloud platforms for C2 has become a notable trend in recent years. Traffic to major providers such as Google or Microsoft is typically allowed by corporate firewalls and treated as trusted, which complicates traditional signature- or domain-based blocking. Detecting such threats increasingly requires behavioral analytics, anomaly detection, and correlation of host and network telemetry rather than reliance on simple indicators of compromise.
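The polling cadence described above (a burst of one-second checks of cell A1, then randomized checks every 5–10 minutes) is exactly the kind of behavioral signal that survives when domain- and signature-based blocking fails. The script below is an added example, not code from Google, Mandiant or the GRIDTIDE sample: it assumes a simple whitespace-separated outbound proxy log (ISO-8601 timestamp, source IP, destination host, method, path), groups Google Sheets API "values" reads by source and spreadsheet ID, and flags series that show either a tight polling burst or repeated gaps inside the 5–10 minute window. The log format, sample lines, spreadsheet IDs and thresholds are all constructed for illustration; it also decodes a Base64 cell value the way an analyst would when reviewing a recovered sheet.

```python
"""Beacon hunting for Google Sheets API polling in outbound proxy logs.

Added example, not code from Google, Mandiant or the GRIDTIDE sample. Assumes
a whitespace-separated proxy log (ISO-8601 timestamp, source IP, destination
host, method, path); the layout, sample lines, sheet IDs and thresholds are
constructed for illustration.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Sheets API "values" reads look like /v4/spreadsheets/<id>/values/<range>
SHEETS_VALUES_RE = re.compile(
    r"^/v4/spreadsheets/(?P<sheet>[A-Za-z0-9_-]+)/values/(?P<cell>[^/?]+)"
)


def _build_sample_log():
    """Constructed traffic: 10.0.0.5 polls one sheet's A1 fifteen times at
    1 s intervals, then twice more after 330 s and 410 s (the randomized
    5-10 minute phase); 10.0.0.9 reads a sheet once, as a real user might."""
    base = datetime(2025, 1, 10, 8, 0, 0, tzinfo=timezone.utc)
    offsets = list(range(15)) + [15 + 330, 15 + 330 + 410]
    lines = [f"{base.isoformat()} 10.0.0.5 oauth2.googleapis.com POST /token"]
    for off in offsets:
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.5 sheets.googleapis.com GET "
                     "/v4/spreadsheets/1aB_cDeFgH/values/A1")
    ts = (base + timedelta(seconds=7)).isoformat()
    lines.append(f"{ts} 10.0.0.9 sheets.googleapis.com GET "
                 "/v4/spreadsheets/9zY_xWvUtS/values/B2:D9")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, src, dst, path) or None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, _method, path = parts
    return datetime.fromisoformat(ts), src, dst, path


def sheet_request_times(log_text):
    """Group Sheets 'values' requests by (source IP, spreadsheet ID)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, path = parsed
        if dst != "sheets.googleapis.com":
            continue
        m = SHEETS_VALUES_RE.match(path)
        if m:
            times[(src, m["sheet"])].append(ts)
    return {key: sorted(v) for key, v in times.items()}


def classify(timestamps, burst_min=10, burst_max_gap=2.0,
             slow_min=300, slow_max=600, slow_min_count=2):
    """Score one (source, sheet) series.

    burst_requests: longest run of requests <= burst_max_gap seconds apart
    (the 1 s polling loop). slow_gaps: gaps inside the 5-10 minute window.
    Either signal alone flags; a single human read of a sheet gives neither.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    longest = run = 0
    for g in gaps:
        run = run + 1 if g <= burst_max_gap else 0
        longest = max(longest, run)
    burst_requests = longest + 1 if timestamps else 0
    slow_gaps = sum(1 for g in gaps if slow_min <= g <= slow_max)
    return {
        "burst_requests": burst_requests,
        "slow_gaps": slow_gaps,
        "suspicious": burst_requests >= burst_min or slow_gaps >= slow_min_count,
    }


def find_beacons(log_text):
    """Return one verdict per (source IP, spreadsheet ID) seen in the log."""
    results = []
    for (src, sheet), ts in sorted(sheet_request_times(log_text).items()):
        verdict = classify(ts)
        verdict.update(src=src, sheet=sheet, requests=len(ts))
        results.append(verdict)
    return results


def decode_cell(value):
    """Decode a Base64 cell value; None when it is not valid Base64/UTF-8,
    so ordinary spreadsheet text is left untouched."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for r in find_beacons(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['src']:<12} sheet={r['sheet']} requests={r['requests']} "
              f"burst={r['burst_requests']} slow_gaps={r['slow_gaps']}")
    print(decode_cell("aWQ="))
```

The thresholds are deliberately loose: a legitimate integration that reads a sheet on a timer will also show regular gaps, so in practice the verdict should be joined with host telemetry (which process opened the connection, whether it presented a service-account credential, and whether the host has any business talking to Sheets at all) rather than acted on alone.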
TTPs of UNC2814: living off the land and SoftEther VPN Bridge
Beyond GRIDTIDE, UNC2814 extensively used living-off-the-land techniques: repurposing legitimate tools already present on the system—such as built-in Linux utilities—to carry out malicious actions. This approach minimizes the number of new files written to disk and makes activity resemble normal administrative work, which reduces detection likelihood.
Lateral movement across victim environments was primarily conducted over SSH, while persistence was maintained by registering malicious components as system services. In several cases, the attackers deployed SoftEther VPN Bridge, an open-source VPN solution previously observed in other China-attributed operations. This VPN bridge enabled resilient, covert tunnels into victim infrastructure, often bypassing perimeter defenses and traditional VPN monitoring.
In at least one incident, GRIDTIDE was found on a system that stored personal data. Although there is no confirmed evidence that this data was successfully exfiltrated, the presence of a backdoor on such systems significantly raises compliance, privacy, and regulatory risks for the affected organization.
Google’s disruption actions and lessons for enterprise defenders
To dismantle the operation, Google disabled all cloud projects associated with UNC2814, revoked their access to the Google Sheets API, and redirected related domains into a sinkhole—a controlled infrastructure that captures traffic from infected hosts. Sinkholing breaks the attacker’s control channel while enabling defenders to observe residual activity and identify victims. Impacted organizations were notified and offered support for incident response.
Google assesses UNC2814’s activity as one of the most extensive and effective cyber espionage campaigns in recent years and anticipates that the group will attempt to rebuild its infrastructure, potentially moving to other cloud providers or altering its C2 protocols. This underscores the need for organizations to continuously update their threat models and detection logic to account for cloud-based and API-driven C2 techniques.
Enterprises—especially in telecommunications and government—should reassess policies for cloud service access, implement deep monitoring of outbound traffic, and apply strict controls to service accounts and API usage. Security teams should routinely hunt for unusual system services, scrutinize SSH activity for lateral movement, and detect unauthorized VPN tunnels such as rogue SoftEther deployments. Investing in modern detection capabilities that recognize patterns like Google Sheets used as C2 is becoming critical to reducing espionage risk and protecting high-value data.
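The hunting guidance above (unusual system services, SSH lateral movement, rogue SoftEther deployments) can be turned into a few concrete checks. The script below is an added example, not Google's or Mandiant's tooling: it audits systemd unit text for ExecStart binaries living in transient or user-writable locations or carrying SoftEther binary names, and summarizes sshd "Accepted" events from a central syslog feed to surface one source address reaching many hosts. The unit files, log lines, host names and thresholds are constructed for illustration; on a real host the unit text would come from /etc/systemd/system and /usr/lib/systemd/system and the log lines from the SIEM.

```python
"""Host-level hunting for service persistence and SSH lateral movement.

Added example, not Google's or Mandiant's tooling. Unit contents, log lines,
host names and thresholds are constructed for illustration.
"""
import posixpath
import re
from collections import defaultdict

# Writable, user-controlled or transient locations a service binary has no
# business living in.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Binary names shipped with SoftEther VPN (bridge, server, client, CLI).
SOFTETHER_BINARIES = {"vpnbridge", "vpnserver", "vpnclient", "vpncmd"}

SSHD_ACCEPT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def audit_unit(name, unit_text):
    """Return a list of findings for one systemd unit file's text."""
    exec_start = None
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            exec_start = line.split("=", 1)[1].strip()
    if not exec_start:
        return []
    # Drop systemd's exec prefixes ("-", "@", ":", "+", "!") before the path.
    binary = exec_start.split()[0].lstrip("-@:+!")
    findings = []
    if binary.startswith(UNUSUAL_PREFIXES):
        findings.append(f"{name}: ExecStart binary in unusual location {binary}")
    if posixpath.basename(binary) in SOFTETHER_BINARIES:
        findings.append(f"{name}: ExecStart launches SoftEther binary {binary}")
    return findings


def ssh_fanout(log_lines, min_hosts=3):
    """Map each SSH source IP to the distinct hosts it logged into, keeping
    only sources whose fan-out reaches min_hosts: the shape of SSH-based
    lateral movement rather than one admin's habitual jump host."""
    hosts_by_src = defaultdict(set)
    for line in log_lines:
        m = SSHD_ACCEPT_RE.match(line)
        if m:
            hosts_by_src[m["src"]].add(m["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}


# Constructed unit files: a dropped binary registered as a service, a
# SoftEther bridge install, and a normal daemon for comparison.
UNIT_DROPPED = """[Unit]
Description=Example Sync Agent

[Service]
ExecStart=/dev/shm/.cache/syncd --daemon
Restart=always
"""

UNIT_SOFTETHER = """[Unit]
Description=Example VPN Bridge

[Service]
Type=forking
ExecStart=/usr/local/vpnbridge/vpnbridge start
ExecStop=/usr/local/vpnbridge/vpnbridge stop
"""

UNIT_BENIGN = """[Service]
ExecStart=-/usr/sbin/sshd -D
"""

# Constructed central syslog excerpt: 10.0.0.5 reaches four hosts in an hour,
# 192.168.1.20 logs into the same host twice, one failed attempt is ignored.
SAMPLE_AUTH_LOG = """\
Jan 10 08:01:12 core-a sshd[2310]: Accepted publickey for svc-backup from 10.0.0.5 port 51234 ssh2
Jan 10 08:03:45 core-b sshd[1188]: Accepted publickey for svc-backup from 10.0.0.5 port 51240 ssh2
Jan 10 08:10:02 core-a sshd[2355]: Accepted password for alice from 192.168.1.20 port 40022 ssh2
Jan 10 08:22:19 core-c sshd[4401]: Accepted publickey for root from 10.0.0.5 port 51250 ssh2
Jan 10 08:40:07 core-a sshd[2390]: Accepted password for alice from 192.168.1.20 port 40030 ssh2
Jan 10 08:55:33 gw-1 sshd[917]: Accepted publickey for svc-backup from 10.0.0.5 port 51261 ssh2
Jan 10 08:56:00 gw-1 sshd[918]: Failed password for root from 10.0.0.77 port 33000 ssh2
"""


if __name__ == "__main__":
    for name, text in [("example-sync.service", UNIT_DROPPED),
                       ("vpnbridge.service", UNIT_SOFTETHER),
                       ("sshd.service", UNIT_BENIGN)]:
        for finding in audit_unit(name, text):
            print(finding)
    for src, hosts in ssh_fanout(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

A SoftEther binary is not malicious in itself, so the second check is a lead, not a verdict: the question to answer is whether that service was approved and who installed it. Likewise the fan-out threshold should be tuned against a baseline of known jump hosts and automation accounts before it is used for alerting.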