Google Disrupts UNC2814: Cloud‑Native Espionage Campaign Using Google Sheets

Introduction

Google has announced the disruption of UNC2814, a China‑linked cyberespionage campaign that weaponized trusted cloud services. Active since 2017, UNC2814 represents one of the most far‑reaching cloud‑native malware operations, targeting telecoms and government organizations worldwide.

Who is UNC2814?

Tracked by Google’s Threat Intelligence Group (GTIG) and Mandiant, UNC2814 has compromised at least 53 organizations across 42 countries, with evidence suggesting activity in 20 more. While its tactics resemble those of Salt Typhoon, researchers confirmed no overlaps between the two threat actors.

Technical Deep Dive: GridTide Backdoor

At the center of the campaign is GridTide malware, a sophisticated backdoor enabling shell command execution, file uploads, and downloads.

  • Cloud‑native tactic: GridTide uniquely leverages Google Sheets as a command‑and‑control (C2) platform, disguising malicious traffic as legitimate SaaS API calls.
  • Stealth advantage: By blending into normal enterprise workflows, UNC2814 bypassed traditional detection methods.
  • Observed impact: GridTide was discovered on endpoints containing sensitive personal data — including voter IDs, national IDs, and phone numbers — highlighting its surveillance objectives.

Targeting Strategy

UNC2814’s focus on telecom cyberattacks is strategic. Historical PRC‑linked intrusions have stolen call data records and SMS messages and compromised lawful intercept systems, enabling surveillance of individuals of interest. This aligns with broader espionage goals of monitoring communications infrastructure.


Disruption Efforts

Google, Mandiant, and partners executed a comprehensive takedown:

  • Infrastructure removal: Sinkholed domains, disabled Google Cloud accounts, and terminated Google Sheets instances used for C2.
  • Victim support: Organizations were notified and assisted with incident response.
  • Threat intelligence: Google released indicators of compromise (IoCs) to help defenders detect GridTide and UNC2814 activity.

This disruption is expected to significantly delay UNC2814’s global expansion, though well‑resourced threat actors often rebuild.

Defensive Guidance

To defend against cloud‑native cyber threats, organizations should:

  • Monitor SaaS API traffic for anomalies.
  • Deploy behavioral analytics beyond signature‑based detection.
  • Integrate IoCs and threat intelligence feeds into security workflows.
  • Apply zero‑trust principles to cloud traffic.

UNC2814 / GridTide IoCs

File Artifacts

  • Malicious systemd service: xapt.service
  • Executable: xapt (often launched via nohup ./xapt)
  • Persistence mechanism: systemd service entries pointing to GridTide binary

Network Indicators

  • C2 Infrastructure: Google Sheets API endpoints abused for command‑and‑control
  • Traffic characteristics:
    • API calls disguised as legitimate SaaS activity
    • URL‑safe Base64 encoding used for obfuscation
    • Spreadsheet cells storing host metadata and command responses

Command Syntax

  • Structured four‑part commands:
    • Format: C-command_id-arg1-arg2
    • Responses logged in cell A1 of Google Sheets

Host Metadata Collection

  • Username
  • Operating system details
  • IP address
  • Other environment variables stored in spreadsheet cells

Defensive Guidance: Hunting for GridTide

  • Monitor SaaS API traffic for anomalies, especially Google Sheets usage outside normal workflows.
  • Search for persistence artifacts (xapt.service, unusual systemd entries).
  • Look for encoded traffic patterns (URL‑safe Base64 in API calls).
  • Leverage Google’s published YARA rules and IoCs for detection.
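As an added example (not from the article, and not Google’s published rules or tooling), the following Python triage script applies the indicators above to constructed proxy‑log lines: it scopes to Sheets API requests, decodes URL‑safe Base64 cell values (padding optional), and flags the four‑part command syntax and writes to cell A1. The log format, the SHEET_ID placeholders and the rule for how command arguments are delimited are assumptions.

```python
import base64
import re
# Constructed log format (an assumption, not a vendor's): "<ts> <host> <METHOD> <url> [body=<cell value>]"
SHEETS_RE = re.compile(r"https://sheets\.googleapis\.com/v4/spreadsheets/([^/\s]+)/values/([^\s?]+)")
BODY_RE = re.compile(r"body=(\S+)")
B64_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")
COMMAND_RE = re.compile(r"^C-\w+-.*-.*$")  # C-command_id-arg1-arg2; how args are delimited is assumed

def encode_urlsafe(text):
    return base64.urlsafe_b64encode(text.encode()).rstrip(b"=").decode()  # unpadded, for samples

def decode_urlsafe(value):
    """Printable text from a URL-safe Base64 value (padding optional), else None."""
    if not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None

def analyze_line(line):
    m = SHEETS_RE.search(line)
    if not m:
        return None  # only Sheets API traffic is in scope
    host, method = line.split()[1:3]
    finding = {"host": host, "method": method, "sheet": m.group(1), "range": m.group(2), "reasons": []}
    body = BODY_RE.search(line)
    decoded = decode_urlsafe(body.group(1)) if body else None
    if decoded is not None:
        finding["decoded"] = decoded
        finding["reasons"].append("urlsafe-base64 cell value")
        if COMMAND_RE.match(decoded):
            finding["reasons"].append("four-part command syntax")
    if method != "GET" and finding["range"].split("!")[-1] == "A1":
        finding["reasons"].append("write to cell A1")  # the cell where responses were logged
    return finding if finding["reasons"] else None

def hunt(lines):
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample telemetry (not real); SHEET_ID_* are placeholders.
API = "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_1/values/"
SAMPLE_LOGS = [
    f"2025-01-10T08:00:01Z srv01 POST {API}B1 body={encode_urlsafe('C-7-ls-/tmp')}",
    f"2025-01-10T08:00:04Z srv01 POST {API}A1 body={encode_urlsafe('bin etc usr')}",
    f"2025-01-10T08:00:09Z srv01 POST {API}C1 body={encode_urlsafe('alice Linux 10.0.0.5')}",
    "2025-01-10T08:01:00Z wks07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_2/values/Sheet1!A1:C3",
]
```

Run hunt(SAMPLE_LOGS) to see the three POSTs flagged and the read‑only range fetch ignored; in practice, baseline which hosts and service accounts legitimately write to Sheets before acting on the "urlsafe-base64 cell value" reason alone.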

Conclusion

UNC2814’s GridTide campaign demonstrates how trusted cloud platforms can be weaponized for espionage. By turning Google Sheets into a covert C2 channel, the group blurred the line between benign and malicious traffic. The disruption is a major win for defenders, but it also signals a new frontier: cloud‑native cyberespionage. Security teams must treat SaaS traffic with the same scrutiny as external connections.
