Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html

ONE SENTENCE SUMMARY:

Google and partners disrupted a China-linked espionage campaign by UNC2814 that used GRIDTIDE, a backdoor with Google Sheets-based C2, against governments and telecoms worldwide.

MAIN POINTS:

  1. Google, Mandiant, and partners dismantled suspected China-nexus UNC2814 infrastructure.
  2. Confirmed breaches impacted at least 53 organizations across 42 countries.
  3. Additional suspected infections span more than 20 other nations.
  4. Tracking of the group since 2017 revealed SaaS API calls being used as disguised command-and-control traffic.
  5. GRIDTIDE backdoor abuses Google Sheets API to blend C2 within legitimate traffic.
  6. Malware supports file transfer and arbitrary shell command execution on compromised systems.
  7. Initial access likely involved exploitation of web servers and edge systems; this is still under investigation.
  8. Lateral movement used service accounts and SSH within victim environments.
  9. Living-off-the-land (LotL) binaries enabled reconnaissance, privilege escalation, and persistence via a systemd service named xapt.
  10. SoftEther VPN Bridge established encrypted outbound connectivity, consistent with other Chinese groups’ tactics.

TAKEAWAYS:

  1. SaaS platforms can be repurposed as stealthy C2 channels via legitimate APIs.
  2. Edge appliances remain high-risk entry points due to exposure and weak detection coverage.
  3. Persistence commonly leverages native services (e.g., systemd) to survive reboots and scrutiny.
  4. Telecom and government sectors face sustained, global-scale espionage with high evasion capability.
  5. Large disruptions may be temporary; defenders should expect rapid attacker reconstitution efforts.
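Takeaway 1 and the GRIDTIDE point above describe a legitimate SaaS API doubling as a C2 channel. As an added defender-side example (not code from the article or from Google/Mandiant), the following Python flags hosts in a proxy log that poll a watched SaaS API host at near-constant intervals, which is how implant polling differs from human spreadsheet use; the log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# SaaS API hosts to watch; sheets.googleapis.com is the one the article names.
WATCHED_API_HOSTS = {"sheets.googleapis.com"}

# Constructed sample proxy log, one request per line: "<ISO timestamp> <src_host> <dst_host>".
# web-edge-01 polls the Sheets API every ~5 minutes; wks-finance-07 is a user at irregular times.
SAMPLE_LOG = """\
2026-02-10T09:00:00 web-edge-01 sheets.googleapis.com
2026-02-10T09:05:00 web-edge-01 sheets.googleapis.com
2026-02-10T09:10:02 web-edge-01 sheets.googleapis.com
2026-02-10T09:14:59 web-edge-01 sheets.googleapis.com
2026-02-10T09:20:00 web-edge-01 sheets.googleapis.com
2026-02-10T09:03:00 web-edge-01 www.example.com
2026-02-10T09:01:10 wks-finance-07 sheets.googleapis.com
2026-02-10T09:47:33 wks-finance-07 sheets.googleapis.com
2026-02-10T11:02:05 wks-finance-07 sheets.googleapis.com
2026-02-10T11:05:40 wks-finance-07 sheets.googleapis.com
"""

def parse(log_text):
    """Yield (timestamp, src, dst) for each non-empty line of the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield datetime.fromisoformat(ts), src, dst

def find_beacons(log_text, min_requests=4, max_cv=0.1):
    """Return {src_host: (request_count, mean_gap_seconds, cv)} for sources that call a
    watched API host at near-constant intervals. cv is the coefficient of variation of
    the inter-request gaps: human-driven use jitters, a polling implant does not."""
    stamps_by_src = defaultdict(list)
    for ts, src, dst in parse(log_text):
        if dst in WATCHED_API_HOSTS:
            stamps_by_src[src].append(ts)
    findings = {}
    for src, stamps in stamps_by_src.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # zero gaps are not a beacon
        if cv <= max_cv:
            findings[src] = (len(stamps), avg, round(cv, 3))
    return findings
```

Tune min_requests and max_cv to the polling cadence you expect; an implant with randomized sleep jitter needs a looser max_cv and a longer window.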