Chinese Cyberspies Breach Dozens of Telecom Firms and Government Agencies Using Google Sheets Malware

Feb 27, 2026

A sprawling cyber-espionage operation attributed to a suspected Chinese state-linked threat actor has been disrupted, after maintaining covert access to telecommunications providers and government bodies worldwide for years.

The campaign, tracked internally by Google as UNC2814 (Gallium), abused legitimate SaaS infrastructure to blend malicious activity with normal network traffic, enabling long-term infiltration and covert command and control.

Who’s Impacted

The operation targeted a diverse set of organizations, with a confirmed global footprint:

| Sector | Details |
| --- | --- |
| Telecommunications | 53 organizations across 42 countries, including both commercial and governmental telecom networks. |
| Government Agencies | Multiple national government IT systems were compromised, spanning continents. |
| Suspected Additional Victims | Security researchers believe at least another ~20 countries saw potential infections. |

The true scale of impact is likely larger, as ongoing analysis continues to identify additional affected networks and related malicious infrastructure.

How the Attack Worked

Research from Google’s Threat Intelligence Group (GTIG), Mandiant, and partners revealed the actor abused Google Sheets API calls to conduct command and control communication while evading traditional detection.

New Backdoor: GRIDTIDE

The malware deployed in this campaign — dubbed GRIDTIDE — operates through cloud document infrastructure rather than obvious network channels:

  • Authentication Abuse: GRIDTIDE uses a hardcoded private key to authenticate with a Google Service Account.

  • Reconnaissance: Upon execution, the malware collects system details (e.g., host name, OS, locale) and logs them inside a spreadsheet cell.

  • Stealthy Command & Control: Commands are read from, and output is written back to, spreadsheet cells — a technique that effectively hides malicious activity within legitimate API traffic.

This approach helped the group blend in with normal cloud API requests, making it difficult for defenders to spot malicious flows.
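Because the malicious traffic described above is ordinary Sheets API traffic, a defender's best handle on it is behaviour rather than destination: a host polling a spreadsheet for commands tends to produce requests at a fixed cadence, which real users of spreadsheets do not. The following detection script is an added example, not code from the article or from Google, Mandiant or their partners. It assumes a constructed proxy log format (`timestamp host method url`), a placeholder spreadsheet ID, and tunable thresholds (`min_requests`, `max_cv`) that a real deployment would calibrate; it flags hosts whose Sheets API requests arrive at near-constant intervals and notes whether the host also hit Google's OAuth token endpoint, which is where a service account exchanges a signed JWT for an access token.

```python
"""Beacon-cadence detection for Google Sheets API traffic in proxy logs.

Added example for illustration; the log lines below are constructed, not real
telemetry, and the spreadsheet ID is a placeholder.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample proxy log: "<ISO timestamp> <source host> <method> <url>".
# srv-telco-01 polls one cell every ~5 minutes after a token exchange (beacon-like).
# ws-finance-07 and ws-hr-03 are ordinary users with irregular spreadsheet access.
SAMPLE_LOGS = """\
2026-02-20T10:00:00Z srv-telco-01 POST https://oauth2.googleapis.com/token
2026-02-20T10:00:01Z srv-telco-01 GET https://sheets.googleapis.com/v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1
2026-02-20T10:05:01Z srv-telco-01 GET https://sheets.googleapis.com/v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1
2026-02-20T10:10:02Z srv-telco-01 PUT https://sheets.googleapis.com/v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!B1
2026-02-20T10:15:01Z srv-telco-01 GET https://sheets.googleapis.com/v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1
2026-02-20T10:20:02Z srv-telco-01 GET https://sheets.googleapis.com/v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1
2026-02-20T09:12:33Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/Q1!A1:D40
2026-02-20T11:47:05Z ws-finance-07 GET https://docs.google.com/spreadsheets/d/abc/edit
2026-02-20T15:03:19Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/Q1!A1:D40
2026-02-20T09:00:00Z ws-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/def/values/Staff!A1:F200
2026-02-20T09:01:10Z ws-hr-03 PUT https://sheets.googleapis.com/v4/spreadsheets/def/values/Staff!F12
2026-02-20T09:30:45Z ws-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/def/values/Staff!A1:F200
2026-02-20T10:15:00Z ws-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/def/values/Staff!A1:F200
2026-02-20T10:16:02Z ws-hr-03 PUT https://sheets.googleapis.com/v4/spreadsheets/def/values/Staff!F13
"""

SHEETS_API = "https://sheets.googleapis.com/"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, method, url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url))
    return events


def find_sheets_beacons(events, min_requests=4, max_cv=0.1):
    """Return hosts whose Sheets API requests show beacon-like regularity.

    A host is flagged when it made at least `min_requests` Sheets API calls and
    the coefficient of variation (stdev / mean) of the gaps between them is at
    or below `max_cv`. Whether the host also exchanged a token at Google's
    OAuth endpoint is reported as supporting context, not as a condition.
    """
    by_host = defaultdict(list)
    token_hosts = set()
    for ts, host, _method, url in events:
        if url.startswith(SHEETS_API):
            by_host[host].append(ts)
        elif url.startswith(TOKEN_ENDPOINT):
            token_hosts.add(host)

    findings = []
    for host, stamps in by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": mean_gap,
                "interval_cv": cv,
                "token_exchange_seen": host in token_hosts,
            })
    return findings


if __name__ == "__main__":
    for finding in find_sheets_beacons(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

In a real environment the thresholds need tuning against a baseline of legitimate Sheets usage, and the token-endpoint signal is only suggestive on its own, since user-driven OAuth refreshes hit the same URL; where request bodies are available, the service-account flow is distinguished by the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type. Hosts that should never talk to Google Sheets at all, such as telecom core or government back-end servers, are the strongest candidates for alerting regardless of cadence.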

Response & Mitigation

Google and partners took significant steps to disrupt the campaign:

  • Terminated infrastructure tied to UNC2814.

  • Revoked the malicious API keys and the access to cloud resources used for command and control.

  • Sinkholed domains associated with current and historical operations.

Affected organizations have been notified and provided with remediation support.

Key Takeaways

  • Sophisticated Evasion: The actor’s use of legitimate APIs for command and control illustrates evolving attacker tactics that blur the line between legitimate and malicious traffic.

  • Global Reach: The campaign’s scope — spanning at least 42 countries — underscores the systemic threat to critical telecom and government infrastructure.

  • Persistent Threats Remain: Even after disruption, researchers warn that UNC2814 may attempt to re-establish access with new infrastructure.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
