Google Disrupts Decade-Long Chinese Cyberespionage Campaign That Hijacked Google Sheets to Spy on 53 Telecoms and Governments Across 42 Countries
Google and Mandiant exposed UNC2814, a China-nexus threat actor that used a novel backdoor called GRIDTIDE to abuse Google Sheets as command-and-control infrastructure, breaching telecoms and government agencies across three continents since at least 2017.
Overview
Google’s Threat Intelligence Group (GTIG) and its Mandiant incident response division have disclosed a sprawling cyberespionage campaign attributed to a suspected China-nexus threat actor designated UNC2814, as reported by The Hacker News. The group compromised at least 53 organizations across 42 countries, primarily telecommunications providers and government agencies, using a novel C-based backdoor called GRIDTIDE. Instead of beaconing to attacker-owned servers, the backdoor relayed its command-and-control traffic through the Google Sheets API, so that its check-ins looked like ordinary client traffic to a legitimate Google service.
Google stated that it has terminated all attacker-controlled cloud resources, sinkholed known domains, and notified affected organizations, according to the company’s official blog post. The disclosure represents one of the largest publicly documented disruptions of a state-sponsored cyberespionage campaign to date.
What We Know
Scope and Timeline
UNC2814 has been active since at least 2017, according to SecurityWeek. GTIG confirmed intrusions at 53 organizations spanning the Americas, Asia, and Africa, with an additional 20 or more suspected infections pushing the estimated reach beyond 70 countries. Google described the campaign’s scope as “likely the result of a decade of concentrated effort,” according to The Record.
VPN configuration metadata recovered during the investigation indicates that UNC2814 has leveraged specific infrastructure since at least July 2018, as reported by CSO Online.
How GRIDTIDE Works
The centerpiece of the campaign is GRIDTIDE, a C-based backdoor that abuses the Google Sheets API as its command-and-control channel. Rather than communicating with a traditional server, the malware treats individual spreadsheet cells as a messaging bus. According to The Hacker News, cell A1 is used for polling commands and returning status responses, the cells below it in column A (A2 through An, for as many rows as a transfer needs) carry data and command output, and cell V1 stores victim system metadata.
The malware polled its designated spreadsheet every second for new instructions and wrote status updates upon task completion. At the start of each session, GRIDTIDE wiped the first 1,000 rows of its control sheet to erase traces of prior activity, as reported by CSO Online. The design let the attackers “disguise malicious traffic as benign”: every beacon is an ordinary HTTPS request to Google’s own API endpoint, which destination-based blocking and domain reputation will not catch. For defenders, that shifts the useful signal from where the traffic goes to how it behaves: which process on which host is talking to the Sheets API, how often, and whether the cadence looks like a person editing a sheet or a timer.
Google warned that “the actor could easily make use of other cloud-based spreadsheet platforms in the same manner,” according to The Record.
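A network-side check for the behaviour described above, added here as an example (it is not Google’s, Mandiant’s or the malware’s code): it reads egress proxy records, groups requests to spreadsheet API hosts by source host, and flags pairs whose inter-request timing is as regular as a polling loop rather than a human. It goes slightly beyond the article by keying the hunt on a list of spreadsheet API hosts, since Google warned the technique is not specific to Sheets. The log format, host names, spreadsheet IDs and the `graph.microsoft.com` entry are assumptions made for the demo, and the sample records are constructed.

```python
"""Hunt for timer-driven polling of spreadsheet APIs in egress proxy logs.

Added example, not Google's or Mandiant's code. GRIDTIDE is reported to poll
its control sheet about once per second, so a host that talks to the Sheets
API at a near-constant cadence from a non-browser client stands out. The log
format, host names and spreadsheet IDs below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Google warned the trick works on other cloud spreadsheets too, so the hunt is
# keyed on a list of API hosts rather than on Google alone. The second entry is
# an assumption about where a Microsoft-hosted variant would beacon.
SPREADSHEET_API_HOSTS = {
    "sheets.googleapis.com",   # Google Sheets v4 API
    "graph.microsoft.com",     # Excel workbook endpoints live under Microsoft Graph
}


def parse_line(line):
    """One constructed proxy log line: '<ISO ts> <src> <dst> <method> <path> <user-agent>'."""
    ts, src, dst, method, path, ua = line.split(" ", 5)
    return datetime.fromisoformat(ts), src, dst, method, path, ua


def find_beacons(lines, min_requests=20, max_cv=0.25, max_mean_interval=5.0):
    """Return one finding per (src, dst) pair whose request timing looks like a timer.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a person working in a sheet produces large, irregular
    gaps; a one-second polling loop produces a value close to zero.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, method, path, ua = parse_line(line)
        if dst in SPREADSHEET_API_HOSTS:
            by_pair[(src, dst)].append((ts, method, path, ua))

    findings = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_mean_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "requests": len(reqs),
            "mean_interval_s": round(avg, 3),
            "cv": round(cv, 3),
            "user_agents": sorted({r[3] for r in reqs}),
            # GRIDTIDE wipes its first 1,000 rows at session start. The Sheets API's
            # values.clear call (POST .../values/{range}:clear) is one way to do that;
            # the article does not say which call the malware uses, so this is
            # enrichment for the analyst, not part of the trigger.
            "clear_calls": sum(1 for r in reqs if r[2].endswith(":clear")),
        })
    return findings


def constructed_log():
    """Constructed sample traffic: one backdoored server, one analyst, one monitor."""
    base = datetime(2026, 1, 12, 9, 0, 0)
    lines = []
    # Backdoored server: wipes the sheet, then reads cell A1 roughly every second.
    lines.append(f"{base.isoformat()} db-server-01 sheets.googleapis.com POST "
                 "/v4/spreadsheets/abc123/values/Sheet1!A1:Z1000:clear libcurl/7.88.1")
    for i in range(1, 31):
        t = base + timedelta(seconds=i, milliseconds=(i * 37) % 100)  # slight jitter
        lines.append(f"{t.isoformat()} db-server-01 sheets.googleapis.com GET "
                     "/v4/spreadsheets/abc123/values/Sheet1!A1 libcurl/7.88.1")
    # Analyst's laptop: a few browser requests, minutes apart.
    for i, minute in enumerate([0, 3, 11, 12, 40]):
        t = base + timedelta(minutes=minute, seconds=i * 7)
        lines.append(f"{t.isoformat()} ws-finance-07 sheets.googleapis.com GET "
                     "/v4/spreadsheets/def456/values/Budget!A1:F50 Mozilla/5.0")
    # Monitoring agent: metronome-regular, but to a non-spreadsheet host, so ignored.
    for i in range(40):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} db-server-01 metrics.internal GET "
                     "/api/v1/push python-requests/2.31")
    return lines


SAMPLE_LINES = constructed_log()

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LINES):
        print(finding)
```

On the constructed sample only `db-server-01` is flagged: 31 requests to `sheets.googleapis.com` about a second apart with a coefficient of variation near 0.05, a single non-browser user agent, and one `:clear` call at the start of the session. The thresholds are starting points; on real proxy data, pair this with process attribution from the endpoint so that a server-side integration that legitimately polls a sheet can be allow-listed by binary rather than by host.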
Attack Chain and Persistence
Mandiant analysts first detected the intrusion when they observed unusual activity on a CentOS server during a threat defense investigation. A binary named “xapt”, masquerading as the apt package manager, had escalated to root privileges, as reported by CSO Online. The disguise was a poor fit for its host: CentOS is RPM-based and manages packages with yum or dnf, so an apt-like binary on such a server has no legitimate reason to exist, let alone to run as root.
Once inside a network, UNC2814 deployed GRIDTIDE as a persistent systemd service and used SoftEther VPN Bridge to establish encrypted outbound channels. The group also relied on service accounts for SSH-based lateral movement and employed living-off-the-land binaries for reconnaissance, according to CSO Online. The initial access method remains under investigation, though GTIG noted that UNC2814 has a history of exploiting web servers and edge systems.
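A host-side triage of the persistence mechanism described above, added here as an example and not Mandiant’s tooling: it parses systemd unit files and flags services whose executable mimics a system tool’s name (as `xapt` does `apt`), runs from a scratch or home directory, carries a system-tool name at an unusual path, or is a known tunneling binary. The unit files in the block are constructed, the tool and directory lists are the author’s choices, and the SoftEther entries assume the deployment kept the stock binary names; `load_units()` reads real units when the script is run on a host.

```python
"""Triage systemd units for the persistence pattern reported in the UNC2814 case.

Added example, not Mandiant's tooling. Flags a service whose executable mimics
a system tool's name (the reported 'xapt' beside 'apt'), runs from a scratch
or home directory, carries a system-tool name at an unusual path, or is a
tunneling binary (SoftEther ships vpnbridge, vpnserver, vpnclient, vpncmd;
assumption: the deployment kept those names). Sample units are constructed.
"""
import difflib
import os
import re

TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                "/usr/local/", "/bin/", "/sbin/", "/opt/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/www/")
# Names an intruder borrows to look boring in a process listing (author's list).
SYSTEM_TOOLS = sorted({"apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "sshd",
                       "cron", "crond", "rsyslogd", "systemd", "kworker"})
TUNNEL_BINARIES = {"vpnbridge", "vpnserver", "vpnclient", "vpncmd"}

# systemd allows -, @, :, + and ! prefixes before the path, and quoted paths.
EXEC_START = re.compile(r"^ExecStart=[-@:+!]*\s*(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.M)


def exec_start_binary(unit_text):
    """Return the executable path from the unit's first ExecStart= line, or None."""
    m = EXEC_START.search(unit_text)
    return (m.group(1) or m.group(2) or m.group(3)) if m else None


def triage_unit(unit_text):
    """Return the reasons this unit deserves a look (empty list if none)."""
    path = exec_start_binary(unit_text)
    if not path:
        return []
    name = os.path.basename(path)
    reasons = []
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"runs from a scratch or home directory: {path}")
    if name in TUNNEL_BINARIES:
        reasons.append(f"tunneling software as a service: {name}")
    if name in SYSTEM_TOOLS:
        if not path.startswith(TRUSTED_DIRS):
            reasons.append(f"system tool name at a non-standard path: {path}")
    else:
        # 'xapt' vs 'apt' scores 0.857 on difflib's ratio; unrelated names score far lower.
        lookalike = difflib.get_close_matches(name, SYSTEM_TOOLS, n=1, cutoff=0.8)
        if lookalike:
            reasons.append(f"name mimics system tool '{lookalike[0]}': {path}")
    return reasons


def triage_all(units):
    """units: {unit file name: unit text}. Returns only the flagged units."""
    return {n: r for n, r in ((n, triage_unit(t)) for n, t in units.items()) if r}


def load_units(dirs=("/etc/systemd/system", "/usr/lib/systemd/system")):
    """Read real .service files from disk (for running on a host, not the demo)."""
    units = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            p = os.path.join(d, fn)
            if fn.endswith(".service") and os.path.isfile(p):
                with open(p, errors="replace") as fh:
                    units[fn] = fh.read()
    return units


# Constructed sample units: two benign, three modelled on the reported tradecraft.
SAMPLE_UNITS = {
    "cron.service": "[Unit]\nDescription=Regular background program processing daemon\n"
                    "[Service]\nExecStart=/usr/sbin/cron -f\n[Install]\nWantedBy=multi-user.target\n",
    "nginx.service": "[Unit]\nDescription=nginx\n[Service]\nType=forking\n"
                     "ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'\n",
    "xapt.service": "[Unit]\nDescription=apt\n[Service]\nExecStart=/usr/local/sbin/xapt --daemon\n"
                    "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "vpnbridge.service": "[Service]\nType=forking\nExecStart=/opt/softether/vpnbridge start\n",
    "updater.service": "[Service]\nExecStart=-/dev/shm/.cache/update\nRestart=always\n",
}

if __name__ == "__main__":
    for unit_name, reasons in triage_all(SAMPLE_UNITS).items():
        print(unit_name)
        for reason in reasons:
            print("   ", reason)
```

On the constructed set, `cron.service` and `nginx.service` pass, while `xapt.service` (name one character away from `apt`), `vpnbridge.service` (tunneling binary run as a service) and `updater.service` (executable under `/dev/shm`) are reported with a reason each. Treat the output as a triage queue rather than a verdict: the next step for a hit is to check whether the binary is owned by an installed package, who created the unit file and when, and which account the service runs as.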
Data at Risk
GRIDTIDE was deployed on endpoints containing personally identifiable information including full names, phone numbers, dates of birth, voter IDs, and national ID numbers, according to SecurityWeek. GTIG assessed this targeting pattern as consistent with telecommunications espionage aimed at “identifying, tracking, and monitoring persons of interest.”
Notably, Google stated that it did not directly observe data exfiltration during its disruption of the campaign, according to The Hacker News. However, given that some victims may have been compromised for years, the full extent of data loss remains unclear.
Google’s Disruption
Google’s response involved terminating all Google Cloud projects controlled by the attacker, disabling attacker accounts, revoking Google Sheets API access used for command-and-control, and sinkholing both current and historical domains associated with UNC2814. The company also notified affected organizations and published indicators of compromise including IP addresses, domains, and file hashes, as reported by SecurityWeek.
Andrew Costis of AttackIQ noted that the campaign “abuses legitimate Google Sheets API calls…while utilizing ‘living off the land’ techniques,” emphasizing that telecommunications access “can enable broad intelligence collection, help map relationships, and create opportunities for long-term monitoring,” according to CSO Online.
What We Don’t Know
Several significant questions remain unanswered. The initial access vector for UNC2814’s campaign has not been conclusively identified, though the group’s historical reliance on web server and edge device exploitation suggests a possible entry point. The full extent of data exfiltration — if any — across all 53 confirmed victims and additional suspected targets is also unknown.
Google confirmed that it found no overlap between UNC2814 and Salt Typhoon, the Chinese state-sponsored group whose intrusions into U.S. telecommunications providers drew Congressional scrutiny in 2025, describing them as distinct operations with different victims and methods, as reported by The Record. Whether the two groups share upstream tasking or intelligence priorities remains an open question.
Beijing has not publicly commented on Google’s findings. China has consistently denied conducting cyberespionage operations abroad.
Researchers at GTIG expect UNC2814 to “work hard to re-establish their global footprint” following the disruption, according to The Record. The technique of abusing legitimate cloud APIs for command-and-control is platform-agnostic, raising concerns that similar tactics could migrate to other SaaS applications.