
Google Dismantles Global Espionage Campaign by China-Linked UNC2814

Google has announced the successful disruption of a sophisticated global cyber espionage campaign orchestrated by a China-linked threat actor known as UNC2814. The operation, which impacted 53 organizations across 42 countries, primarily targeted international governments and telecommunications companies in Africa, Asia, and the Americas. The campaign leveraged a novel backdoor, dubbed GRIDTIDE, which ingeniously used Google Sheets API for command-and-control (C2) communications, allowing the attackers to disguise malicious traffic as legitimate activity.


Key Takeaways

  • A China-linked cyber espionage group, UNC2814, has been disrupted by Google and its partners.

  • The campaign, active since at least 2017, affected 53 organizations in 42 countries.

  • A novel backdoor named GRIDTIDE used Google Sheets API for covert command-and-control.

  • Targets included government and telecommunications organizations, with a focus on PII.

  • Google has terminated attacker infrastructure and accounts, and notified victims.

The GRIDTIDE Backdoor and Its Tactics

The GRIDTIDE backdoor is C-based malware capable of executing shell commands and uploading and downloading files. Its unique approach involved using Google Sheets as a high-availability C2 platform. By embedding commands and data within otherwise legitimate API requests, UNC2814 aimed to evade standard network detection mechanisms. The malware employed a cell-based polling mechanism, assigning specific roles to spreadsheet cells for bidirectional communication, including command reception, status reporting, and data transfer.
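A defender-side check for the behaviour described above, added here as an example and not code from the original article or from Google's report: it scans constructed proxy log lines for a client polling sheets.googleapis.com at a fixed cadence, the kind of regular API traffic a cell-polling C2 loop produces and a person editing a spreadsheet does not. Host names, user agents, the log layout and the spreadsheet id are placeholders.

```python
"""Flag beacon-like polling of the Google Sheets API in web-proxy logs.
A (source host, user agent) pair hitting the API at near-constant gaps is suspect."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"  # real Sheets API endpoint host
# Constructed sample log (not real traffic). Fields: timestamp, source host,
# user agent (single token for simplicity), destination host, request path.
# Host names and the spreadsheet id are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A1
2024-05-01T10:00:30Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A1
2024-05-01T10:01:00Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A1
2024-05-01T10:01:31Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!B1
2024-05-01T10:02:00Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A1
2024-05-01T10:02:30Z srv-cdr-02 curl/7.81.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A1
2024-05-01T10:00:12Z ws-finance-11 Mozilla/5.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Budget!A1:F40
2024-05-01T10:07:45Z ws-finance-11 Mozilla/5.0 sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Budget!A1:F40
"""

def parse_line(line):
    """Split one log line into fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, ua, dst, path = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "ua": ua, "dst": dst, "path": path}

def find_sheets_polling(log_text, min_requests=5, max_jitter=0.2):
    """Return {(src, ua): mean gap in seconds} for clients whose Sheets API
    requests are both frequent and regular. max_jitter bounds stddev/mean of
    the gaps between consecutive requests; a poll loop keeps that ratio tiny."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == SHEETS_API_HOST:
            by_client[(rec["src"], rec["ua"])].append(rec["ts"])
    hits = {}
    for client, stamps in by_client.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[client] = avg
    return hits

if __name__ == "__main__":
    for (src, ua), gap in find_sheets_polling(SAMPLE_LOG).items():
        print(f"{src} ({ua}) polls {SHEETS_API_HOST} every ~{gap:.0f}s")
```

In the constructed sample only srv-cdr-02 is reported (six requests roughly 30 s apart); the workstation's two irregular requests fall below the threshold.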

Initial Access and Post-Compromise Activities

While the exact initial access vector remains under investigation, UNC2814 has a history of exploiting and compromising web servers and edge systems. Once inside a network, the group utilized service accounts for lateral movement via SSH and employed living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and establishing persistence for the GRIDTIDE backdoor. Persistence was achieved by creating a systemd service for the malware. Additionally, the deployment of SoftEther VPN Bridge was observed to establish outbound encrypted connections, a technique linked to multiple Chinese hacking groups.

Targeting and Data Exfiltration

Evidence suggests that GRIDTIDE was deployed on endpoints containing personally identifiable information (PII), such as names, phone numbers, and national ID numbers. This targeting aligns with cyber espionage activities focused on monitoring individuals of interest. Although Google did not directly observe data exfiltration during this specific campaign, such access could enable the monitoring of communications, including call data records and SMS messages, for surveillance and intelligence gathering.

Disruption and Future Outlook

In response to the campaign, Google Threat Intelligence Group (GTIG) and its partners took decisive action. This included terminating all Google Cloud Projects controlled by the attacker, disabling known UNC2814 infrastructure, and revoking access to attacker-controlled accounts and the Google Sheets API. Formal victim notifications have been issued, and affected organizations are being supported. While this disruption is a significant blow to UNC2814's operations, experts anticipate the group will attempt to re-establish its global footprint, highlighting the persistent nature of state-sponsored cyber espionage.

By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.

Sources

  • Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries, The Hacker News.

  • Disrupting the GRIDTIDE Global Cyber Espionage Campaign, Google Cloud.

  • Google Shuts Down Chinese Hackers’ Infrastructure Behind Telecom and Government Breach, Cyber Press.

  • Google GTIG disrupted China-linked APT UNC2814 halting attacks on 53 orgs in 42 countries, Security Affairs.
