Google’s Threat Intelligence Group (GTIG), in collaboration with Mandiant and other industry partners, has successfully disrupted a large-scale cyber espionage campaign that targeted government institutions and telecommunications providers across the globe.
The campaign has been attributed to UNC2814, a highly persistent threat group that has been active since at least 2017. Security researchers believe the group operates in alignment with strategic intelligence-gathering objectives linked to the People’s Republic of China (PRC).
According to Google’s findings, the operation impacted 53 confirmed victims across 42 countries, spanning four continents, making it one of the more extensive espionage campaigns observed in recent years. The primary focus of the attacks was on telecom infrastructure and government networks — sectors that provide access to sensitive communications and strategic data.
Abuse of Google Sheets for Stealthy Command-and-Control
A key element of this campaign was the deployment of a previously undocumented malware family known as GRIDTIDE. Unlike conventional malware that relies on suspicious network traffic, GRIDTIDE abused the Google Sheets API as a command-and-control (C2) channel.
By embedding malicious commands within legitimate Google Sheets activity, the attackers were able to blend into normal cloud traffic, significantly reducing the chances of detection by traditional security tools. Once installed, the malware enabled persistent access to compromised systems and facilitated the exfiltration of sensitive information.
Data targeted by the attackers included personally identifiable information (PII) such as names, phone numbers, and national identification details. GRIDTIDE also supported file transfer and remote command execution, allowing attackers to maintain long-term control over infected environments.
Coordinated Disruption and Infrastructure Takedown
In response, GTIG and its partners executed a coordinated disruption strategy aimed at completely dismantling the attackers’ operational infrastructure. Google terminated all attacker-controlled Google Cloud projects, effectively cutting off access to the resources used in the campaign.
Additionally, Google disabled the malicious Google Sheets used for C2 communication and blocked related traffic patterns. The security team also released Indicators of Compromise (IOCs), including malicious domains and IP addresses, to help organizations identify and defend against potential intrusions linked to UNC2814.
Victim organizations were notified where possible, and detection signatures were updated to prevent reinfection or similar abuse in the future.
A Reminder of Evolving Cloud-Based Threats
Security experts note that this campaign highlights a growing trend among advanced threat actors: the misuse of trusted cloud services to evade detection. By leveraging legitimate platforms such as Google Sheets, attackers can bypass many traditional perimeter defenses.
While the disruption has significantly impacted UNC2814’s current operations, researchers caution that advanced persistent threat groups often adapt quickly and attempt to re-establish access using new techniques.
Google emphasized that continued collaboration between technology providers, cybersecurity firms, and government agencies remains critical to countering global cyber espionage activities.