Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Google Halts Major Cyber Espionage Campaign Targeting 53 Entities

Google Halts Major Cyber Espionage Campaign Targeting 53 Entities

Posted on February 25, 2026 By CWS

On Wednesday, Google announced a successful collaboration with industry partners to dismantle the infrastructure of a suspected China-linked cyber espionage group known as UNC2814. This entity has been implicated in breaching at least 53 organizations across 42 nations.

Background of UNC2814 Operations

The cyber group, UNC2814, has a notorious history of targeting governmental and telecommunication sectors globally, particularly across Africa, Asia, and the Americas. According to a joint report by Google’s Threat Intelligence Group and Mandiant, this group employs sophisticated methods to blend malicious traffic with legitimate communications using software-as-a-service (SaaS) applications as command-and-control (C2) infrastructure.

Since 2017, UNC2814 has been observed using API calls to mask their operations, a tactic that significantly complicates detection by cybersecurity defenses. The core of their operation revolves around a backdoor known as GRIDTIDE, which exploits the Google Sheets API to facilitate communication and data transfer under the guise of normal operations.

Technical Insights into GRIDTIDE

GRIDTIDE is a C-based malware designed to perform tasks such as file upload and download, as well as executing arbitrary shell commands. The initial access method of UNC2814 remains under investigation, but they are known to exploit web servers and edge systems to infiltrate networks.

Once inside a network, the group uses service accounts to move laterally, employing SSH for access and living-off-the-land binaries to maintain persistence and escalate privileges. A notable technique involves creating a service for the malware on Linux systems to ensure continuous operation.

Counteractions by Google

In response to the threat, Google terminated all Google Cloud Projects under the control of UNC2814 and disabled their infrastructure. Access to accounts and Google Sheets API calls used for C2 purposes was also cut off. Google described the campaign as one of the most significant and impactful they have encountered in recent years.

The cessation of UNC2814’s activities is a critical step in protecting the telecommunications and government sectors, which remain vulnerable to such sophisticated cyber threats. Google’s actions demonstrate the importance of rapid response and collaboration in mitigating the risks posed by state-sponsored cyber espionage.

The broader implications of this event highlight ongoing vulnerabilities at network edges, often exploited by threat actors due to insufficient malware detection capabilities and direct network access. The persistent nature of UNC2814’s efforts underscores the need for continuous vigilance and advanced security measures to protect against similar threats in the future.

The Hacker News Tags:C2 infrastructure, China-nexus, cyber espionage, cyber threats, Cybersecurity, Google, Google Sheets API, GridTide, Malware, Mandiant, network security, SaaS, SoftEther VPN, telecommunications security, UNC2814

Post navigation

Previous Post: 2025 Sees Surge in Cybersecurity M&A Activity
Next Post: UK Imposes $20M Fine on Reddit for Child Data Breaches

Related Posts

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide The Hacker News
Enhance SOC Efficiency with Three Key Process Improvements Enhance SOC Efficiency with Three Key Process Improvements The Hacker News
React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation The Hacker News
Cisco Fixes Critical Flaws in Identity and Webex Services Cisco Fixes Critical Flaws in Identity and Webex Services The Hacker News
RubyGems Halts New Accounts Amid Malicious Package Surge RubyGems Halts New Accounts Amid Malicious Package Surge The Hacker News
Squid Proxy Vulnerability ‘Squidbleed’ Exposes HTTP Requests Squid Proxy Vulnerability ‘Squidbleed’ Exposes HTTP Requests The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark