A group of hackers believed to be associated with the Chinese state has been implicated in a massive cyber espionage campaign, targeting telecom providers and government bodies across multiple continents for approximately ten years. Google has now intervened to dismantle this operation, severing the group’s ongoing access and providing threat intelligence to assist affected organizations in responding effectively.
Google’s Coordinated Response
The Google Threat Intelligence Group (GTIG), in collaboration with Mandiant, has taken decisive action against a global espionage campaign linked to a threat actor known as UNC2814, which is suspected of being connected to the People’s Republic of China (PRC). GTIG has been monitoring this group since 2017, and by February 18, 2026, it had confirmed breaches affecting 53 victims across 42 countries, with further infections suspected in at least 20 more nations spanning Africa, Asia, and the Americas.
Unmasking the GRIDTIDE Backdoor
The campaign revolved around a previously undocumented backdoor referred to as GRIDTIDE. Unconventionally, GRIDTIDE utilized Google Sheets’ infrastructure as a communication conduit between attackers and compromised devices, disguising malicious activity as normal cloud operations and eluding typical network defenses.
Unlike the publicly known Salt Typhoon group, UNC2814 targets entirely different victims using unique strategies. Google Cloud analysts discovered GRIDTIDE following a Mandiant Threat Defense investigation that detected suspicious activity on a customer’s CentOS Linux server. This led to the identification of a binary named /var/tmp/xapt, which was crafted to mimic a standard system tool but was used to gain complete machine control.
UNC2814’s Methods and Impact
Though the initial access method remains unclear, UNC2814 is known for infiltrating systems via compromised web servers and edge network devices. Once inside, they employ legitimate system tools to move laterally, a technique known as “living off the land,” to avoid detection. Systems targeted include those containing sensitive personal data, aligning with PRC intelligence objectives.
To maintain persistence, UNC2814 embedded GRIDTIDE as a systemd service and used SoftEther VPN Bridge for encrypted communications. GRIDTIDE’s capabilities include executing shell commands and exfiltrating data, using encrypted Google Drive configurations for command-and-control access.
Mitigation and Future Precautions
Organizations are advised to monitor outbound HTTPS connections to Google Sheets API endpoints and check for unauthorized system services and VPN components on Linux servers. Applying GTIG’s YARA rules and cross-referencing internal logs with published Indicators of Compromise (IOCs) will help determine any residual exposure from this campaign.
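As an added illustration of the two checks recommended above (example code written for this page, not code from Google, GTIG or Mandiant), the following Python scans systemd unit files for services launched from world-writable temp directories and flags servers in an egress proxy log that contacted the Sheets API. The unit text, log lines and hostname prefixes are constructed samples, and the sheets.googleapis.com host is an assumption about which endpoint to watch, not a published IOC.

```python
import re

# Constructed systemd unit files (not from the article): the first mirrors the
# described GRIDTIDE persistence, a service whose binary sits in /var/tmp; the
# second is a benign unit for comparison.
SAMPLE_UNITS = {
    "/etc/systemd/system/xapt.service": (
        "[Unit]\nDescription=Package helper\n\n"
        "[Service]\nExecStart=/var/tmp/xapt\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/sshd.service": (
        "[Unit]\nDescription=OpenSSH server\n\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}

# Constructed egress proxy records: "<timestamp> <src_host> <dst_host> <bytes>".
SAMPLE_PROXY_LOG = """\
2026-02-18T03:14:07Z db-srv-01 sheets.googleapis.com 2048
2026-02-18T03:14:09Z laptop-jane sheets.googleapis.com 10240
2026-02-18T03:15:11Z db-srv-01 mirror.centos.org 512000
2026-02-18T03:16:30Z web-edge-02 sheets.googleapis.com 4096
"""

WRITABLE_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
SHEETS_API_HOST = "sheets.googleapis.com"  # public Sheets API host (assumed)
EXEC_RE = re.compile(r"^ExecStart(?:Pre|Post)?=\s*[-@+!:]*(?P<path>\S+)", re.M)

def find_suspicious_units(units):
    """Unit files whose ExecStart binary lives in a world-writable temp dir."""
    hits = []
    for unit_path, text in units.items():
        for m in EXEC_RE.finditer(text):
            if m.group("path").startswith(WRITABLE_DIRS):
                hits.append((unit_path, m.group("path")))
    return hits

def find_server_sheets_egress(log_text, server_prefixes=("db-", "web-", "app-")):
    """Servers (by hostname prefix) that reached the Sheets API, with hit counts.
    Workstations legitimately use Sheets, so they are filtered out by naming."""
    counts = {}
    for line in log_text.splitlines():
        _ts, src, dst, _size = line.split()
        if dst == SHEETS_API_HOST and src.startswith(server_prefixes):
            counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items())
```

Each flagged unit or server is a lead for manual triage, not proof of compromise; a legitimate integration on a server would need to be allow-listed.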
Google’s intervention highlights the importance of proactive threat intelligence sharing and collaboration in combating sophisticated cyber threats. The incident underscores the ongoing need for vigilance and robust cybersecurity measures to protect critical infrastructure worldwide.
