On Wednesday, Google revealed it had successfully disrupted a significant cyberespionage operation linked to China. This campaign was primarily targeting telecommunications and government entities across the globe, showcasing a widespread and sophisticated approach.
Identifying the Cyber Threat
Identified by Google’s Threat Intelligence Group (GTIG) and Mandiant as UNC2814, this cyber threat has been active since at least 2017. It is considered one of the most extensive and impactful campaigns in recent years. The operation has reportedly targeted 53 organizations in 42 countries, spanning the Americas, Asia, and Africa, with suspicions of additional targets in 20 more nations.
Google explained that these cyber spies utilized API calls to communicate with SaaS applications, using these as command-and-control (C2) infrastructures to disguise malicious activities as legitimate traffic. This tactic avoids exploiting vulnerabilities, instead leveraging cloud-based services to mask nefarious actions.
Understanding the GridTide Backdoor
The campaign employed a new backdoor named GridTide, allowing for shell command execution and file transfers. Notably, GridTide uses Google Sheets not as a document, but as a high-availability C2 platform, facilitating the communication of data and commands.
Researchers found GridTide on endpoints containing personal data such as names, birthdates, and identification numbers, indicating a likely effort to monitor specific individuals. Although GTIG did not witness data exfiltration in this campaign, past Chinese espionage against telecoms has resulted in significant data theft, including call records and SMS messages.
Efforts to Disrupt UNC2814
In collaboration with Mandiant, GTIG took decisive steps to dismantle the cyberespionage infrastructure. This included the removal of cloud resources used by GridTide, sinkholing of domains, and disabling hacker accounts, including those on Google Cloud. Access to Google Sheets instances exploited by the malware was also terminated.
Victims of the campaign have been informed and supported in responding to the incidents. Google has provided indicators of compromise (IoCs) to aid organizations in detecting GridTide and related activities, aiming to significantly hinder UNC2814’s global expansion efforts.
While the operations of UNC2814 bear similarities to the Salt Typhoon group, Google has found no direct connections between these entities, marking this disruption as a crucial step in safeguarding international cybersecurity.
