Google has disrupted a global espionage network that has targeted governments and telecom providers in more than 40 countries.
Google’s Threat Intelligence Group (GTIG), working with Mandiant (a Google Cloud subsidiary and a leading cybersecurity firm specialising in threat intelligence, incident response, and managed defence) and other partners, exposed the spying operations of the Chinese state-backed group UNC2814. The group has now been classified as an Advanced Persistent Threat (APT).
In its most recent campaign, the group used GridTide, a previously unseen backdoor that relies on the Google Sheets API for its command-and-control (C2) infrastructure. Rather than connecting to a remote attacker-run server to fetch commands and exfiltrate data, the backdoor sends HTTPS requests to legitimate Google infrastructure, so its traffic blends in with ordinary corporate traffic and raises no alarms.
Each command is stored in a spreadsheet cell within an attacker-owned document. The malware periodically reads, decodes, and executes the encoded instructions that the operators place in designated rows or cells.
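As an added defensive illustration (not code from the article, Google, or GTIG), the script below shows the kind of check that the polling behaviour described above invites: scanning proxy logs for non-browser clients that contact the Sheets API host on a steady timer. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_HOST = "sheets.googleapis.com"          # public Google Sheets API host
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

# Constructed proxy log (not real telemetry). Fields: time | src | user agent | host | path
SAMPLE_LOG = """\
2024-05-01T09:00:00 | 10.0.0.5 | python-requests/2.31 | sheets.googleapis.com | /v4/spreadsheets/DOC/values/A1
2024-05-01T09:05:01 | 10.0.0.5 | python-requests/2.31 | sheets.googleapis.com | /v4/spreadsheets/DOC/values/A1
2024-05-01T09:09:59 | 10.0.0.5 | python-requests/2.31 | sheets.googleapis.com | /v4/spreadsheets/DOC/values/A1
2024-05-01T09:15:00 | 10.0.0.5 | python-requests/2.31 | sheets.googleapis.com | /v4/spreadsheets/DOC/values/A1
2024-05-01T09:20:02 | 10.0.0.5 | python-requests/2.31 | sheets.googleapis.com | /v4/spreadsheets/DOC/values/A1
2024-05-01T09:01:10 | 10.0.0.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 | sheets.googleapis.com | /v4/spreadsheets/BUDGET/values/Q2
2024-05-01T09:43:55 | 10.0.0.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 | sheets.googleapis.com | /v4/spreadsheets/BUDGET/values/Q2
2024-05-01T11:02:13 | 10.0.0.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 | sheets.googleapis.com | /v4/spreadsheets/BUDGET/values/Q2
2024-05-01T09:00:30 | 10.0.0.9 | curl/8.4 | www.google.com | /
"""


def parse_log(text):
    """Parse the constructed pipe-delimited log into (time, src, ua, host, path) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, ua, host, path = [f.strip() for f in line.split("|")]
        rows.append((datetime.fromisoformat(ts), src, ua, host, path))
    return rows


def find_sheets_beacons(rows, min_hits=4, max_jitter=0.1):
    """Return (src, user_agent, mean_gap_seconds) for non-browser clients whose
    Sheets API requests arrive at a near-constant interval, which is what a
    scheduled command poll looks like and what a person editing a sheet does not."""
    by_client = defaultdict(list)
    for ts, src, ua, host, _ in rows:
        if host == SHEETS_HOST and not any(m in ua for m in BROWSER_MARKERS):
            by_client[(src, ua)].append(ts)
    findings = []
    for (src, ua), times in by_client.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Relative spread of the gaps: a low value means a timer, not a human.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, ua, round(avg, 1)))
    return findings
```

Calling `find_sheets_beacons(parse_log(SAMPLE_LOG))` flags only the scripted client on 10.0.0.5, which polls roughly every five minutes; the interactive browser session on 10.0.0.7 is left alone.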
Exfiltrated data may occasionally be written back into the sheet, although GTIG said it observed no instances of data exfiltration. UNC2814 is a reasonably well-known threat actor, with reports of its activity dating back to 2017 or possibly earlier.
As part of the disruption, Google revoked all of the attackers’ control over their Google Cloud projects, cutting off their ongoing access to GridTide-compromised environments. It also restricted the attackers’ access to the Google Sheets API, disabled their accounts, and identified and took down all known UNC2814 infrastructure. Finally, it published a list of indicators of compromise (IoCs) tied to UNC2814 infrastructure that has been active since at least 2023.
The campaign began in 2023 and affected at least 53 organisations in 42 countries, and Google suspects UNC2814 is present in at least 20 more. Most of Latin America, Eastern Europe, Russia, parts of Africa, and parts of South Asia appear to have been hit. Western Europe, apart from Portugal, is largely unscathed, and the United States was not affected either.
The activity is distinct from separate high-profile, telecommunications-focused Chinese hacking activity tracked as “Salt Typhoon,” Google told Reuters. That campaign, which the US government has linked to Beijing, targeted hundreds of American organisations, in addition to prominent political figures.
Chinese Embassy spokesperson Liu Pengyu, while reacting to the news, said, “Cybersecurity is a common challenge faced by all countries and should be addressed through dialogue and cooperation. China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cybersecurity issues to smear or slander China.”
