Google’s Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.

The campaign has been active since at least 2023 and has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more countries.

The initial access vector is unknown, but the researchers note that the threat actor, which Google tracks internally as UNC2814, has previously gained access by exploiting flaws in web servers and edge systems.

Google says that in the recently disrupted campaign, the actor deployed a new C-based backdoor named ‘GRIDTIDE,’ which abuses the Google Sheets API for evasive command-and-control (C2) operations.

GRIDTIDE authenticates to a Google Service Account using a hardcoded private key, and upon launch, it sanitizes the spreadsheet by deleting rows 1-1000 and columns from A to Z.

It then performs host reconnaissance, collecting the username, hostname, OS details, local IP, locale, and timezone, and logging the data in cell V1.

The first cell in the spreadsheet, A1, is the command/status cell, which GRIDTIDE polls constantly to receive instructions.

If any exist, the malware overwrites them with a status string. If empty, the malware retries every second for 120 times, then switches to random 5-10-minute checks to reduce noise.

The commands supported by GRIDTIDE are:

• C – execute Base64-encoded bash commands, write output to the sheet
• U – upload: take data in A2:A<arg_2> and reconstruct/write file at encoded filepath <arg_1>
• D – download: read local file <arg_1> on endpoint, send contents in ~45 KB fragments into A2:An

The A2-An cells are used for writing the command output, exfiltrated files, and uploading tools.

Google reports that GRIDTIDE’s exchanges with the C2 rely on a URL-safe base64 encoding scheme that evades detection by web monitoring tools and blends with normal traffic.

In at least one case, Google confirmed that GRIDTIDE was deployed on a system that contained sensitive personally identifiable information (PII). However, the researchers did not directly observe data exfiltration.

Google, Mandiant, and partners took coordinated action to disrupt the campaign by terminating all Google Cloud projects controlled by UNC2814, disabling known infrastructure, revoking Google Sheets API access, and disabling all cloud projects used in C2 operations. Current and historical domains were sinkholed.

Organizations impacted by GRIDTIDE were notified directly, and support was offered to clean the infections.

Google has listed detection rules at the bottom of the report, as well as indicators of compromise (IoCs).

Even though the disruption to the campaign was comprehensive, Google expects UNC2814 to resume activity using new infrastructure in the near future.