Google GTIG disrupted China-linked APT UNC2814 halting attacks on 53 orgs in 42 countries

Pierluigi Paganini February 26, 2026

Google and partners disrupted UNC2814, a suspected China-linked group that hacked 53 organizations across 42 countries.

Google, with industry partners, disrupted the infrastructure of UNC2814, a suspected China-linked cyber espionage group that breached at least 53 organizations in 42 countries. The group has been active since at least 2017, and was spotted targeting governments and global telecoms across Africa, Asia, and the Americas, making it a highly prolific and elusive threat. UNC2814 is likely linked to additional infections in more than 20 other nations.

“Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents,” reads the GTIG’s report. “The threat actor, UNC2814, is a suspected People’s Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017.”

UNC2814 used API calls to SaaS apps as command-and-control (C2) infrastructure, disguising malicious traffic as legitimate activity. Rather than exploiting product flaws, the group leveraged legitimate Google Sheets API functions through a novel backdoor called GRIDTIDE.

The group’s operations target a different set of victims from other campaigns, such as “Salt Typhoon,” and rely on distinct tooling and TTPs.

Mandiant, using Google SecOps, detected suspicious activity on a CentOS server where the binary /var/tmp/xapt launched a root shell and ran id to confirm root access, showing the attacker had escalated privileges. The researchers reported that the payload mimicked a legacy Debian tool to avoid detection.

Post-compromise, the actor moved laterally via SSH, used living-off-the-land binaries for reconnaissance, and installed the GRIDTIDE backdoor for persistence via a systemd service. Attackers executed GRIDTIDE with nohup ./xapt to keep it running after session closure, and deployed SoftEther VPN Bridge to create an encrypted outbound connection.
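The host-level behaviour described in the two paragraphs above (a binary in /var/tmp running as root, a shell spawned from it, nohup used to keep it alive after the SSH session closes, and a systemd service for persistence) can be expressed as a few detection rules over process telemetry. The Python script below is an added example, not code from the GTIG report or from Google SecOps: it runs those rules over constructed process-start events and a constructed systemd unit file. The event field names (ts, uid, exe, parent_exe, cmdline, cwd) are assumptions and should be mapped to whatever your EDR or auditd pipeline actually emits; the path /var/tmp/xapt in the sample events is the one named in the article.

```python
import os
import shlex

# World-writable staging directories; /var/tmp is where the article places xapt.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def in_temp_dir(path):
    return any(path.startswith(d) for d in TEMP_DIRS)


def resolve(arg, cwd):
    """Turn a relative argv entry such as ./xapt into an absolute path using the process cwd."""
    return arg if os.path.isabs(arg) else os.path.normpath(os.path.join(cwd, arg))


def evaluate(event):
    """Return [(rule, detail), ...] for one process-start event (field names assumed)."""
    alerts = []
    exe = event["exe"]
    parent = event.get("parent_exe", "")
    cwd = event.get("cwd", "/")
    argv = shlex.split(event.get("cmdline", ""))
    # Rule 1: a binary staged in a temp directory executing as root
    if event["uid"] == 0 and in_temp_dir(exe):
        alerts.append(("temp_dir_binary_as_root", exe))
    # Rule 2: a root shell whose parent is such a binary (the "launched a root shell" step)
    if event["uid"] == 0 and exe in SHELLS and in_temp_dir(parent):
        alerts.append(("root_shell_from_temp_dir_binary", parent))
    # Rule 3: nohup used to detach a temp-dir binary so it survives session closure
    if argv and os.path.basename(argv[0]) == "nohup" and len(argv) > 1:
        target = resolve(argv[1], cwd)
        if in_temp_dir(target):
            alerts.append(("nohup_detached_temp_dir_binary", target))
    return alerts


def scan(events):
    return [(e["ts"], rule, detail) for e in events for rule, detail in evaluate(e)]


def unit_execstart_in_temp_dir(unit_text):
    """True if a systemd unit's ExecStart points at a temp-dir binary (persistence as a service)."""
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ExecStart":
            argv = shlex.split(value.strip())
            # systemd allows prefixes such as "-", "@", "+", "!", ":" before the program path
            if argv and in_temp_dir(argv[0].lstrip("-@+!:")):
                return True
    return False


# Constructed sample telemetry for illustration; not real victim data.
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T02:00:01Z", "uid": 0, "exe": "/var/tmp/xapt", "parent_exe": "/bin/bash",
     "cmdline": "/var/tmp/xapt", "cwd": "/var/tmp"},
    {"ts": "2026-02-20T02:00:02Z", "uid": 0, "exe": "/bin/bash", "parent_exe": "/var/tmp/xapt",
     "cmdline": "/bin/bash -i", "cwd": "/var/tmp"},
    {"ts": "2026-02-20T02:00:03Z", "uid": 0, "exe": "/usr/bin/id", "parent_exe": "/bin/bash",
     "cmdline": "id", "cwd": "/var/tmp"},                      # benign on its own; context matters
    {"ts": "2026-02-20T02:00:10Z", "uid": 0, "exe": "/usr/bin/nohup", "parent_exe": "/bin/bash",
     "cmdline": "nohup ./xapt", "cwd": "/var/tmp"},
    {"ts": "2026-02-20T02:05:00Z", "uid": 1000, "exe": "/usr/bin/vim", "parent_exe": "/bin/bash",
     "cmdline": "vim notes.txt", "cwd": "/home/alice"},          # normal user activity
    {"ts": "2026-02-20T02:06:00Z", "uid": 0, "exe": "/usr/bin/apt-get", "parent_exe": "/bin/bash",
     "cmdline": "apt-get update", "cwd": "/root"},               # root, but a packaged binary
]

SAMPLE_UNIT = """[Unit]
Description=example

[Service]
ExecStart=/var/tmp/xapt
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for ts, rule, detail in scan(SAMPLE_EVENTS):
        print(ts, rule, detail)
    print("unit persists temp-dir binary:", unit_execstart_in_temp_dir(SAMPLE_UNIT))
```

Run against the sample, the script raises three alerts (the root execution of /var/tmp/xapt, the root shell it spawned, and the nohup relaunch) and flags the unit file; the `id` invocation and the apt-get run stay quiet, which is the point of keying on where the binary lives and who its parent is rather than on root activity alone.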

UNC2814 targeted endpoints containing personally identifiable information (names, phone numbers, dates of birth, and national IDs) consistent with telecom-focused cyber espionage. While no direct exfiltration was observed, UNC2814 could leverage such access to monitor communications, including call records and SMS messages, for surveillance and intelligence-gathering purposes.

GRIDTIDE is a sophisticated C-based backdoor used by UNC2814 that can execute shell commands and upload and download files. The malware uses Google Sheets as a command-and-control (C2) channel, hiding malicious traffic within legitimate API requests. While it currently uses Google Sheets, other cloud-based spreadsheet platforms could be abused in the same way.

The backdoor requires a 16-byte cryptographic key on the host to decrypt its Google Drive configuration, which contains service account credentials, spreadsheet IDs, and private keys.

“When executed, GRIDTIDE sanitizes its Google Sheet. It does this by deleting the first 1000 rows, across columns A to Z in the spreadsheet, by using the Google Sheets API batchClear method. This prevents previous commands or file data stored in the Sheet from interfering with the threat actor’s current session.” continues the report. “Once the Sheet is prepared, the backdoor conducts host-based reconnaissance. It fingerprints the endpoint by collecting the victim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone.”

Commands from the attacker follow a structured syntax, allowing execution of Bash commands, file uploads, and downloads, with status responses returned to cell A1. Data transfer occurs via cells A2 to An, and the malware uses URL-safe Base64 encoding to evade detection.
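The C2 pattern laid out in the preceding paragraphs (a batchClear of rows 1 to 1000 across columns A to Z, status responses in A1, data in cells A2 to An, URL-safe Base64 encoding) gives defenders something concrete to hunt for in egress telemetry. The Python below is an added example, not the report's own detection logic: it classifies constructed proxy-log records of calls to sheets.googleapis.com, flags any source that wiped a sheet and then polled A1 repeatedly, and decodes a cell value. The log record format, the placeholder spreadsheet ID EXAMPLE_SHEET_ID and the poll threshold are assumptions; the URL shapes follow the public Sheets API v4 (values:batchClear with a JSON list of ranges, and values/{range}).

```python
import base64
import json
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

SHEETS_HOST = "sheets.googleapis.com"
# Sheets API v4 value endpoints: .../values:batchClear (ranges in body) and .../values/{range}
VALUES_PATH = re.compile(r"^/v4/spreadsheets/(?P<sheet>[^/]+)/values(?::batchClear|/(?P<range>[^?]+))$")
WIPE_RANGE = re.compile(r"^A1:Z\d+$")          # "first N rows, columns A to Z" clear from the report
STATUS_CELL = "A1"                             # status responses are written to A1
DATA_RANGE = re.compile(r"^A\d+(?::A\d+)?$")   # data transfer via cells A2..An


def classify(record):
    """Map one proxy record to (src, spreadsheet_id, kind); None if not a Sheets values call."""
    parts = urlsplit(record["url"])
    if parts.hostname != SHEETS_HOST:
        return None
    m = VALUES_PATH.match(parts.path)
    if not m:
        return None
    if m.group("range") is None:
        # :batchClear carries its ranges in the JSON request body
        ranges = json.loads(record.get("body") or "{}").get("ranges", [])
        kind = "wipe" if any(WIPE_RANGE.match(r.split("!")[-1]) for r in ranges) else "clear"
    else:
        rng = unquote(m.group("range")).split("!")[-1]  # drop any "Sheet1!" prefix
        if rng == STATUS_CELL:
            kind = "status_poll"
        elif DATA_RANGE.match(rng):
            kind = "data"
        else:
            kind = "other"
    return record["src"], m.group("sheet"), kind


def find_sheets_c2_candidates(lines, min_polls=3):
    """Return {src: stats} for sources that wiped A1:Z<n> and then polled A1 at least min_polls times."""
    stats = defaultdict(lambda: {"wipe": False, "status_polls": 0, "data_ops": 0, "sheets": set()})
    for line in lines:
        if not line.strip():
            continue
        hit = classify(json.loads(line))
        if hit is None:
            continue
        src, sheet, kind = hit
        s = stats[src]
        s["sheets"].add(sheet)
        if kind == "wipe":
            s["wipe"] = True
        elif kind == "status_poll":
            s["status_polls"] += 1
        elif kind == "data":
            s["data_ops"] += 1
    return {src: s for src, s in stats.items() if s["wipe"] and s["status_polls"] >= min_polls}


def decode_cell(value):
    """Decode a URL-safe Base64 cell value, restoring any stripped '=' padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


# Constructed proxy records (JSON lines). Field names are assumed; EXAMPLE_SHEET_ID is a placeholder.
_SHEET = "https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_SHEET_ID/values"
SAMPLE_PROXY_LOG = [json.dumps(r) for r in [
    {"ts": "2026-02-20T03:14:01Z", "src": "10.20.5.17", "method": "POST",
     "url": _SHEET + ":batchClear", "body": json.dumps({"ranges": ["A1:Z1000"]})},
    {"ts": "2026-02-20T03:14:03Z", "src": "10.20.5.17", "method": "GET", "url": _SHEET + "/A1", "body": ""},
    {"ts": "2026-02-20T03:14:08Z", "src": "10.20.5.17", "method": "GET", "url": _SHEET + "/A1", "body": ""},
    {"ts": "2026-02-20T03:14:13Z", "src": "10.20.5.17", "method": "GET", "url": _SHEET + "/A1", "body": ""},
    {"ts": "2026-02-20T03:14:18Z", "src": "10.20.5.17", "method": "PUT",
     "url": _SHEET + "/A2%3AA5?valueInputOption=RAW", "body": json.dumps({"values": [["aWQ"]]})},
    {"ts": "2026-02-20T03:14:23Z", "src": "10.20.5.17", "method": "GET", "url": _SHEET + "/A1", "body": ""},
    # a user reading a report sheet once: same spreadsheet, different access pattern
    {"ts": "2026-02-20T03:15:00Z", "src": "10.20.9.3", "method": "GET",
     "url": _SHEET + "/Sheet1%21A1%3AD20", "body": ""},
    {"ts": "2026-02-20T03:15:05Z", "src": "10.20.9.3", "method": "GET",
     "url": "https://www.googleapis.com/drive/v3/files", "body": ""},
]]

if __name__ == "__main__":
    for src, s in find_sheets_c2_candidates(SAMPLE_PROXY_LOG).items():
        print(src, s["status_polls"], "A1 polls,", s["data_ops"], "data ops, sheets:", sorted(s["sheets"]))
    print(decode_cell("aWQ"))
```

On the sample, only 10.20.5.17 is reported: it issued the A1:Z1000 clear and then read A1 four times with a data write in between, while the second source touched the same spreadsheet once with an ordinary range. Because a service-account client talks to the same host and paths as any legitimate Sheets integration, the sequence (wipe, then tight A1 polling) is what separates it, not the destination; tune min_polls to your environment's normal integration behaviour.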

UNC2814 has leveraged GRIDTIDE since at least 2017 to target telecommunications and government organizations worldwide.

Google Threat Intelligence Group (GTIG) and its partners terminated all attacker-controlled Google Cloud Projects and accounts, disabled the UNC2814 infrastructure, and revoked access to Google Sheets API calls.

GTIG took coordinated action to disrupt UNC2814 and protect affected organizations. They terminated all attacker-controlled Cloud Projects, disabling GRIDTIDE backdoor access, and took down known UNC2814 infrastructure, including current and historical domains. Attacker accounts and Google Sheets access were revoked, and victim organizations were formally notified and supported. GTIG also refined detection signatures to block GRIDTIDE activity and released indicators of compromise (IOCs) used by UNC2814 since 2023, helping organizations worldwide identify and defend against this threat.

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders.” concludes the report. “Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint.”

Source: https://securityaffairs.com/188521/apt/google-gtig-disrupted-china-linked-apt-unc2814-halting-attacks-on-53-orgs-in-42-countries.html