Google Disrupts UNC2814 GRIDTIDE Campaign Targeting 53 Orgs
China-linked UNC2814 breached 53 organizations across 42 countries using GRIDTIDE malware that abuses Google Sheets for C2. Google terminates attacker infrastructure.
Google's Threat Intelligence Group (GTIG) disrupted a sustained cyberespionage campaign by suspected China-nexus threat actor UNC2814 that compromised 53 organizations across 42 countries. The group's signature capability: a novel backdoor called GRIDTIDE that hijacks Google Sheets as a covert command-and-control channel.
The campaign represents one of the more creative abuses of legitimate cloud services we've seen this year. By routing malicious traffic through Google's own infrastructure, UNC2814 made their C2 communications blend seamlessly with normal enterprise traffic.
How GRIDTIDE Works
GRIDTIDE is a C-based backdoor that converts Google Sheets into a real-time command interface. The malware polls a specific spreadsheet cell every second, waiting for operator instructions. When the attacker writes a command to cell A1, GRIDTIDE executes it and writes the results back to adjacent cells.
The system is surprisingly elegant:
- Cell A1: Command input and status responses
- Cells A2-An: Data exfiltration and file transfers
- Cell V1: Victim system fingerprinting data
At the start of each session, GRIDTIDE wipes the first 1,000 rows to erase traces of prior activity. It's operational security built into the malware itself.
The backdoor supports arbitrary shell command execution and file upload/download capabilities—everything an espionage operator needs for persistent access and data theft.
Who UNC2814 Targets
According to Google's disclosure, UNC2814 has operated since at least 2017 with a focus on telecommunications providers and government organizations. GTIG confirmed 53 intrusions across 42 nations and identified suspected targeting in at least 20 additional countries.
The geographic distribution spans Africa, Asia, and the Americas. Many victims remained compromised for years before detection, suggesting UNC2814 prioritizes long-term persistence over immediate impact.
Particularly concerning: the attackers specifically planted GRIDTIDE on endpoints containing personally identifiable information—full names, phone numbers, dates of birth, voter IDs, and national identification numbers. This data collection aligns with intelligence gathering rather than financial crime.
The Cloud Service Advantage
Abusing legitimate cloud platforms for C2 has become a preferred tactic for sophisticated threat actors. We've covered similar approaches, including APT37's abuse of Zoho WorkDrive and other groups leveraging OneDrive, Google Drive, and Dropbox.
The technique offers several advantages. Network defenders can't simply block traffic to Google—that would break too many business applications. The encrypted HTTPS connections make content inspection difficult. And cloud provider infrastructure handles the reliability and uptime that attackers would otherwise need to maintain themselves.
For security teams, this means traditional IOC-based blocking loses effectiveness. You can't blacklist Google's IP ranges. Detection must shift toward behavioral analysis: unusual spreadsheet access patterns, unexpected data volumes, anomalous user-agent strings.
How Google Responded
GTIG, Mandiant, and their partners took coordinated action to sever UNC2814's operational capabilities:
- Terminated all attacker-controlled Google Cloud projects
- Disabled known UNC2814 infrastructure
- Revoked access to compromised accounts and Google Sheets API calls
- Sinkholed current and historical domains used in the campaign
- Issued formal notifications to identified victims
This type of active disruption—Google taking down infrastructure hosted on its own platform—represents an increasingly common industry response to APT campaigns. Cloud providers have both the visibility and the authority to act when threat actors abuse their services.
Detection Guidance
Organizations concerned about GRIDTIDE should look for:
On Linux systems:
- Service entries at /etc/systemd/system/xapt.service
- Malware binaries spawned from /usr/sbin/xapt
- SoftEther VPN Bridge processes establishing encrypted outbound connections
Network indicators:
- Unusual Google Sheets API activity, particularly from servers rather than user workstations
- High-frequency polling patterns to Google domains
- Large data transfers to Sheets that don't align with normal business use
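The behavioral checks described in the "Cloud Service Advantage" section and the network indicators above, as an added example that is not from the article or Google's disclosure: it runs over a constructed, space-separated proxy log and flags hosts polling the Sheets API at a short, regular interval (reporting the host's inventory role) and hosts pushing unusually large write requests. The log format, the host roles and the thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SHEETS_HOST = "sheets.googleapis.com"
# Constructed sample log: "timestamp src_host role dst_host method bytes_out".
# db-01 mimics the polling/bulk-write pattern described above; ws-17 is a user.
SAMPLE_LOG = """\
2026-03-02T10:00:00 db-01 server sheets.googleapis.com GET 310
2026-03-02T10:00:01 db-01 server sheets.googleapis.com GET 310
2026-03-02T10:00:02 db-01 server sheets.googleapis.com GET 310
2026-03-02T10:00:03 db-01 server sheets.googleapis.com GET 310
2026-03-02T10:00:04 db-01 server sheets.googleapis.com PUT 2400000
2026-03-02T10:00:00 ws-17 workstation sheets.googleapis.com GET 540
2026-03-02T10:04:12 ws-17 workstation sheets.googleapis.com PUT 1800
"""

def parse_log(text):
    """Parse the constructed format into dicts, keeping only Sheets API traffic."""
    records = []
    for line in text.splitlines():
        ts, host, role, dst, method, size = line.split()
        if dst == SHEETS_HOST:
            records.append({"ts": datetime.fromisoformat(ts), "host": host,
                            "role": role, "method": method, "bytes": int(size)})
    return records

def polling_hosts(records, max_median_gap=2.0, min_requests=5):
    """Hosts hitting the Sheets API at a short, regular interval; returns
    {host: (role, median_gap_seconds)} so a polling server stands out."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    flagged = {}
    for host, reqs in by_host.items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap:
            flagged[host] = (reqs[0]["role"], median(gaps))
    return flagged

def bulk_writers(records, byte_threshold=1_000_000):
    """Hosts whose write requests (PUT/POST) to Sheets total byte_threshold+."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("PUT", "POST"):
            totals[r["host"]] += r["bytes"]
    return {h: b for h, b in totals.items() if b >= byte_threshold}
```

In practice the role field would come from your asset inventory or CMDB, and the thresholds should be tuned against a baseline of legitimate Workspace traffic before alerting on them.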
The disclosure didn't include specific file hashes or IP addresses, limiting automated detection options. Organizations with Google Workspace can audit Sheets API usage through admin console logs.
The Attribution Question
Google describes UNC2814 as "suspected China-nexus" based on targeting patterns, operational hours, and infrastructure overlaps with known Chinese threat actors. The group is also tracked as "Gallium" by other security vendors.
Attribution to nation-state programs always involves uncertainty. What's clear: this is a well-resourced, patient adversary with sophisticated capabilities and targets that align with state-level intelligence priorities.
For defenders, the attribution matters less than the TTPs. Whether this specific campaign was directed by Beijing or operated by criminals with overlapping interests, the defensive measures remain the same: monitor for cloud service abuse, implement behavioral detection, and assume persistent access until proven otherwise.
Telecommunications and government organizations in particular should review their exposure and consider proactive threat hunting for GRIDTIDE indicators.