Ethical Hacking News

Disrupting the GRIDTIDE Global Cyber Espionage Campaign: A Threat Actor Takedown


Google's Threat Intelligence Group (GTIG) has disrupted a cyber espionage campaign attributed to UNC2814, a suspected PRC-nexus group, that used a previously undocumented backdoor called GRIDTIDE against telecommunications and government organizations worldwide. GRIDTIDE's distinguishing feature is its command-and-control channel: it reads commands from and writes results to an attacker-controlled Google Sheet through the legitimate Google Sheets API, so its traffic blends in with ordinary cloud API requests.

  • Google's Threat Intelligence Group (GTIG) disrupted a sophisticated cyber espionage campaign linked to UNC2814, a suspected People's Republic of China (PRC)-nexus group.
  • UNC2814 used the GRIDTIDE backdoor, a novel C-based tool that uses legitimate Google Sheets API calls as its command-and-control channel.
  • GRIDTIDE executes arbitrary shell commands and uploads and downloads files; because each exchange is an ordinary Sheets API request to an attacker-controlled spreadsheet, the traffic is hard to distinguish from legitimate cloud use.
  • GTIG disrupted the campaign by terminating the attacker-controlled Google Cloud Projects, disabling known infrastructure, and releasing IOCs covering UNC2814 activity since 2023.
  • The released IOCs give defenders concrete indicators to hunt for, plus context on how cloud-API-based C2 is used in modern intrusions.



Google's Threat Intelligence Group (GTIG) has disrupted a campaign by UNC2814, a suspected People's Republic of China (PRC)-nexus cyber espionage group linked to intrusions at international governments and global telecommunications organizations across Africa, Asia, and the Americas.

According to GTIG, UNC2814 has been deploying a novel backdoor called GRIDTIDE, which uses legitimate Google Sheets API functionality as its command-and-control channel. GRIDTIDE, first observed in 2023, is a C-based tool that can execute arbitrary shell commands and upload and download files. Because every exchange with the operator is an ordinary API request to an attacker-controlled spreadsheet, the traffic looks like routine cloud use, which defeats network detection that only looks for unusual destinations.

GRIDTIDE decrypts its Google Drive configuration with AES-128 in Cipher Block Chaining (CBC) mode, using an embedded 16-byte key (a 16-byte key is what makes it AES-128). At the start of a session the malware sanitizes its Google Sheet by deleting the first 1000 rows across columns A to Z, so that commands or file data left over from an earlier session cannot interfere with the current one.

When executed, GRIDTIDE conducts host-based reconnaissance, fingerprinting the endpoint by collecting user information, OS details, the local IP address, and environment data. This information is exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet.

The operator issues instructions through a four-part command syntax whose fields are separated by "---". Commands originating from the threat actor are categorized as type C (Client); type U (Upload) and type D (Download) commands transfer data between the endpoint and the spreadsheet.
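One way to turn the behaviour described above into hunt logic, as an added example (this is not GTIG's or Google's code and is not derived from the malware): a small Python script that scores Google Sheets API calls seen in proxy logs for the GRIDTIDE pattern, namely a bulk clear of the working area, a single-cell write right after it, repeated reads of the same range on a fixed cadence, and a non-browser client process. The log lines, field layout, process names and spreadsheet IDs are constructed for the example. The Sheets API v4 endpoint shapes (POST values/{range}:clear, PUT and GET on values/{range}) are real, but how GRIDTIDE itself addresses the range in its requests is not stated in the article and is assumed here.

```python
"""Hunt for GRIDTIDE-style Google Sheets C2 in proxy logs (added example).

Assumed log layout, space separated, user agent last so it may contain spaces:
    ts src process method url user_agent
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real telemetry. The first four lines mimic the
# article's description: wipe A1:Z1000, write recon to V1, then poll for commands.
SAMPLE_LOG = """\
2026-02-20T08:00:01Z 10.0.0.5 svchost.exe POST https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:Z1000:clear Mozilla/5.0
2026-02-20T08:00:02Z 10.0.0.5 svchost.exe PUT https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!V1?valueInputOption=RAW Mozilla/5.0
2026-02-20T08:00:32Z 10.0.0.5 svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:D50 Mozilla/5.0
2026-02-20T08:01:02Z 10.0.0.5 svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:D50 Mozilla/5.0
2026-02-20T09:14:10Z 10.0.0.9 chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Budget!A1:F20 Mozilla/5.0 Chrome/122
"""

# Sheets API v4 values endpoint; the range is non-greedy so a trailing ":clear"
# is not swallowed into the A1 range (which itself contains a colon).
SHEETS_URL = re.compile(
    r"https://sheets\.googleapis\.com/v4/spreadsheets/(?P<sid>[^/]+)/values/"
    r"(?P<range>[^?]+?)(?P<clear>:clear)?(?:\?.*)?$"
)
# Optional "SheetName!" prefix, then A1 or A1:Z1000.
A1_RANGE = re.compile(r"^(?:[^!]+!)?([A-Z]+)(\d+)(?::([A-Z]+)(\d+))?$")
# Processes for which Sheets API traffic is expected (assumed allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line):
    """Return a dict for a Sheets API request, or None for anything else."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, src, proc, method, url, _ua = parts
    m = SHEETS_URL.match(url)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "proc": proc, "method": method,
        "sid": m["sid"], "range": m["range"], "clear": bool(m["clear"]),
    }


def span(rng):
    """(first_col, first_row, last_col, last_row) of an A1-style range, or None."""
    m = A1_RANGE.match(rng)
    if not m:
        return None
    c1, r1, c2, r2 = m.groups()
    return c1, int(r1), c2 or c1, int(r2 or r1)


def analyze(log_text, min_score=5):
    """Score each (source, process, spreadsheet) triple and return the suspicious ones."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["src"], ev["proc"], ev["sid"])].append(ev)

    findings = []
    for (src, proc, sid), evs in groups.items():
        score, reasons = 0, []
        gets = defaultdict(list)
        for ev in evs:
            s = span(ev["range"])
            if s is None:
                continue
            c1, r1, c2, r2 = s
            # Bulk wipe of a working area from A1 downward (A1:Z1000 in the article).
            if ev["clear"] and c1 == "A" and r1 == 1 and r2 - r1 >= 999:
                score += 3
                reasons.append(f"bulk clear {ev['range']}")
            # Single-cell write; GRIDTIDE parks host recon in V1, but do not
            # hard-code the cell, the operator can change it.
            elif ev["method"] == "PUT" and (c1, r1) == (c2, r2):
                score += 2
                reasons.append(f"single-cell write {ev['range']}")
            elif ev["method"] == "GET":
                gets[ev["range"]].append(ev["ts"])
        # Repeated reads of the same range look like command polling.
        for rng, times in gets.items():
            if len(times) >= 2:
                times.sort()
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                score += 2
                reasons.append(f"polled {rng} {len(times)}x, ~{int(sum(gaps) / len(gaps))}s apart")
        if proc.lower() not in BROWSERS:
            score += 1
            reasons.append(f"non-browser process {proc}")
        if score >= min_score:
            findings.append({"src": src, "proc": proc, "sid": sid,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['src']} {f['proc']} sheet={f['sid']} score={f['score']}: {', '.join(f['reasons'])}")
```

The scoring weights are arbitrary and the point is the shape of the signal, not the numbers: a clear followed by a write and a polling loop from a process that has no business driving a spreadsheet. In a real environment the allow-list of browser processes and the bulk-clear threshold should come from a baseline of your own Sheets API usage, and the same grouping works on Google Workspace audit logs if you key on the authenticated account instead of the source host.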

GTIG's investigation identified 53 victims in 42 countries across four continents, with suspected infections in at least 20 more countries. The targeting is consistent with telecommunications-focused espionage, where access to carriers is used to identify, track, and monitor persons of interest.

To disrupt the campaign, GTIG terminated all Google Cloud Projects controlled by the attacker, disabled known UNC2814 infrastructure, and released a set of IOCs linked to the group's activity since 2023.

For defenders the IOCs are the immediate action item: hunt for them in proxy, DNS and cloud audit logs. The longer-term lesson is that blocking by destination is not enough when C2 rides on a sanctioned SaaS API; detection has to consider which process is talking to the API and what it is doing with the spreadsheet, not just where the traffic goes.

The disruption of GRIDTIDE removes one UNC2814 toolset from the field and shows the value of a cloud provider being able to cut off attacker-controlled projects directly, in addition to publishing indicators for everyone else.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Disrupting-the-GRIDTIDE-Global-Cyber-Espionage-Campaign-A-Threat-Actor-Takedown-ehn.shtml

  • Published: Wed Feb 25 09:00:34 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.