Ethical Hacking News
Google has disrupted a highly sophisticated cyber espionage group tracked as UNC2814, which has been linked to 53 breaches across 42 countries. The group was using API calls and novel backdoors to communicate with SaaS apps as command-and-control infrastructure, disguising their malicious traffic as benign. Google has taken concrete measures to disrupt the group's operations, but this incident highlights the ongoing threat posed by Chinese nation-state groups to global organizations.
Google disrupted a highly sophisticated Chinese-nexus cyber espionage group tracked as UNC2814. The group was linked to at least 53 breaches across 42 countries, making it one of the most far-reaching campaigns encountered in recent years. UNC2814 used API calls and novel backdoors to communicate with SaaS apps as command-and-control infrastructure. Google took concrete measures to disrupt the group's operations, including terminating cloud projects and disabling known infrastructure. The incident highlights the growing sophistication of Chinese nation-state groups and the need for organizations to stay vigilant and proactive in protecting themselves against cyber threats.
Google has made headlines once again by disrupting a highly sophisticated Chinese-nexus cyber espionage group. The group, tracked as UNC2814, has been linked to at least 53 breaches across 42 countries, making it one of the most far-reaching and impactful campaigns encountered in recent years.
In a report published on Wednesday, Google Threat Intelligence Group (GTIG) and Mandiant revealed that they worked with industry partners to disrupt the infrastructure of the suspected China-nexus group. The group has been using API calls to communicate with software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure, disguising their malicious traffic as benign.
The central component of the hacking group's operations is a novel backdoor dubbed GRIDTIDE, which abuses the Google Sheets API as a communication channel. The C-based malware supports file upload/download and the execution of arbitrary shell commands. GRIDTIDE is also known to leverage SoftEther VPN Bridge to establish an outbound encrypted connection to an external IP address.
The threat actor has been using a service account to move laterally within environments via SSH, while leveraging living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and setting up persistence. The malware was found in endpoints containing personally identifiable information (PII), which is consistent with cyber espionage activity focused on monitoring persons of interest.
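A backdoor that polls a SaaS API on a timer looks different from a person editing a spreadsheet: its requests arrive at a near-constant cadence. The detection heuristic below is an added example, not code from the Google/Mandiant report; it runs over constructed proxy log lines (hypothetical hosts and placeholder spreadsheet IDs) and flags hosts whose requests to sheets.googleapis.com show beacon-like regularity, leaving bursty human use unflagged.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical hosts and placeholder sheet IDs, not from the report).
# Format: <ISO timestamp> <source host> <destination host> <HTTP method> <path>
SAMPLE_LOG = """\
2026-02-24T09:00:00Z wks-17 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/cmd
2026-02-24T09:05:02Z wks-17 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/cmd
2026-02-24T09:10:01Z wks-17 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/cmd
2026-02-24T09:15:03Z wks-17 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/cmd
2026-02-24T09:20:00Z wks-17 sheets.googleapis.com PUT /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/out
2026-02-24T09:01:10Z wks-03 sheets.googleapis.com GET /v4/spreadsheets/BUDGET_ID_PLACEHOLDER/values/Q1
2026-02-24T09:01:15Z wks-03 sheets.googleapis.com PUT /v4/spreadsheets/BUDGET_ID_PLACEHOLDER/values/Q1
2026-02-24T09:47:40Z wks-03 sheets.googleapis.com GET /v4/spreadsheets/BUDGET_ID_PLACEHOLDER/values/Q1
2026-02-24T11:12:05Z wks-03 sheets.googleapis.com GET /v4/spreadsheets/BUDGET_ID_PLACEHOLDER/values/Q1
2026-02-24T09:02:00Z wks-09 www.example.com GET /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SHEETS_API = "sheets.googleapis.com"

def parse_log(text):
    """Yield (timestamp, src_host, dst_host) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def find_beaconing_hosts(text, min_requests=4, max_cv=0.2):
    """Return {host: mean_gap_seconds} for hosts polling the Sheets API at a regular cadence.
    cv = stdev / mean of inter-request gaps: a polling implant gives a low cv, a human a high one.
    Thresholds are illustrative and should be tuned to the environment."""
    by_host = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst == SHEETS_API:
            by_host[src].append(ts)
    flagged = {}
    for host, times in by_host.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[host] = round(avg)
    return flagged
```

In practice the same cadence check applies to any SaaS endpoint an implant might poll; pair it with an allowlist of hosts that legitimately automate Sheets access to keep the alert volume manageable.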
Google has taken several measures to disrupt the group's operations, including terminating all Google Cloud Projects controlled by the attacker, disabling known infrastructure, cutting off access to attacker-controlled accounts and Google Sheets API calls, and issuing formal victim notifications to each of the targets.
The discovery highlights that Chinese nation-state groups are continuously making efforts to embed themselves into networks for long-term access. The network edge continues to bear the brunt of internet-wide exploitation attempts, with threat actors frequently exploiting vulnerabilities and misconfigurations in such appliances as a common entry point into enterprise networks.
"This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas," Google Threat Intelligence Group (GTIG) and Mandiant said in their report. "The global scope of UNC2814's activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors."
"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established," added Google. "We expect that UNC2814 will work hard to re-establish its global footprint."
The incident also highlights the growing sophistication of Chinese nation-state groups, who continue to push the boundaries of their tradecraft. The use of a novel backdoor like GRIDTIDE and of SaaS API calls as C2 infrastructure is a testament to their advanced capabilities.
In addition, the fact that the threat actors are using SoftEther VPN for command-and-control purposes is an indication of how these malicious actors take advantage of vulnerabilities in networks.
The incident highlights the need for organizations to stay vigilant and proactive in protecting themselves against cyber threats. Given the scope and sophistication of this particular campaign, it's clear that even well-established organizations can be targeted by such groups.
Google has once again demonstrated its commitment to cybersecurity by working with industry partners to disrupt a highly sophisticated Chinese-nexus group. The concrete measures it has taken against the group's infrastructure show that Google takes cyber threats seriously.
As the threat landscape continues to evolve, it's crucial for organizations to stay informed and take necessary precautions to protect themselves against emerging threats. In this case, UNC2814 serves as a prime example of how sophisticated Chinese nation-state groups can pose significant risks to organizations around the world.
Related Information:
https://www.ethicalhackingnews.com/articles/Google-Disrupts-UNC2814-GRIDTIDE-Campaign-Unveiling-a-Sophisticated-Chinese-Nexus-Cyber-Espionage-Group-ehn.shtml
https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
Published: Wed Feb 25 13:55:13 2026 by llama3.2 3B Q4_K_M