Google Disrupts UNC2814 GRIDTIDE Malware Abusing Google Sheets API in Global Telecom and Government Espionage Campaign

Executive Summary

Google, in collaboration with Mandiant and industry partners, has disrupted the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 following confirmed breaches of at least 53 organizations across 42 countries. The campaign, which has been active since at least 2017, primarily targeted global telecommunications providers and government organizations. The attackers leveraged a novel backdoor, GRIDTIDE, which abused the Google Sheets API as a command-and-control (C2) channel, enabling them to blend malicious activity with legitimate cloud traffic. While the campaign focused on accessing highly sensitive personally identifiable information (PII), call logs, text message traffic, and communications metadata, Google did not observe confirmed data exfiltration during the campaign. The disruption, publicly disclosed in late February 2026, involved terminating attacker-controlled Google Cloud Projects, disabling known accounts, and sinkholing malicious domains. Google has issued formal victim notifications and is supporting organizations with verified compromises. The incident underscores the increasing sophistication of state-linked threat actors in abusing legitimate SaaS platforms and highlights the need for enhanced monitoring of cloud service usage, especially in sectors handling sensitive communications data (The Hacker News, SecurityBrief Australia, WIU Cybersecurity News).

Technical Information

The UNC2814 campaign represents a highly sophisticated, multi-year cyber espionage operation targeting telecommunications and government sectors worldwide. The group’s hallmark was the deployment of the GRIDTIDE backdoor, C-based malware that used the Google Sheets API for C2 communications. This approach allowed attackers to disguise malicious traffic as ordinary SaaS activity, complicating detection efforts.

GRIDTIDE’s C2 mechanism used a cell-based polling scheme within a Google Spreadsheet. Specific spreadsheet cells were assigned roles: cell A1 was polled for attacker commands and then overwritten with a status response, cells A2 through An carried command output and transferred files, and cell V1 stored system data collected from the victim endpoint. This arrangement gave the attacker bidirectional communication with the compromised endpoint, supporting file upload and download as well as arbitrary shell command execution (The Hacker News).

The attackers gained initial access primarily by exploiting public-facing web servers and edge systems, a tactic consistent with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Once inside, they established persistence by creating a systemd service for the malware at /etc/systemd/system/xapt.service, spawning new instances from /usr/sbin/xapt. Lateral movement was achieved using service accounts and SSH, while living-off-the-land (LotL) binaries facilitated reconnaissance, privilege escalation, and persistence. The deployment of SoftEther VPN Bridge enabled encrypted outbound connections, further obfuscating attacker activity and supporting stealthy lateral movement (The Hacker News).

The campaign’s targeting was highly selective, focusing on endpoints containing PII and communications metadata. In several confirmed compromises, attackers sought national and voter ID numbers, call logs, and text message traffic. While there is evidence that GRIDTIDE was deployed on systems with sensitive data, Google did not observe confirmed data exfiltration during the campaign (SecurityBrief Australia).

Importantly, the abuse of the Google Sheets API did not stem from a vulnerability in Google Sheets itself. Instead, attackers leveraged legitimate API functionality, a trend increasingly observed among advanced persistent threat (APT) groups seeking to blend into permitted cloud service traffic. The architecture of GRIDTIDE is adaptable and could be repurposed to use other cloud-based spreadsheet tools, as many SaaS platforms offer APIs and automation features suitable for remote tasking and data exchange (SecurityBrief Australia).

Google’s response included terminating all attacker-controlled Google Cloud Projects, disabling known UNC2814 infrastructure, and cutting off access to attacker-controlled accounts and Google Sheets API calls. Sinkholing of malicious domains redirected traffic to defender-controlled systems, providing visibility into attempted connections and further disrupting the attackers’ operations. Formal victim notifications were issued to all confirmed targets, and Google continues to support organizations with verified compromises (The Hacker News, SecurityBrief Australia).

Affected Versions & Timeline

The UNC2814 campaign has been active since at least 2017, with the earliest known deployment of the GRIDTIDE backdoor traced to late 2025. The disruption of the campaign and public disclosure occurred in February 2026. The campaign affected at least 53 organizations in 42 countries, with suspected targeting in more than 20 additional nations. The primary sectors impacted were telecommunications providers and government organizations, particularly those handling sensitive communications data and PII (The Hacker News, SecurityBrief Australia, WIU Cybersecurity News).

Threat Activity

UNC2814 demonstrated advanced operational security and adaptability throughout the campaign. The group’s use of the GRIDTIDE backdoor and legitimate SaaS APIs for C2 communications allowed them to evade traditional network detection mechanisms. By leveraging cloud productivity services such as Google Sheets, which are often permitted by default in enterprise environments, the attackers were able to blend malicious activity with normal business traffic.

The group’s tactics included exploiting public-facing applications for initial access, establishing persistence via systemd services, and using LotL binaries for privilege escalation and reconnaissance. Lateral movement was facilitated through service accounts and SSH, while SoftEther VPN Bridge provided encrypted outbound connections. The targeting of endpoints with sensitive PII and communications metadata suggests a focus on espionage and the tracking of individuals of interest.

Despite the sophistication of the campaign, Google and its partners were able to disrupt UNC2814’s infrastructure by terminating attacker-controlled cloud projects, disabling accounts, and sinkholing malicious domains. The disruption is considered a significant setback for the group, given the scale and duration of their operations. However, researchers caution that UNC2814 is likely to attempt to re-establish its global footprint, and organizations should remain vigilant for signs of compromise (The Hacker News, SecurityBrief Australia).

Mitigation & Workarounds

The following recommendations are prioritized by severity:

Critical: Organizations, especially in the telecommunications and government sectors, should immediately review outbound connections to cloud-based SaaS platforms such as Google Sheets and other spreadsheet services. Implement strict monitoring and alerting for unusual API usage patterns, particularly those involving data transfer or command execution.
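Because GRIDTIDE repeatedly reads one spreadsheet cell for tasking (see the C2 description above), an infected server tends to contact sheets.googleapis.com at a steady cadence that a human-driven spreadsheet session does not show. The following detector is an added example, not code from the advisory or from Google/Mandiant; the proxy log format, hostnames and spreadsheet IDs are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Flag hosts whose Google Sheets API traffic looks like a GRIDTIDE-style polling loop.
Added example, not from the advisory or Google/Mandiant. Because the backdoor keeps
re-reading one cell for tasking, an infected server hits sheets.googleapis.com at a
steady cadence; the log format, hostnames and spreadsheet IDs below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <source host> <method> <url>"
SAMPLE_LOG = """\
2026-02-20T10:00:00 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:00:31 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:01:00 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:01:32 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:02:01 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:02:30 billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEETID/values/Sheet1!A1
2026-02-20T10:03:12 analyst-laptop GET https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Budget!A1:D40
2026-02-20T10:03:24 analyst-laptop GET https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Budget!E1:H40
2026-02-20T10:06:44 analyst-laptop PUT https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Budget!A1:D40
2026-02-20T10:07:31 analyst-laptop GET https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Budget!A1:D40
2026-02-20T10:22:31 analyst-laptop GET https://www.googleapis.com/drive/v3/files
2026-02-20T10:22:40 analyst-laptop GET https://sheets.googleapis.com/v4/spreadsheets/OTHERID/values/Budget!A1:D40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://sheets\.googleapis\.com/\S+")

def find_sheets_beacons(log_text, min_requests=5, max_jitter_ratio=0.2):
    """Return {host: {"requests": n, "mean_gap_s": s}} for hosts whose Sheets API
    calls arrive with near-constant spacing (stdev/mean of the gaps <= ratio)."""
    stamps_by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)          # only Sheets API calls are of interest here
        if m:
            stamps_by_host[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for host, stamps in stamps_by_host.items():
        if len(stamps) < min_requests:   # too few calls to judge a cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            flagged[host] = {"requests": len(stamps), "mean_gap_s": mean}
    return flagged

if __name__ == "__main__":
    for host, info in find_sheets_beacons(SAMPLE_LOG).items():
        print(f"{host}: {info['requests']} Sheets API calls every ~{info['mean_gap_s']:.0f}s")
```

A server-class host with a regular cadence is the interesting hit; the analyst laptop's bursty, irregular edits are left alone, which is the distinction the advisory's "unusual API usage patterns" recommendation relies on.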

High: Conduct comprehensive threat hunting for indicators of compromise (IoCs) associated with GRIDTIDE, including the presence of unauthorized systemd services (e.g., /etc/systemd/system/xapt.service), suspicious processes in /usr/sbin/, and anomalous use of SoftEther VPN Bridge. Review service account activity for signs of lateral movement via SSH.
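A host-side hunt for the artifacts listed above, as an added example rather than code from the advisory or from Google/Mandiant. The unit and binary paths are taken from the advisory; the SoftEther process names are an assumption based on the product's usual binary names, and the `root` argument lets the same check run against a mounted forensic image.

```python
"""Hunt a Linux host (or a mounted image) for the GRIDTIDE artifacts named above.
Added example, not from the advisory or Google/Mandiant. Paths come from the
advisory; the SoftEther process names are an assumption (the product's usual
binary names). `root` is "/" on a live host or the mount point of an image."""
import re
import tempfile
from pathlib import Path

UNIT_PATH = "etc/systemd/system/xapt.service"   # from the advisory
BINARY_PATH = "usr/sbin/xapt"                   # from the advisory
SOFTETHER_NAMES = ("vpnbridge", "vpnserver", "vpnclient")  # assumption

def read_proc_cmdlines(proc_dir):
    """Collect command lines from a /proc tree, skipping PIDs that vanish."""
    cmds = []
    for pid_dir in Path(proc_dir).glob("[0-9]*"):
        try:
            raw = (pid_dir / "cmdline").read_bytes()
        except OSError:
            continue
        cmds.append(raw.replace(b"\0", b" ").decode(errors="replace").strip())
    return cmds

def hunt_gridtide(root="/", proc_cmdlines=None):
    """Return human-readable findings; an empty list means nothing was seen."""
    root, findings = Path(root), []
    unit, binary = root / UNIT_PATH, root / BINARY_PATH
    if unit.is_file():
        findings.append(f"systemd unit present: /{UNIT_PATH}")
        m = re.search(r"^ExecStart=(.+)$", unit.read_text(errors="replace"), re.M)
        if m:                            # report what the unit actually launches
            findings.append(f"unit ExecStart: {m.group(1).strip()}")
    if binary.is_file():
        findings.append(f"binary present: /{BINARY_PATH} ({binary.stat().st_size} bytes)")
    if proc_cmdlines is None:            # live host: read the process table
        proc_cmdlines = read_proc_cmdlines(root / "proc")
    findings += [f"SoftEther-like process: {c}" for c in proc_cmdlines
                 if any(n in c for n in SOFTETHER_NAMES)]
    return findings

def build_demo_root():
    # Constructed lab tree mimicking an infected host; returns its path.
    root = Path(tempfile.mkdtemp(prefix="gridtide-demo-"))
    (root / UNIT_PATH).parent.mkdir(parents=True)
    (root / UNIT_PATH).write_text("[Service]\nExecStart=/usr/sbin/xapt\n"
                                  "[Install]\nWantedBy=multi-user.target\n")
    (root / BINARY_PATH).parent.mkdir(parents=True)
    (root / BINARY_PATH).write_bytes(b"\x7fELF placeholder")
    return root
```

Run `hunt_gridtide()` with no arguments on a live host; pass a mount point plus a previously captured list of command lines when working from an image.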

High: Enforce least-privilege access controls for service accounts and restrict the use of cloud APIs to only those necessary for business operations. Regularly audit cloud project permissions and disable unused or suspicious accounts.

Medium: Enhance network segmentation to limit lateral movement opportunities and restrict outbound connections to only approved cloud services. Deploy network monitoring solutions capable of detecting living-off-the-land techniques and unusual SaaS traffic patterns.

Medium: Educate security teams on the risks of SaaS abuse and the importance of monitoring for legitimate service misuse, not just known malicious domains or IPs.

Low: Stay informed of new threat intelligence related to UNC2814 and similar groups, and update detection rules as new IoCs and TTPs (tactics, techniques, and procedures) are published by trusted sources.

There is no evidence that the Google Sheets platform itself is vulnerable; rather, attackers abused legitimate functionality. Organizations should focus on monitoring and controlling the use of SaaS APIs and cloud services within their environments (The Hacker News, SecurityBrief Australia).

References

https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html (Feb 25, 2026)

https://securitybrief.com.au/story/google-disrupts-china-linked-cyber-espionage-on-telecoms (Feb 26, 2026)

https://www.wiu.edu/cybersecuritycenter/cybernews.php (Feb 25, 2026)

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, monitor, and assess risks associated with external vendors and partners. Our platform enables continuous monitoring of cloud service usage, detection of anomalous API activity, and assessment of exposure to advanced persistent threats leveraging SaaS platforms for command-and-control. For questions or further information, contact us at ops@rescana.com.