Google Disrupts GRIDTIDE: China-Linked Cyber Espionage Campaign Hit 42 Countries
Key Takeaways
- Google disrupted a China-linked espionage campaign affecting 53 confirmed victims across 42 countries, primarily targeting telecom and government sectors
- The GRIDTIDE backdoor abused legitimate Google Sheets API calls for command-and-control, disguising malicious traffic as normal cloud activity without exploiting any security vulnerabilities
- UNC2814 is a distinct threat actor from "Salt Typhoon" with different tactics and targets, tracked by Google since 2017
Summary
Google's Threat Intelligence Group (GTIG) and Mandiant have disrupted a sophisticated global cyber espionage campaign dubbed GRIDTIDE, attributed to UNC2814, a suspected Chinese state-sponsored threat actor active since 2017. The operation targeted telecommunications providers and government organizations across 42 countries on four continents, with confirmed intrusions affecting 53 victims and suspected infections in at least 20 additional nations.
The attackers employed a novel backdoor called GRIDTIDE that abused legitimate Google Sheets API functionality to disguise command-and-control traffic as benign communications with SaaS applications. This technique exploited normal cloud service behavior rather than security vulnerabilities, making detection particularly challenging. The disruption effort included terminating all Google Cloud projects controlled by the attackers, disabling UNC2814 infrastructure, revoking attacker accounts, and releasing indicators of compromise dating back to 2023.
GTIG emphasized that UNC2814 operates independently from the widely reported "Salt Typhoon" espionage group, using distinct tactics and targeting different victim profiles. The initial detection came through Mandiant's use of Google Security Operations, which flagged suspicious activity on a compromised CentOS server showing privilege escalation to root access. While the specific initial access vector remains undetermined, UNC2814 has historically gained entry by exploiting web servers and edge systems.
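A defender-side illustration of the detection problem the Sheets API abuse creates, added here and not part of Google's report or tooling: it scans constructed proxy log lines for hosts that contact the Sheets API endpoint at near-fixed intervals, the machine-like regularity that legitimate spreadsheet use rarely shows. The log format, host names, spreadsheet id placeholder and thresholds are assumptions; `sheets.googleapis.com` is the public Sheets API host.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format: timestamp, source host, destination host, path).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z srv-centos-01 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T10:05:01Z srv-centos-01 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T10:10:00Z srv-centos-01 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T10:14:59Z srv-centos-01 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T10:20:00Z srv-centos-01 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T09:12:10Z wks-finance-07 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/B2
2024-03-01T09:47:33Z wks-finance-07 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/C9
2024-03-01T11:02:05Z wks-finance-07 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2024-03-01T10:03:00Z srv-centos-01 www.example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SHEETS_HOST = "sheets.googleapis.com"  # public Google Sheets API endpoint

def parse_log(text):
    """Parse the constructed log lines into (timestamp, src, dst, path) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def find_sheets_beacons(records, min_requests=4, max_cv=0.05):
    """Return {src: stats} for hosts whose Sheets API requests arrive at near-fixed intervals.

    A low coefficient of variation (pstdev / mean) of the inter-request gaps means the
    timing is scheduled rather than human; thresholds are assumed tuning values."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst == SHEETS_HOST:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[src] = {"requests": len(times), "mean_gap_s": round(mean(gaps), 1), "cv": round(cv, 3)}
    return flagged
```

In a real deployment the same check is more useful when joined with asset inventory, since a Linux server with no spreadsheet-using workload has little reason to call the Sheets API at all.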