Google Disrupts GRIDTIDE: China-Linked Cyber Espionage Campaign Hit 42 Countries
Key Takeaways
- Google disrupted a China-linked espionage campaign (UNC2814/GRIDTIDE) that compromised 53 victims across 42 countries, targeting telecom and government sectors
- The GRIDTIDE backdoor abused the legitimate Google Sheets API for command-and-control, demonstrating advanced techniques to blend malicious traffic with normal cloud activity
- Google terminated attacker-controlled cloud projects, disabled infrastructure, and revoked API access while releasing IOCs for threat actor activity since 2023
Summary
Google's Threat Intelligence Group (GTIG) and Mandiant have successfully disrupted a sophisticated global cyber espionage campaign attributed to UNC2814, a suspected Chinese state-sponsored threat actor tracked since 2017. The campaign, dubbed GRIDTIDE, targeted telecommunications providers and government organizations across 42 countries on four continents, with confirmed intrusions affecting 53 victims and suspected infections in at least 20 additional countries.
The attackers employed a novel backdoor called GRIDTIDE that abused legitimate Google Sheets API functionality for command-and-control communications, allowing malicious traffic to masquerade as benign cloud application activity. This technique represents a growing trend where threat actors exploit properly functioning cloud services rather than security vulnerabilities to maintain stealth. Google's disruption efforts included terminating all attacker-controlled Google Cloud Projects, disabling UNC2814 infrastructure, revoking API access used for C2 purposes, and releasing indicators of compromise (IOCs) dating back to 2023.
The investigation was accelerated by Mandiant Threat Defense's discovery of the GRIDTIDE backdoor during a customer engagement, where suspicious activity on a CentOS server revealed the attacker's reconnaissance techniques and privilege escalation to root access. Google emphasized that this campaign is distinct from the previously reported "Salt Typhoon" operations, with UNC2814 demonstrating different tactics, techniques, and procedures while targeting different victim profiles. While the initial access vector remains undetermined, UNC2814 has historically compromised organizations by exploiting web servers and edge systems.
- This campaign is separate from the "Salt Typhoon" operations and was detected through Mandiant's continuous monitoring using the Google Security Operations platform
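Because the GRIDTIDE backdoor hides its C2 inside ordinary Google Sheets API traffic, blocking the destination is not an option; the detection angle is instead which hosts talk to it and how regularly. The following is an added example, not code from the report or from Google: it runs over constructed proxy log lines and flags server-class hosts (an assumed address range where no analyst would be editing spreadsheets) that poll sheets.googleapis.com at near-fixed intervals, the beaconing pattern a scheduled backdoor check-in produces.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not from the report): "client_ip epoch_seconds destination_host".
SAMPLE_LOG = """\
10.20.0.15 1700000000 sheets.googleapis.com
10.20.0.15 1700000100 mirror.centos.org
10.20.0.15 1700000300 sheets.googleapis.com
10.20.0.15 1700000600 sheets.googleapis.com
10.20.0.15 1700000900 sheets.googleapis.com
10.20.0.15 1700001200 sheets.googleapis.com
10.50.1.7 1700000010 sheets.googleapis.com
10.50.1.7 1700000750 sheets.googleapis.com
10.50.1.7 1700002100 sheets.googleapis.com
"""

# Assumption: 10.20.x.x is a server VLAN; interactive Sheets use is not expected there.
SERVER_PREFIXES = ("10.20.",)
TARGET = "sheets.googleapis.com"


def parse(log):
    """Group timestamps of requests to the Sheets API endpoint by client host."""
    events = defaultdict(list)
    for line in log.splitlines():
        host, ts, dest = line.split()
        if dest == TARGET:
            events[host].append(int(ts))
    return events


def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return server-class hosts whose Sheets API requests arrive at near-fixed intervals.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a scheduled check-in has a CV close to zero, while
    human-driven use of Sheets is bursty and irregular.
    """
    flagged = {}
    for host, stamps in parse(log).items():
        if not host.startswith(SERVER_PREFIXES) or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[host] = {"hits": len(stamps), "interval_s": round(avg), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for host, info in find_beacons(SAMPLE_LOG).items():
        print(f"possible Sheets API beacon from {host}: {info}")
```

In the sample, the workstation 10.50.1.7 is ignored by the range filter and the server 10.20.0.15 is flagged for five requests exactly 300 seconds apart; against real logs the interval tolerance and host ranges would need tuning to local baselines.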