
Operation Gridtide: Google vs. Chinese Spies
🎬 The Setup: A Silent Attacker
Since 2017, a group called UNC2814 had been quietly operating in the shadows — a China-backed hacking crew targeting governments and telecom companies across the globe. Their signature move? Slow, stealthy, and undetected operations for years.
Their victims included:
Government agencies across South America, Asia, and Africa
Telecom companies (mobile networks, ISPs)
53 confirmed victims across 42 countries on 4 continents
🔍 The Entry Point: How Did They Get In?
Google's investigators still don't know the exact initial access method for this campaign, but historically this group exploited vulnerabilities in web servers and edge systems. Once inside, their playbook was straightforward:
Lateral Movement — Spreading deeper into the network via SSH
Privilege Escalation — Gaining root access
Camouflage — Naming their malicious file /var/tmp/xapt, mimicking Linux's legitimate apt tool so admins wouldn't notice
💡 The Masterstroke: Turning Google Sheets Into a Weapon
This is where it gets clever. UNC2814 built a custom backdoor called Gridtide, and it used Google Sheets as its command-and-control (C2) platform.
Here's how it worked:
Firewalls and antivirus tools don't block Google Sheets traffic — it's a trusted service
Attackers wrote commands directly into Sheets cells
Gridtide read those cells, executed the commands, and wrote results back
From the outside, it looked like completely normal Google traffic — nothing suspicious
This technique is called "Living off Trusted Sites" — hijacking legitimate platforms to hide malicious activity.
🕵️ The Discovery: Mandiant Caught Them
During a routine investigation into suspicious activity in a customer's environment, Mandiant (Google's security arm) found:
A mysterious binary /var/tmp/xapt spawning root shells
A nohup ./xapt command keeping the backdoor alive even after the session closed
SoftEther VPN Bridge deployed to tunnel traffic out — and infrastructure dating back to July 2018, meaning this operation ran undetected for nearly 8 years
🎯 The Motive: What Were They After?
No direct data theft was observed, but the compromised systems contained sensitive personal data:
Full names and phone numbers
Dates and places of birth
Voter IDs and National ID numbers
This pattern strongly points to surveillance of dissidents, activists, and government targets — consistent with China's historical espionage playbook.
⚔️ Google's Response: The Takedown
On February 18, 2026, Google struck back:
Terminated all UNC2814-controlled Google Cloud Projects
Revoked their Google Sheets API access, killing the C2 channel
Disabled all known accounts and infrastructure
Notified all 53 victims and began active support
🌐 The Bigger Picture
This campaign is separate from Salt Typhoon — the other Chinese group that hacked America's major telecoms starting back in 2019. Multiple Chinese APT groups are operating simultaneously across the globe, embedded in governments, telecoms, and energy grids.
Key Takeaway for Security Pros: Abusing legitimate cloud services like Google Sheets, OneDrive, or GitHub for C2 is a rapidly growing trend. Traditional firewall rules won't catch this — behavioral analysis, API traffic monitoring, and anomaly detection are the real defense.
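As an added defender-side illustration (not code from Google, Mandiant, or the article), here is a small Python check over constructed proxy-log lines that flags the pattern a Sheets-based C2 poller like Gridtide leaves behind: a non-browser client calling sheets.googleapis.com at a steady cadence. The log format, thresholds, and sample hosts are assumptions.

```python
# Beacon-style detection for Sheets API polling in proxy logs (constructed example).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, source host, destination, user agent.
SAMPLE_LOG = """\
2026-02-10T09:00:00 10.0.5.21 sheets.googleapis.com python-requests/2.31
2026-02-10T09:01:00 10.0.5.21 sheets.googleapis.com python-requests/2.31
2026-02-10T09:02:01 10.0.5.21 sheets.googleapis.com python-requests/2.31
2026-02-10T09:03:00 10.0.5.21 sheets.googleapis.com python-requests/2.31
2026-02-10T09:04:00 10.0.5.21 sheets.googleapis.com python-requests/2.31
2026-02-10T09:00:12 10.0.7.40 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:07:45 10.0.7.40 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:31:03 10.0.7.40 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:00:30 10.0.5.21 www.google.com python-requests/2.31
"""

WATCHED = {"sheets.googleapis.com"}  # trusted-site C2 channel named in the article
MIN_HITS = 4                         # enough samples to judge cadence (assumed)
MAX_JITTER = 0.2                     # stdev/mean of gaps; low means machine-like

def parse(line):
    # User agents contain spaces, so split only the first three fields.
    ts, src, dst, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, dst, ua

def find_beacons(log_text):
    """Return (src, dst, hits, mean_gap_seconds) for hosts polling a watched
    API at a regular interval from a non-browser client."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, ua = parse(line)
        if dst in WATCHED and not ua.startswith("Mozilla/"):
            series[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in series.items():
        if len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Guard against identical timestamps (avg == 0) before computing jitter.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.append((src, dst, len(stamps), round(avg)))
    return findings
```

Browser sessions (the 10.0.7.40 host) and non-watched destinations are ignored, so only the scripted one-minute poller is reported.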

