Google Disrupts Major Chinese State-Linked Cyber Espionage Campaign Targeting Global Telecoms and Governments
Google’s Threat Intelligence Group (GTIG), in collaboration with Mandiant and industry partners, has dismantled a large-scale cyber espionage operation attributed to UNC2814, a suspected People’s Republic of China (PRC)-linked threat group active since at least 2017. The campaign breached 53 telecommunications and government entities across 42 countries, with suspected infections in 20 additional nations, spanning Africa, Asia, and the Americas.
Key Tactics and Tools
UNC2814 deployed a new C-based backdoor, GRIDTIDE, which leveraged Google Sheets as a command-and-control (C2) channel to evade detection. Unlike traditional malware, GRIDTIDE abused legitimate Google Sheets API calls, blending malicious traffic with routine cloud activity. The backdoor could execute shell commands, exfiltrate files, and hide data exchanges within seemingly normal spreadsheet interactions.
The malware relied on a 16-byte cryptographic key stored on compromised hosts to decrypt Google Drive configurations, including service accounts and private keys. It polled specific spreadsheet cells for commands, returning results in small chunks to avoid triggering security alerts.
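The polling behaviour described above has a recognisable shape in outbound web-proxy logs: a host that has no business editing spreadsheets contacts sheets.googleapis.com at a fixed cadence and receives small responses. The following Python sketch is an added example of a triage check for that shape; it is not code from the GTIG report or from Google, and the log line format, the host names and the spreadsheet ids in it are constructed for illustration.

```python
"""Triage check for fixed-cadence polling of the Google Sheets API.

Added example: groups proxy-log requests to sheets.googleapis.com by source
host and flags hosts whose request intervals are nearly constant and whose
responses are small, the traffic shape a backdoor polling a spreadsheet cell
for commands would leave. Legitimate scheduled integrations look similar, so
a hit is a lead for baselining against host role, not a verdict.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

SHEETS_API_HOST = "sheets.googleapis.com"

# Constructed sample log lines. The "ts host method url status bytes" layout is
# an assumption made for this example, not any product's real log schema.
SAMPLE_LOGS = [
    "2026-02-03T09:00:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 298",
    "2026-02-03T09:01:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 301",
    "2026-02-03T09:02:01Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 297",
    "2026-02-03T09:03:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 302",
    "2026-02-03T09:04:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 299",
    "2026-02-03T09:05:01Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 300",
    "2026-02-03T09:06:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID/values/Sheet1!B2 200 298",
    # An analyst's laptop editing a budget sheet: few requests, irregular gaps, large bodies.
    "2026-02-03T09:02:14Z ws-laptop-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID2/values/Budget!A1:F40 200 18422",
    "2026-02-03T09:31:50Z ws-laptop-17 PUT https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID2/values/Budget!A1:F40 200 512",
    "2026-02-03T11:05:03Z ws-laptop-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-ID2 200 9210",
    # Unrelated traffic from the server, ignored by the filter.
    "2026-02-03T09:03:30Z billing-db-01 GET https://www.example.com/healthz 200 12",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip unparseable input instead of aborting the whole run
    ts, host, method, url, status, size = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "method": method,
        "url": url,
        "status": int(status),
        "bytes": int(size),
    }


def sheets_requests_by_host(lines):
    """Keep only requests to the Sheets API, grouped by source host and time-sorted."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and urlparse(rec["url"]).hostname == SHEETS_API_HOST:
            by_host[rec["host"]].append(rec)
    for recs in by_host.values():
        recs.sort(key=lambda r: r["ts"])
    return by_host


def cadence_stats(records):
    """Request count, median gap, jitter (stdev/mean of gaps) and median body size."""
    times = [r["ts"] for r in records]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    sizes = [r["bytes"] for r in records]
    stats = {"requests": len(records), "median_gap": None, "jitter": None,
             "median_bytes": statistics.median(sizes) if sizes else None}
    if len(gaps) >= 2:
        mean_gap = statistics.mean(gaps)
        stats["median_gap"] = statistics.median(gaps)
        # Jitter near zero means a timer is driving the requests, not a person.
        stats["jitter"] = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
    return stats


def find_polling_hosts(lines, min_requests=6, max_jitter=0.2, max_bytes=1024):
    """Return (host, stats) pairs for hosts that poll the Sheets API on a steady timer."""
    flagged = []
    for host, recs in sheets_requests_by_host(lines).items():
        s = cadence_stats(recs)
        if (s["requests"] >= min_requests and s["jitter"] is not None
                and s["jitter"] <= max_jitter and s["median_bytes"] <= max_bytes):
            flagged.append((host, s))
    return flagged


if __name__ == "__main__":
    for host, s in find_polling_hosts(SAMPLE_LOGS):
        print(f"{host}: {s['requests']} requests, median gap {s['median_gap']:.0f}s, "
              f"jitter {s['jitter']:.3f}, median body {s['median_bytes']:.0f} bytes")
```

On the constructed sample the database server is reported and the laptop is not. The thresholds are starting points: a real deployment would tune them per environment and join the hit against an inventory of hosts that are expected to use a given Google service account, since the report notes the traffic is designed to blend in with routine cloud activity.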
Initial access often involved exploiting internet-facing systems, such as vulnerable web servers or edge devices. Attackers used SSH and service accounts for lateral movement, deployed SoftEther VPN Bridge for encrypted outbound traffic, and targeted systems containing personally identifiable information (PII), including names, phone numbers, birth details, and national ID numbers.
Disruption and Impact
Google and its partners executed a coordinated takedown of UNC2814’s infrastructure, terminating attacker-controlled Google Cloud projects, sinkholing domains, and revoking access to compromised accounts. Detection signatures tied to the group’s operations since 2023 were released to aid defenders in identifying and removing the threat.
While 53 confirmed victims were identified, the campaign’s scope suggests a decade-long effort to surveil strategic targets, including dissidents, activists, and government entities. Historically, similar PRC-linked operations have accessed call detail records, SMS messages, and lawful intercept systems for intelligence gathering.
Despite the disruption, GTIG warns that UNC2814 is likely to rebuild its infrastructure using new tools and cloud resources. Affected organizations have received direct notifications and support.
Source: https://gbhackers.com/chinese-hacker-network/
Government of Kenya cybersecurity rating report: https://www.rankiteo.com/company/gok-government-of-kenya
"id": "GOK1772087108",
"linkid": "gok-government-of-kenya",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': ['Telecommunications', 'Government'],
'location': ['Africa', 'Asia', 'Americas'],
'type': ['Telecommunications', 'Government']}],
'attack_vector': ['Exploiting internet-facing systems',
'Vulnerable web servers',
'Edge devices'],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': ['Names',
'Phone numbers',
'Birth details',
'National ID numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally identifiable '
'information (PII)',
'Call detail records',
'SMS messages',
'Lawful intercept systems']},
'description': 'Google’s Threat Intelligence Group (GTIG), in collaboration '
'with Mandiant and industry partners, has dismantled a '
'large-scale cyber espionage operation attributed to UNC2814, '
'a suspected People’s Republic of China (PRC)-linked threat '
'group active since at least 2017. The campaign breached 53 '
'telecommunications and government entities across 42 '
'countries, with suspected infections in 20 additional '
'nations, spanning Africa, Asia, and the Americas.',
'impact': {'data_compromised': ['Personally identifiable information (PII)',
'Names',
'Phone numbers',
'Birth details',
'National ID numbers',
'Call detail records',
'SMS messages',
'Lawful intercept systems'],
'identity_theft_risk': 'High',
'systems_affected': ['Telecommunications systems',
'Government systems']},
'initial_access_broker': {'backdoors_established': 'GRIDTIDE backdoor',
'high_value_targets': ['Telecommunications entities',
'Government entities']},
'investigation_status': 'Disrupted',
'motivation': 'Intelligence gathering, surveillance of strategic targets '
'(dissidents, activists, government entities)',
'post_incident_analysis': {'corrective_actions': ['Takedown of attacker '
'infrastructure',
'Release of detection '
'signatures',
'Direct support to affected '
'organizations'],
'root_causes': ['Exploitation of internet-facing '
'systems',
'Use of legitimate cloud services '
'(Google Sheets) for C2 evasion']},
'references': [{'source': 'Google Threat Intelligence Group (GTIG)'},
{'source': 'Mandiant'}],
'response': {'containment_measures': ['Termination of attacker-controlled '
'Google Cloud projects',
'Sinkholing domains',
'Revoking access to compromised '
'accounts'],
'remediation_measures': ['Release of detection signatures',
'Direct notifications and support to '
'affected organizations'],
'third_party_assistance': 'Mandiant, industry partners'},
'threat_actor': 'UNC2814 (suspected PRC-linked)',
'title': 'Google Disrupts Major Chinese State-Linked Cyber Espionage Campaign '
'Targeting Global Telecoms and Governments',
'type': 'Cyber Espionage'}