Google Disrupts Major Chinese Cyber Espionage Campaign Targeting Global Telecom and Government Sectors
Google’s Threat Intelligence Group (GTIG), alongside Mandiant and other partners, recently dismantled a large-scale cyber espionage operation linked to the Chinese hacker group UNC2814. Active since 2017 and suspected of operating under the People’s Republic of China (PRC), the group targeted 53 victims across 42 countries on four continents, focusing on telecom and government organizations.
The campaign relied on GRIDTIDE, a novel malware that exploited the Google Sheets API for command-and-control (C2) communications. By embedding malicious activity within legitimate API traffic, the malware evaded detection while exfiltrating sensitive data, including personally identifiable information (PII) such as names, phone numbers, and national ID numbers. GRIDTIDE provided persistent access to compromised systems, allowing attackers to maintain control and execute further operations.
In a coordinated response, GTIG and its partners terminated attacker-controlled Google Cloud Projects, disabled the Google Sheets API infrastructure used for C2, and blocked malicious traffic. The team also released Indicators of Compromise (IOCs), including malicious domains and IP addresses, to help organizations detect and mitigate similar threats.
The group’s primary objective appeared to be intelligence collection, with a focus on monitoring communications within targeted sectors. GRIDTIDE’s use of Google Sheets for C2, leveraging cryptographic keys to send commands, transfer files, and execute operations, highlighted the growing sophistication of cyber espionage tactics.
While the disruption is expected to hinder UNC2814’s operations, experts caution that the group may attempt to reestablish access. The incident underscores the increasing complexity of defending against advanced persistent threats (APTs), particularly as attackers exploit legitimate cloud services to bypass traditional security measures.
Source: https://cyberpress.org/google-disrupts-chinese-hackers/
TelecomTV cybersecurity rating report: https://www.rankiteo.com/company/telecomtv
Google Research cybersecurity rating report: https://www.rankiteo.com/company/googleresearch
"id": "TELGOO1772110899",
"linkid": "telecomtv, googleresearch",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "53 victims",
      "industry": ["Telecommunications", "Government"],
      "location": "42 countries across four continents",
      "type": "Telecom and Government Organizations"
    }
  ],
  "attack_vector": "Malware (GRIDTIDE) exploiting Google Sheets API",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (names, phone numbers, national ID numbers)",
    "type_of_data_compromised": "Personally identifiable information (PII)"
  },
  "description": "Google’s Threat Intelligence Group (GTIG), alongside Mandiant and other partners, recently dismantled a large-scale cyber espionage operation linked to the Chinese hacker group UNC2814. The group targeted 53 victims across 42 countries, focusing on telecom and government organizations. The campaign used GRIDTIDE malware, which exploited the Google Sheets API for command-and-control communications to exfiltrate sensitive data, including personally identifiable information (PII).",
  "impact": {
    "data_compromised": "Personally identifiable information (PII) such as names, phone numbers, and national ID numbers",
    "identity_theft_risk": "High"
  },
  "investigation_status": "Disrupted",
  "lessons_learned": "The incident underscores the increasing complexity of defending against advanced persistent threats (APTs), particularly as attackers exploit legitimate cloud services to bypass traditional security measures.",
  "motivation": "Intelligence collection",
  "post_incident_analysis": {
    "corrective_actions": "Termination of attacker-controlled infrastructure, release of IOCs, and blocking of malicious traffic",
    "root_causes": "Exploitation of legitimate Google Sheets API for C2 communications, persistent access via GRIDTIDE malware"
  },
  "references": [{"source": "Google Threat Intelligence Group (GTIG)"}],
  "response": {
    "containment_measures": "Terminated attacker-controlled Google Cloud Projects, disabled Google Sheets API infrastructure used for C2, blocked malicious traffic",
    "incident_response_plan_activated": "Yes",
    "remediation_measures": "Released Indicators of Compromise (IOCs) including malicious domains and IP addresses",
    "third_party_assistance": "Mandiant and other partners"
  },
  "threat_actor": "UNC2814 (suspected Chinese state-sponsored group)",
  "title": "Google Disrupts Major Chinese Cyber Espionage Campaign Targeting Global Telecom and Government Sectors",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "Legitimate API traffic for command-and-control (C2) communications"
}