Google's Threat Intelligence Group disrupted infrastructure belonging to UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organisations across 42 countries on four continents. The targets were primarily telecom operators and government networks — consistent with signals intelligence collection.
The group deployed GRIDTIDE, a C-based backdoor that abuses the Google Sheets API as a command-and-control channel. The mechanism uses a cell-based polling approach: A1 for attacker commands and status responses, A2–An for bidirectional data transfer. This allowed C2 traffic to blend with legitimate Google API usage, evading network detection.
Google terminated all attacker-controlled Cloud Projects, disabled known infrastructure, and cut off API access. The campaign highlights a growing pattern of nation-state actors repurposing trusted cloud services for covert operations — a trend that demands network monitoring beyond traditional C2 indicators.
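One way to act on that last point: a beaconing heuristic for Sheets API polling, run over proxy logs. This is an added example, not code from Google's report or from GRIDTIDE; it assumes a constructed log format of unix time, source host, destination host and decoded URL path, and flags hosts that hit `sheets.googleapis.com` at a steady interval while mostly reading a single cell (the A1 command-cell pattern described above).

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not real data). Fields: unix time, source host,
# destination host, decoded URL path. SHEET_ID_PLACEHOLDER stands in for a real spreadsheet id.
SAMPLE_LOGS = """\
1700000000 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1
1700000060 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1
1700000120 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1
1700000181 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A2:A40
1700000240 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1
1700000300 ws-17 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1
1700000012 ws-04 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:F30
1700001900 ws-04 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:F30
1700005500 ws-04 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!G1
1700000030 ws-04 www.google.com /search
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# A values range that names exactly one cell (e.g. Sheet1!A1), as opposed to a block like A1:F30.
SINGLE_CELL_RE = re.compile(r"/values/[^!/]+![A-Z]+\d+$")

def parse(log_text):
    """Yield (ts, src, dst, path) for every well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_sheets_pollers(log_text, min_requests=5, max_cv=0.15, min_single_cell_ratio=0.6):
    """Flag source hosts whose Sheets API traffic looks like periodic single-cell polling:
    enough requests, a low coefficient of variation of inter-request gaps (steady beaconing),
    and most reads targeting one cell rather than a normal spreadsheet range."""
    by_src = defaultdict(list)
    for ts, src, dst, path in parse(log_text):
        if dst == "sheets.googleapis.com":
            by_src[src].append((ts, path))
    flagged = {}
    for src, reqs in by_src.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        single = sum(1 for _, p in reqs if SINGLE_CELL_RE.search(p)) / len(reqs)
        if cv <= max_cv and single >= min_single_cell_ratio:
            flagged[src] = {"requests": len(reqs), "mean_gap_s": round(mean(gaps), 1),
                            "interval_cv": round(cv, 3), "single_cell_ratio": round(single, 2)}
    return flagged

if __name__ == "__main__":
    print(find_sheets_pollers(SAMPLE_LOGS))  # ws-17 is flagged; ws-04 (3 ordinary range reads) is not
```

Because the API is served over TLS, the path-level check needs a decrypting proxy or endpoint HTTP telemetry; with only DNS or SNI data, drop the single-cell test and rely on the interval regularity plus the host's baseline of whether it ever used the Sheets API before.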