- Google, Mandiant and partners disrupted UNC2814 spying campaign
- Group used GridTide backdoor leveraging the Google Sheets API for C2
- The operation affected 53 organizations in 42 countries from 2023; infrastructure and attacker accounts disabled
Google has managed to dismantle a global spy network that targeted government and telecommunications organizations in more than 40 countries around the world.
In a new research report, Google said its Threat Intelligence Group (GTIG), along with Mandiant and other partners, discovered a Chinese state-affiliated threat actor tracked as UNC2814 running a new espionage campaign.
In this most recent campaign, the group deployed a never-before-seen backdoor called GridTide, which uses the Google Sheets API as its C2 channel. Instead of connecting to a remote server somewhere to receive instructions and exfiltrate data, the backdoor makes HTTPS requests to legitimate Google infrastructure, blending in with normal business traffic and therefore raising no alarms.
Interrupting the attackers
All commands are stored in a spreadsheet cell of a document belonging to the attackers. Operators insert encoded instructions into specific rows or cells, and then the malware periodically checks, decodes, and executes them.
In some cases, the exfiltrated data can also be written back to the sheet; however, GTIG said it did not observe any cases of data exfiltration.
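The traffic shape described above (a host fetching a spreadsheet cell on a timer) is what a defender can look for. The following is an added example, not code from the article or from Google/Mandiant: a small beaconing detector that reads constructed proxy log lines and flags internal clients whose requests to sheets.googleapis.com arrive at near-constant intervals. The log format, the spreadsheet id placeholder and the thresholds (six requests, 20% jitter) are assumptions for illustration.

```python
# Added example (not from the TechRadar article or from Google/Mandiant): flag
# clients that poll the Google Sheets API at near-constant intervals, the
# traffic pattern a backdoor reading commands from a spreadsheet cell produces.
# Thresholds and log format are assumptions chosen for this illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"
MIN_REQUESTS = 6   # fewer requests than this is too little to judge periodicity
MAX_JITTER = 0.2   # coefficient of variation (stdev / mean) of inter-request gaps

# Constructed sample proxy log: "<ISO timestamp> <client_ip> <method> <host> <path> <status>".
# 10.0.0.5 polls the Sheets API roughly once a minute (lines deliberately out of order);
# 10.0.0.7 and 10.0.0.9 are ordinary, irregular user traffic. Spreadsheet id is a placeholder.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:00:05 10.0.0.9 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1:D20 200
2024-03-01T09:00:10 10.0.0.7 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:F50 200
2024-03-01T09:00:20 10.0.0.9 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet2!A1:D20 200
2024-03-01T09:01:02 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:02:30 10.0.0.5 GET docs.google.com /document/d/DOC_ID_PLACEHOLDER/edit 200
2024-03-01T09:02:00 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:03:01 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:05:40 10.0.0.9 PUT sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet2!B3 200
2024-03-01T09:06:00 10.0.0.9 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet2!A1:D20 200
2024-03-01T09:03:59 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:05:00 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:06:01 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:07:00 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2024-03-01T09:14:33 10.0.0.7 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:F50 200
2024-03-01T09:30:10 10.0.0.9 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet2!A1:D20 200
2024-03-01T09:31:00 10.0.0.9 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet2!A1:D20 200
2024-03-01T09:47:05 10.0.0.7 GET sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:F50 200
"""


def parse_log(log_text):
    """Yield (timestamp, client_ip, host) from the space-separated format above."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, host, _path, _status = line.split()
        yield datetime.fromisoformat(ts), ip, host


def detect_periodic_sheets_polling(log_text, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return {client_ip: mean_gap_seconds} for clients whose Sheets API requests
    are regular enough to look like a polling loop rather than a person."""
    by_client = defaultdict(list)
    for ts, ip, host in parse_log(log_text):
        if host == SHEETS_API_HOST:          # only the API host, not docs.google.com etc.
            by_client[ip].append(ts)

    flagged = {}
    for ip, stamps in by_client.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()                         # log lines need not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:  # low relative jitter = machine-like cadence
            flagged[ip] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for ip, gap in detect_periodic_sheets_polling(SAMPLE_LOG).items():
        print(f"{ip}: Sheets API polled every ~{gap}s; identify the owning process")
```

On the constructed log only 10.0.0.5 is returned, with a mean gap of about 60 seconds. A hit is a triage lead, not a verdict: legitimate scheduled integrations poll the same API on timers, so the next step is to tie the client to the process making the requests and to check whether it is sanctioned.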
UNC2814 is a relatively well-known threat actor, with reports of its activity dating back to 2017 and possibly earlier.
The campaign began in 2023 and affected at least 53 organizations in 42 countries. Google suspects that UNC2814 is present in at least 20 other countries. Most of Latin America, Eastern Europe, Russia, parts of Africa and parts of South Asia appear to have been affected. With the exception of Portugal, Western Europe is largely unscathed. The United States was also not affected.
As part of the disruption efforts, Google terminated all Google Cloud projects controlled by the attackers, cutting off their persistent access to environments compromised by GridTide. It identified and disabled all known UNC2814 infrastructure, disabled attacker accounts, and revoked the attackers' access to the Google Sheets API. Finally, it published a set of IoCs tied to UNC2814 infrastructure active since at least 2023.