A suspected Chinese state-linked hacking group has been caught running one of the most far-reaching cyber espionage operations ever uncovered \u2014 silently breaching telecom providers and government bodies across four continents for nearly a decade. <\/p>\n
Google has now stepped in to dismantle that operation entirely, severing the group\u2019s persistent access and releasing threat intelligence to help affected organizations identify and respond.<\/p>\n
Google Threat Intelligence Group (GTIG) and Mandiant took coordinated action to disrupt a global espionage campaign tied to a threat actor tracked as UNC2814 \u2014 assessed to be linked to the People\u2019s Republic of China (PRC). <\/p>\n
GTIG has monitored this group since 2017. By February 18, 2026, the investigation confirmed 53 victims across 42 countries, with suspected infections in at least 20 more nations spanning Africa, Asia, and the Americas. <\/p>\n
That scope reflects nearly a decade of deliberate, focused effort targeting some of the world\u2019s most sensitive communication infrastructure.<\/p>\n
The campaign centered on a previously undocumented backdoor called GRIDTIDE. <\/p>\n
Rather than using dedicated command servers, GRIDTIDE routes communications through Google Sheets \u2014 treating spreadsheet cells as a live messaging channel between the attacker and compromised machines. <\/p>\n
This disguised malicious traffic as routine cloud activity, making it extremely difficult for standard network defenses to detect. <\/p>\n
UNC2814 has no known overlap with the publicly reported Salt Typhoon group; it targets entirely different victims using distinct methods, tools, and procedures.<\/p>\n
Google Cloud analysts identified GRIDTIDE<\/a> after a Mandiant Threat Defense investigation flagged suspicious behavior on a customer\u2019s CentOS Linux server. <\/p>\n A detection alert surfaced a binary named\u00a0 That discovery gave investigators the critical thread needed to unravel UNC2814\u2019s full operation. The binary name\u00a0 While the exact initial access vector has not been confirmed, UNC2814 has a history of breaking in by compromising internet-facing web servers<\/a> and edge network devices. <\/p>\n Once inside, the group relied on legitimate built-in system tools<\/a> to move laterally \u2014 a technique known as \u201cliving off the land\u201d \u2014 avoiding new software that could trigger security alerts. <\/p>\n Targeted systems included machines holding personally identifiable information such as names, phone numbers, national ID numbers, and voter registration records, all consistent with PRC intelligence-collection priorities.<\/p>\n After securing access, UNC2814 embedded GRIDTIDE by registering a systemd service at\u00a0 The malware ran via the\u00a0 As a secondary communication channel, the group deployed SoftEther VPN Bridge, opening an encrypted outbound tunnel to external infrastructure that metadata suggests has been active since July 2018.<\/p>\n GRIDTIDE is a C-based backdoor capable of executing shell commands, uploading files to compromised hosts, and exfiltrating data. <\/p>\n It uses a 16-byte AES-128 encryption key to unlock its Google Drive configuration, which holds the service account credentials and Spreadsheet ID needed for C2 access. <\/p>\n Once connected, it clears the spreadsheet\u2019s first 1,000 rows, fingerprints the victim machine \u2014 collecting hostname, OS version, local IP, and time zone \u2014 then stores that data in cell V1. <\/p>\n Commands arrive through cell A1, and results return through a defined cell range. All traffic is encoded in URL-safe Base64 to bypass web filters and network inspection tools.<\/p>\n Organizations should monitor outbound HTTPS connections to Google Sheets API endpoints \u2014 especially requests involving\u00a0 Security teams should also check for systemd services in unexpected directories, binaries running from\u00a0 Applying GTIG\u2019s published YARA rule for GRIDTIDE and cross-referencing the released IOC list with internal logs will help confirm whether any residual exposure from this campaign remains.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Google Disrupts Chinese Hackers Infrastructre which Breached 53 Telecom and Government Entities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\/var\/tmp\/xapt<\/code>\u00a0\u2014 crafted to resemble a common system tool \u2014 that had launched a shell with root-level privileges and was running commands to confirm complete machine control. <\/p>\nxapt<\/code>\u00a0was deliberately chosen to impersonate the legacy package management utility found in Debian-based Linux systems.<\/p>\n![\"GRIDTIDE](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiktvks3w4OL5jJWHtWWsLUW5DIzFiTEWPaYlKmle5NVJpaTWuoJkAOtVuD59h2Cs8KKFg3MQ9vSyT48F6oOZiFczWpNZFnCdDsHzhW7fz5-ZAnqI2yVL4BkQQgsnrAwLpoGNLUnRfJdhK-tsuv_cYw8nP4Cjz3xqxh2T7MwCYe4v5yoV0awhf7Kik8eOA\/s16000\/GRIDTIDE%2520infection%2520lifecycle%2520%28Source%2520-%2520Google%2520Cloud%29.webp?ssl=1\")
GRIDTIDE\u2019s Persistence and Command-and-Control<\/strong><\/h2>\n
\/etc\/systemd\/system\/xapt.service<\/code>. <\/p>\nnohup<\/code>\u00a0command, ensuring it kept running well after the attacker\u2019s session ended. <\/p>\n![\"GRIDTIDE](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCL3Hx5JmPxuDqV62lHF6BRjCboqYYAeclfyYah-wo7y2-JwxVEBvxKTm2WZB-cckfXTNwVz0xdZVQaIQkhh9Y37WtGoIm6GFjTvYky_hX4lZUhF55EsytvuG1WLIFC6Py_lwkYsn5T6htqCvCQ4_hzmxypJ4hTwgqUBMccPMgaKHIpy4gUXrD5pBniV4\/s16000\/GRIDTIDE%2520execution%2520lifecycle%2520%28Source%2520-%2520Google%2520Cloud%29.webp?ssl=1\")
batchClear<\/code>,\u00a0batchUpdate<\/code>, and\u00a0valueRenderOption=FORMULA<\/code>\u00a0\u2014 from non-browser processes. <\/p>\n\/var\/tmp\/<\/code>, and SoftEther VPN components on Linux servers<\/a>. <\/p>\n