Chinese Espionage Group Leverages Google Sheets
The Chinese-linked threat actor UNC2814 (also known as Gallium) has been observed using Google Sheets to covertly exfiltrate data from targeted organizations. The technique allows the group's malicious traffic to blend in with legitimate business workflows, making it difficult to detect. The campaign has reportedly impacted over 53 organizations across 42 countries.
The state-sponsored group UNC2814, also known as Gallium, has been active since at least 2012, primarily targeting the telecommunications, government, and financial sectors. The group is believed to be linked to China and focuses on intelligence gathering that aligns with the strategic interests of the Chinese state. Its campaigns have been global, with a strong focus on Southeast Asia, Europe, and Africa.

The recent campaign used a novel C-based backdoor dubbed GRIDTIDE. This malware uses the Google Sheets API for command-and-control (C2), allowing it to execute shell commands and upload or download files. By leveraging a legitimate and widely trusted service, the malicious traffic blends in with normal enterprise activity, evading standard network detection methods. This is a classic "living-off-the-land" (LOTL) technique, where attackers abuse native or trusted tools to avoid detection.

The primary targets of this extensive operation were telecommunications providers and government organizations across Africa, Asia, and the Americas. The main objective appears to be surveillance and espionage, aiming to steal sensitive data such as call detail records (CDRs) and personally identifiable information (PII) such as names, phone numbers, and national ID numbers. This access could enable the tracking and monitoring of individuals of interest.

In a coordinated effort, Google's Threat Intelligence Group (GTIG) and Mandiant disrupted the campaign. This action involved terminating all attacker-controlled Google Cloud projects, disabling their infrastructure, and revoking API access. While this disruption is significant, security researchers expect that UNC2814 will attempt to rebuild its global footprint.
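Because the implant's C2 rides on a trusted Google API, domain-reputation blocking does not help; what remains visible to defenders is the shape of the traffic. The script below is an added example, not part of the article and not Google's or Mandiant's tooling. It runs a simple beaconing heuristic over web-proxy log lines: a source host that calls `sheets.googleapis.com` (the real Google Sheets API host) at a regular cadence with a non-browser User-Agent is flagged for triage, while bursty browser traffic from a workstation is not. The log format (tab-separated timestamp, source host, destination host, User-Agent), the host names, and the thresholds are all constructed assumptions for the example.

```python
"""Flag beacon-like Google Sheets API traffic in web-proxy logs.

Added example (not from the article). Heuristic: an implant that polls
the Sheets API for tasking produces regular, low-jitter requests from a
non-browser client, whereas a person editing a sheet in a browser
produces irregular bursts. Both format and data below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"  # real Google Sheets API v4 host

# Constructed sample proxy log lines (not real telemetry).
# Fields: timestamp, source host, destination host, User-Agent.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:01:00Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:02:01Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:03:00Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:04:00Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:05:00Z\tsrv-billing-03\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:00:12Z\tws-finance-12\tsheets.googleapis.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:03:40Z\tws-finance-12\tsheets.googleapis.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:21:05Z\tws-finance-12\tsheets.googleapis.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:22:50Z\tws-finance-12\tsheets.googleapis.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T11:05:00Z\tws-finance-12\tsheets.googleapis.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:04:30Z\tws-finance-12\twww.google.com\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:58:00Z\tsrv-backup-01\tsheets.googleapis.com\tcurl/8.5.0
2024-05-01T10:00:00Z\tsrv-backup-01\tsheets.googleapis.com\tcurl/8.5.0
2024-05-01T10:00:15Z\tsrv-backup-01\tsheets.googleapis.com\tcurl/8.5.0
2024-05-01T10:08:00Z\tsrv-backup-01\tsheets.googleapis.com\tcurl/8.5.0
2024-05-01T10:08:50Z\tsrv-backup-01\tsheets.googleapis.com\tcurl/8.5.0
2024-05-01T10:30:00Z\tws-hr-07\tsheets.googleapis.com\tpython-requests/2.31.0
2024-05-01T10:31:00Z\tws-hr-07\tsheets.googleapis.com\tpython-requests/2.31.0
"""


def parse_line(line):
    """Split one tab-separated log line into (timestamp, src, dst, user_agent)."""
    ts, src, dst, ua = line.split("\t", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, ua


def is_browser_agent(ua):
    """Crude browser check: real browsers send a Mozilla/ prefixed UA."""
    return ua.startswith("Mozilla/")


def find_sheets_beacons(lines, min_requests=4, max_jitter=0.2):
    """Return {src: stats} for hosts whose Sheets API traffic looks like polling.

    A host is flagged when it made at least `min_requests` calls to the
    Sheets API, at least one of them from a non-browser client, and the
    coefficient of variation of the inter-request gaps is <= `max_jitter`.
    """
    stamps_by_src = defaultdict(list)
    agents_by_src = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, ua = parse_line(line)
        if dst != SHEETS_API_HOST:
            continue  # only the Sheets API host matters for this heuristic
        stamps_by_src[src].append(ts)
        agents_by_src[src].add(ua)

    flagged = {}
    for src, stamps in stamps_by_src.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge cadence
        if all(is_browser_agent(ua) for ua in agents_by_src[src]):
            continue  # browser-only activity is treated as human use
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        # Relative jitter; a zero mean gap (all requests at once) is not a beacon.
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if jitter <= max_jitter:
            flagged[src] = {
                "requests": len(stamps),
                "mean_interval_s": avg_gap,
                "jitter": jitter,
                "user_agents": sorted(agents_by_src[src]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in find_sheets_beacons(SAMPLE_LOGS.splitlines()).items():
        print(f"{host}: {info['requests']} Sheets API calls, "
              f"every ~{info['mean_interval_s']:.0f}s, jitter {info['jitter']:.3f}, "
              f"agents {info['user_agents']}")
```

On the constructed data only `srv-billing-03` is flagged: six calls roughly a minute apart from a scripted client. The regular browser user, the irregular scripted host and the two-request host all pass. The jitter threshold is a tuning knob, and an implant that randomizes its sleep will raise it, so treat a hit as a triage lead rather than a verdict. The stronger signal in practice is asset context: a telecom billing or CDR server has no business reason to talk to the Sheets API at all, so an allowlist of which hosts may reach `googleapis.com` endpoints, checked against the same proxy logs, catches this class of C2 regardless of cadence.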