
Google Disrupts Chinese Hackers' Infrastructure which Breached 53 Telecom and Government Entities


A suspected Chinese state-linked hacking group has been caught running one of the most far-reaching cyber espionage operations ever uncovered — silently breaching telecom providers and government bodies across four continents for nearly a decade.

Google has now stepped in to dismantle that operation entirely, severing the group’s persistent access and releasing threat intelligence to help affected organizations identify and respond.

Google Threat Intelligence Group (GTIG) and Mandiant took coordinated action to disrupt a global espionage campaign tied to a threat actor tracked as UNC2814 — assessed to be linked to the People’s Republic of China (PRC).

GTIG has monitored this group since 2017. By February 18, 2026, the investigation confirmed 53 victims across 42 countries, with suspected infections in at least 20 more nations spanning Africa, Asia, and the Americas.

That scope reflects nearly a decade of deliberate, focused effort targeting some of the world’s most sensitive communication infrastructure.

The campaign centered on a previously undocumented backdoor called GRIDTIDE.

Rather than using dedicated command servers, GRIDTIDE routes communications through Google Sheets — treating spreadsheet cells as a live messaging channel between the attacker and compromised machines.

This disguised malicious traffic as routine cloud activity, making it extremely difficult for standard network defenses to detect.

UNC2814 has no known overlap with the publicly reported Salt Typhoon group; it targets entirely different victims using distinct methods, tools, and procedures.

Google Cloud analysts identified GRIDTIDE after a Mandiant Threat Defense investigation flagged suspicious behavior on a customer’s CentOS Linux server.

A detection alert surfaced a binary named /var/tmp/xapt — crafted to resemble a common system tool — that had launched a shell with root-level privileges and was running commands to confirm complete machine control.

That discovery gave investigators the critical thread needed to unravel UNC2814’s full operation. The binary name xapt was deliberately chosen to impersonate the legacy package management utility found in Debian-based Linux systems.

GRIDTIDE infection lifecycle (Source – Google Cloud)

While the exact initial access vector has not been confirmed, UNC2814 has a history of breaking in by compromising internet-facing web servers and edge network devices.

Once inside, the group relied on legitimate built-in system tools to move laterally — a technique known as “living off the land” — avoiding new software that could trigger security alerts.

Targeted systems included machines holding personally identifiable information such as names, phone numbers, national ID numbers, and voter registration records, all consistent with PRC intelligence-collection priorities.

GRIDTIDE’s Persistence and Command-and-Control

After securing access, UNC2814 embedded GRIDTIDE by registering a systemd service at /etc/systemd/system/xapt.service.

The malware ran via the nohup command, ensuring it kept running well after the attacker’s session ended.

As a secondary communication channel, the group deployed SoftEther VPN Bridge, opening an encrypted outbound tunnel to external infrastructure that metadata suggests has been active since July 2018.

GRIDTIDE is a C-based backdoor capable of executing shell commands, uploading files to compromised hosts, and exfiltrating data.

It uses a 16-byte AES-128 encryption key to unlock its Google Drive configuration, which holds the service account credentials and Spreadsheet ID needed for C2 access.

Once connected, it clears the spreadsheet’s first 1,000 rows, fingerprints the victim machine — collecting hostname, OS version, local IP, and time zone — then stores that data in cell V1.

Commands arrive through cell A1, and results return through a defined cell range. All traffic is encoded in URL-safe Base64 to bypass web filters and network inspection tools.

GRIDTIDE execution lifecycle (Source – Google Cloud)

Organizations should monitor outbound HTTPS connections to Google Sheets API endpoints — especially requests involving batchClear, batchUpdate, and valueRenderOption=FORMULA — from non-browser processes.

Security teams should also check for systemd services in unexpected directories, binaries running from /var/tmp/, and SoftEther VPN components on Linux servers.

Applying GTIG’s published YARA rule for GRIDTIDE and cross-referencing the released IOC list with internal logs will help confirm whether any residual exposure from this campaign remains.
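A triage helper for the hunting guidance above, added here as an example and not code from the article or from Google's release: it scans constructed log lines in a hypothetical "process<TAB>url" format for Sheets API calls that use the named methods or FORMULA rendering from non-browser processes, and inspects a systemd unit for an ExecStart binary under a temp directory such as /var/tmp.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines in a hypothetical "process<TAB>url" format.
SAMPLE_LOG = """\
chrome\thttps://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values:batchGet
xapt\thttps://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values:batchClear
xapt\thttps://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/A1?valueRenderOption=FORMULA
firefox\thttps://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/A1?valueRenderOption=FORMULA
curl\thttps://www.googleapis.com/drive/v3/files/FILE_ID
python3\thttps://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values:batchUpdate
"""

# Constructed unit file modelled on the /etc/systemd/system/xapt.service described above.
SAMPLE_UNIT = "[Unit]\nDescription=xapt\n[Service]\nExecStart=/var/tmp/xapt\nRestart=always\n"

BROWSERS = {"chrome", "chromium", "firefox", "safari", "msedge"}
WRITE_METHODS = {"batchClear", "batchUpdate"}  # Sheets API methods named in the article
TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

def is_suspicious_sheets_request(process: str, url: str) -> bool:
    """Non-browser process calling Sheets with a write method or FORMULA rendering."""
    if process.lower() in BROWSERS:
        return False
    parsed = urlparse(url)
    if parsed.hostname != "sheets.googleapis.com":
        return False
    # Sheets API v4 methods are the suffix after ':' in the path, e.g. values:batchClear
    method = parsed.path.rsplit(":", 1)[1] if ":" in parsed.path else ""
    if method in WRITE_METHODS:
        return True
    return "FORMULA" in parse_qs(parsed.query).get("valueRenderOption", [])

def scan_log(text: str) -> list:
    """Return (process, url) pairs that warrant a closer look."""
    hits = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        process, url = line.split("\t", 1)
        if is_suspicious_sheets_request(process, url):
            hits.append((process, url))
    return hits

def unit_runs_from_temp(unit_text: str) -> bool:
    """Flag a unit whose ExecStart binary lives in a world-writable temp directory."""
    m = re.search(r"^ExecStart=(?:[-@+!:]*)(\S+)", unit_text, re.MULTILINE)
    return bool(m) and m.group(1).startswith(TEMP_DIRS)
```

Feed scan_log real proxy or EDR records after adapting the split to their field layout; the browser allow-list is deliberately small so that any unfamiliar process touching the Sheets API surfaces for review.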

The post Google Disrupts Chinese Hackers' Infrastructure which Breached 53 Telecom and Government Entities appeared first on Cyber Security News.

Source: cybersecuritynews.com
