Google broke up an international spy ring using… Sheets


The humble spreadsheet is an essential part of the modern workplace, one that you probably barely think about. But with global systems intricately and increasingly interconnected, it seems almost anything can be an attack vector. This is the case with Google Sheets. Google reports disrupting a large-scale cyberattack that used the web app as a backdoor to spy on users.
Google’s Threat Intelligence Group, in collaboration with the Mandiant team (acquired by Google in 2022), points the finger at UNC2814, a group affiliated with China and active for almost a decade. According to the report, the hackers created a backdoor using the Google Sheets API, allowing them to collect usernames, hostnames, IP addresses, and other information. There was no “infection” in the layman’s sense: it was more of a state-sponsored espionage campaign than a deliberate attempt at theft or sabotage.
The report claims that the “GRIDTIDE” system has been in place since 2023, with verified intrusions in 42 countries and at 53 specific targets, and 20 more countries suspected of being targets. “This prolific reach is likely the result of a decade of concentrated effort,” Google says of the campaign, which focused on telecommunications and government agencies.
The system has been disrupted, or at least is currently unusable, as far as the Threat Intelligence Group can tell. The accounts used to deploy the GRIDTIDE system have been shut down, along with the underlying domains and infrastructure, and affected victims have been officially notified.



