Google takes down telecom hackers using Sheets and SaaS apps to spread mayhem

- Google, Mandiant and Partners Disrupted UNC2814 Spy Campaign
- Group used GridTide backdoor leveraging Google Sheets API for C2
- The operation has affected 53 organizations in 42 countries since 2023; attacker’s infrastructure and accounts disabled
Google has successfully dismantled a global spy network that targeted governments and telecommunications organizations in more than 40 countries around the world.
In a new research report, Google said its Threat Intelligence Group (GTIG), working with Mandiant and other partners, discovered that a threat actor affiliated with the Chinese state, tracked as UNC2814, was conducting a new espionage campaign.
In this campaign, the group deployed a previously undocumented backdoor called GridTide, which uses the Google Sheets API as its command-and-control (C2) channel. Instead of connecting to a dedicated attacker-controlled server to receive instructions and return data, the backdoor sends HTTPS requests to legitimate Google infrastructure, so its traffic blends in with ordinary use of Google services that most organizations allow and rarely inspect, making it far less likely to trigger alerts.
Disrupt attackers
Commands are stored in the cells of a spreadsheet owned by the attackers. Operators place encoded instructions in specific rows or cells, and the malware periodically polls the sheet, decodes the instructions, and executes them.
The same channel works in reverse: the backdoor can write command output and collected data back into the sheet. GTIG noted, however, that it has not observed any actual data exfiltration through this channel.
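The C2 pattern described above (a non-browser client polling a single spreadsheet on a fixed schedule and occasionally writing back) is visible in web-proxy logs if the full request URL is recorded. The following detection script is an added example and is not code from Google, Mandiant or this article; the log format, hostnames, user agents, spreadsheet IDs and thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Flag GridTide-style Google Sheets API beaconing in web-proxy logs.

Added example, not code from Google/Mandiant or the article. The log format,
hosts, user agents, spreadsheet IDs and thresholds are assumptions; adapt the
parser to your proxy's real format before use.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real telemetry). Assumed format:
# <ISO timestamp> <src_host> <method> <url> <user_agent...>
SAMPLE_LOG = """\
2024-03-01T09:00:00Z ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50 python-requests/2.31
2024-03-01T09:05:01Z ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50 python-requests/2.31
2024-03-01T09:10:00Z ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50 python-requests/2.31
2024-03-01T09:12:30Z ws-17 POST https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!C1:append python-requests/2.31
2024-03-01T09:15:01Z ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50 python-requests/2.31
2024-03-01T09:20:00Z ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50 python-requests/2.31
2024-03-01T09:03:12Z ws-04 GET https://docs.google.com/spreadsheets/d/1ZyXwVuTsRq/edit Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-01T09:41:55Z ws-04 GET https://sheets.googleapis.com/v4/spreadsheets/1ZyXwVuTsRq/values/Data!A1:Z200 Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-01T10:02:40Z ws-04 GET https://www.google.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
"""

# Spreadsheet ID as it appears in Sheets API v4 URLs.
SHEETS_API = re.compile(r"https://sheets\.googleapis\.com/v4/spreadsheets/([A-Za-z0-9_-]+)")
BROWSER_UA = re.compile(r"^Mozilla/")
MIN_READS = 4        # assumed: minimum reads of one sheet before we care
MAX_CADENCE_CV = 0.25  # assumed: max stddev/mean of inter-read gaps for a "beacon"


def parse_line(line):
    """Split one assumed-format log line; the user agent may contain spaces."""
    ts, host, method, url, ua = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "method": method,
        "url": url,
        "ua": ua,
    }


def find_sheets_beacons(log_text, min_reads=MIN_READS, max_cadence_cv=MAX_CADENCE_CV):
    """Return one alert per (host, spreadsheet) that looks like C2 polling.

    Signal = same host hitting the same sheet via the API from a non-browser
    client at a near-constant interval; write-backs are reported as context.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = SHEETS_API.search(rec["url"])
        if m:
            sessions[(rec["host"], m.group(1))].append(rec)

    alerts = []
    for (host, sheet_id), recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        reads = [r for r in recs if r["method"] == "GET"]
        writes = [r for r in recs if r["method"] in ("POST", "PUT")]
        if len(reads) < min_reads:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reads, reads[1:])]
        if len(gaps) < 2:
            continue  # need at least three reads to judge cadence
        avg = mean(gaps)
        cadence_cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        non_browser = all(not BROWSER_UA.match(r["ua"]) for r in recs)
        if non_browser and cadence_cv <= max_cadence_cv:
            alerts.append({
                "host": host,
                "sheet_id": sheet_id,
                "reads": len(reads),
                "writes": len(writes),
                "mean_gap_s": avg,
                "cadence_cv": cadence_cv,
                "user_agents": sorted({r["ua"] for r in recs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sheets_beacons(SAMPLE_LOG):
        print(alert)
```

Two caveats when running this against real data. Legitimate automation (service accounts, reporting jobs, sync tools) also polls the Sheets API on a schedule, so the signal is the combination of a non-browser client, a fixed cadence, a single sheet, and write-backs, and it needs an allowlist of known integrations. The spreadsheet ID is only visible if the proxy decrypts TLS; without inspection you see just the hostname `sheets.googleapis.com`, and the cadence check has to run on per-host connection timing instead.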
UNC2814 is a relatively well-known threat actor, with reports of its activity dating back to 2017 and possibly earlier.
The campaign began in 2023 and has reached at least 53 organizations in 42 countries. Google suspects that UNC2814 is present in at least 20 other countries. Most of Latin America, Eastern Europe, Russia, parts of Africa and South Asia appear to have been affected. With the exception of Portugal, Western Europe is essentially spared. The United States was also unaffected.
As part of the disruption effort, Google terminated all Google Cloud projects controlled by the attackers, cutting off their persistent access to environments compromised by GridTide. It identified and disabled all known UNC2814 infrastructure, disabled the attackers' accounts, and revoked their access to the Google Sheets API. Finally, it released a set of indicators of compromise (IoCs) for UNC2814 infrastructure active since at least 2023.


