Overview
- Google Threat Intelligence Group, Mandiant and partners cut off UNC2814 after confirming breaches at 53 organizations across 42 countries, with telecoms and government agencies most affected.
- The group used a new C-based backdoor, GRIDTIDE, that turned Google Sheets into a covert command-and-control channel: the implant read shell commands from, and wrote results and transferred files through, spreadsheet cells via ordinary Sheets API calls. No vulnerability in a Google product was exploited; the abuse was of legitimate, attacker-owned cloud resources.
- Disruption actions terminated the attacker-controlled Google Cloud projects, disabled the associated accounts and infrastructure, revoked the implant's Sheets API access, and sinkholed its domains; affected organizations were notified directly and IoCs and defensive guidance were published.
- Investigators did not directly observe data exfiltration, but GRIDTIDE was found on systems holding sensitive PII, consistent with surveillance-focused targeting.
- Google notes no overlap with the separate Salt Typhoon campaign, the Chinese Embassy rejects the allegations, and researchers expect UNC2814 to attempt to re-establish operations.
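Because GRIDTIDE's traffic is just Sheets API calls to Google-owned endpoints, blocking by destination does not work; what stands out is the shape of the traffic. The following is an added detection sketch, not code from the article, from Google or from Mandiant: it scores hosts whose Sheets API use looks like a polling implant (evenly spaced reads of one range, a non-browser HTTP client, and writes back to the sheet) rather than a person working in a spreadsheet. The proxy log format, the hostnames, the spreadsheet IDs and the user agents are all constructed; the actual user agent and cell layout GRIDTIDE uses are not given on the page. The check generalizes beyond this one backdoor to any Sheets-as-C2 implant with the same read/write loop.

```python
"""Added example (not the article's or Google/Mandiant's code): flag hosts whose Google Sheets API
traffic looks like a command-polling backdoor. Log format, hosts, IDs and user agents are assumed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sheets API v4 value reads/writes: https://sheets.googleapis.com/v4/spreadsheets/{id}/values/{range}[:append]
SHEETS_VALUES = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/[^/]+/values[/:]")
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*\b(Chrome|Firefox|Safari|Edg)/")

# Constructed proxy log, one request per line: "<ISO timestamp> <host> <method> <url> <user agent>".
# WS-0112 imitates a Sheets-polling implant, WS-0207 is a person in a browser, WS-0330 is a
# legitimate script that reads one sheet once. All hostnames and spreadsheet IDs are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:00:17Z WS-0207 GET https://docs.google.com/spreadsheets/d/SHEET_B/edit Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36
2024-05-01T10:01:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:02:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:02:51Z WS-0207 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/Sheet1!A1:D20 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36
2024-05-01T10:03:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:03:07Z WS-0112 PUT https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/out!A1?valueInputOption=RAW curl/8.4.0
2024-05-01T10:04:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:05:00Z WS-0112 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/cmd!A1 curl/8.4.0
2024-05-01T10:09:40Z WS-0207 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/Sheet1!A1:D20 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36
2024-05-01T10:30:00Z WS-0330 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_C/values/Inventory!A:F python-requests/2.31.0
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, method, url, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url, ua = line.split(maxsplit=4)  # user agent keeps its spaces
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, method, url, ua))
    return events


def sheets_findings(events, min_polls=5, max_jitter=0.2):
    """Return {host: [reason, ...]} for every host that touched the Sheets values API."""
    per_host = defaultdict(list)
    for ev in events:
        if SHEETS_VALUES.match(ev[3]):
            per_host[ev[1]].append(ev)
    findings = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        reasons = []
        # 1. An implant polls its command cell on a timer; people and batch jobs do not
        #    produce evenly spaced reads. Low coefficient of variation of the gaps = beacon.
        polls = [e for e in evs if e[2] == "GET"]
        if len(polls) >= min_polls:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(polls, polls[1:])]
            if gaps and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append(f"regular polling: {len(polls)} reads, mean gap {mean(gaps):.0f}s")
        # 2. A native backdoor uses its own HTTP client, not a browser user agent.
        if any(not BROWSER_UA.match(e[4]) for e in evs):
            reasons.append("non-browser user agent on Sheets API")
        # 3. Reading a command range and writing values back is the C2 exchange itself.
        methods = {e[2] for e in evs}
        if "GET" in methods and methods & {"PUT", "POST"}:
            reasons.append("read/write pattern: polls a range and writes values back")
        if reasons:
            findings[host] = reasons
    return findings


def flag_hosts(text, min_reasons=2):
    """Hosts with at least min_reasons indicators; a lone non-browser UA is normal for integrations."""
    findings = sheets_findings(parse_log(text))
    return sorted(h for h, r in findings.items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for host, reasons in sheets_findings(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

On the constructed sample only WS-0112 is flagged: it trips all three indicators, while the scripted reader WS-0330 gets a single indicator (its user agent) and is left alone, which is the caveat to keep in mind, since many legitimate integrations call the Sheets API from scripts. In production the same logic should run over egress proxy or Google Workspace audit logs, with the poll interval and jitter thresholds tuned to the environment.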