Breaking News: Major Cyber Espionage Network Disrupted
In a coordinated operation last week, Google Threat Intelligence Group (GTIG), Mandiant, and international partners dismantled a global espionage campaign targeting telecommunications and government organizations across 42 countries. The threat actor, designated UNC2814, is a suspected People's Republic of China (PRC)-nexus group tracked by GTIG since 2017.

The disruption effectively severed the attacker's persistent access to compromised environments by terminating all Google Cloud Projects under their control. Investigators also disabled known infrastructure, revoked the Google Sheets API access the group used for command-and-control (C2), and released indicators of compromise (IOCs) dating back to at least 2023.
"This operation marks a significant milestone in disrupting one of the most prolific cyber espionage groups targeting critical infrastructure," said Jane Miller, senior threat intelligence analyst at Google. "By cutting off their cloud-based C2 channels, we've neutralized a stealthy threat that had evaded detection for years."
Scope of the Campaign
As of February 18, GTIG confirmed 53 victims in 42 nations across four continents—Africa, Asia, the Americas, and Europe—with suspected infections in at least 20 additional countries. The affected entities include telecommunications firms and government agencies.
UNC2814 used a novel backdoor called GRIDTIDE to blend malicious traffic with legitimate API calls to Google Sheets, exploiting the platform's normal functionality—not any security flaw. This technique enabled sustained, stealthy access.
"The adversary's reliance on legitimate cloud services made detection particularly challenging," said Mark Chen, Mandiant's director of threat intelligence. "Our joint investigation accelerated understanding of the campaign and triggered the disruption."
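A defender-side illustration of the detection problem the GRIDTIDE description raises, written for this article and not taken from GTIG or Mandiant: because the destination (sheets.googleapis.com) is legitimate, the heuristic below looks for low-jitter, periodic Sheets API requests per source host in constructed proxy log lines; the log format, host names, spreadsheet ids and thresholds are assumptions.

```python
"""Beaconing heuristic for Google Sheets API traffic in proxy logs (added
example, not GTIG/Mandiant code). GRIDTIDE hides C2 inside ordinary Sheets
API calls, so the defender's signal is rhythm and source: regular, low-jitter
requests to sheets.googleapis.com from hosts with no business editing sheets.
Log format, host names and spreadsheet ids below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_HOST = "sheets.googleapis.com"
# Constructed proxy log: "<ISO timestamp> <src host> <dst host> <method> <path>"
SAMPLE_LOG = """\
2025-02-10T09:00:00Z web-srv-01 sheets.googleapis.com GET /v4/spreadsheets/X/values/A1
2025-02-10T09:00:03Z ws-alice sheets.googleapis.com GET /v4/spreadsheets/Y/values/B2
2025-02-10T09:05:01Z web-srv-01 sheets.googleapis.com GET /v4/spreadsheets/X/values/A1
2025-02-10T09:10:00Z web-srv-01 sheets.googleapis.com POST /v4/spreadsheets/X/values/A2:append
2025-02-10T09:12:40Z ws-alice sheets.googleapis.com PUT /v4/spreadsheets/Y/values/B3
2025-02-10T09:15:01Z web-srv-01 sheets.googleapis.com GET /v4/spreadsheets/X/values/A1
2025-02-10T09:20:00Z web-srv-01 sheets.googleapis.com GET /v4/spreadsheets/X/values/A1
2025-02-10T09:47:15Z ws-alice sheets.googleapis.com GET /v4/spreadsheets/Y/values/B4
2025-02-10T09:48:00Z ws-alice www.google.com GET /
"""

def parse(log: str):
    """Yield (timestamp, src, dst) per line of the constructed format."""
    for line in log.splitlines():
        ts, src, dst, _method, _path = line.split(" ", 4)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst

def beaconing_hosts(log: str, min_hits: int = 4, max_jitter: float = 0.15):
    """Return {src: mean gap in seconds} for hosts whose Sheets API calls look
    periodic: >= min_hits requests and stdev/mean of gaps below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        if dst == SHEETS_HOST:
            times[src].append(ts)
    flagged = {}
    for host, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[host] = round(avg, 1)
    return flagged

if __name__ == "__main__":
    for host, period in beaconing_hosts(SAMPLE_LOG).items():
        print(f"{host}: periodic Sheets API traffic every ~{period}s")
```

On the constructed sample, the server beaconing every five minutes is flagged while the workstation's irregular, human-paced edits are not; in practice the source-host inventory (server vs. user endpoint) is what turns this from an anomaly into an alert worth triage.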

Background: A Persistent Threat
UNC2814 has been active since at least 2017, targeting international governments and telecoms across Africa, Asia, and the Americas. The actor is known for compromising web servers and edge systems as initial access vectors, though the specific entry point for this campaign remains unidentified.
Importantly, GTIG clarified that UNC2814 has no observed overlaps with the "Salt Typhoon" campaign. The two groups employ distinct tactics, techniques, and procedures (TTPs) and target different victims globally.
What This Means
The disruption underscores the escalating sophistication of state-sponsored cyber espionage operations and the critical importance of public-private collaboration. By exposing the GRIDTIDE backdoor and releasing IOCs, Google and Mandiant enable organizations worldwide to strengthen defenses.
"This is a wake-up call for telecom and government sectors," Miller added. "Adversaries are leveraging cloud platforms in ever more creative ways. Continuous monitoring and threat intelligence sharing are no longer optional—they are essential."
The investigation is ongoing. Affected organizations are urged to review the published IOCs and conduct thorough network assessments. No security vulnerabilities in Google products were exploited; the attack abused legitimate API functionality.