Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms’ legitimate features to hide the attackers’ tracks.
“The attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,” researchers at Google’s Threat Intelligence Group and Mandiant said in a report on Wednesday.
Google said the “prolific, elusive” China-linked hacker team, which it tracks as UNC2814, “has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.”
The group breached 53 organizations worldwide as part of the latest campaign, a massive scope that Google said likely reflected “a decade of concentrated effort.”
“Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established,” Google researchers wrote. “We expect that UNC2814 will work hard to re-establish their global footprint.”
UNC2814, which is distinct from the threat actor responsible for Beijing’s Salt Typhoon campaign, “has a history of gaining entry by exploiting and compromising web servers and edge systems,” Google said. Researchers have tracked its activities since 2017.
Commandeering a collaboration platform
In the latest operation — which Google and its partners disrupted last week by seizing the attackers’ infrastructure — the UNC2814 hackers deployed backdoor malware dubbed “GRIDTIDE” that they controlled through an elaborate abuse of the Google Sheets API.
GRIDTIDE looked for commands in cell A1 and then overwrote the cell’s data with a status report on its activities, according to Google’s report. The hackers used nearby cells to transfer additional tools to victim machines and exfiltrate files from them.
“Once the Sheet is prepared, the backdoor conducts host-based reconnaissance,” Google said, including collecting information about the target machine, its user, and its network environment. “This information is then exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet.”
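The poll-then-overwrite loop described above leaves a recognisable shape in egress logs. As an added detection example that is not from Google's report, the script below runs a heuristic over constructed proxy-log lines and flags hosts where a non-browser process repeatedly reads and overwrites single cells of one spreadsheet through the Sheets API values endpoint; the log format, hostnames, process allowlist and spreadsheet IDs are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (timestamp host process method url); hosts and spreadsheet
# IDs are placeholders, and the Sheets API v4 range in the URL is shown URL-decoded.
SAMPLE_LOG = """\
2025-01-10T08:00:00Z host-a chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/ID1/values/Sheet1!A1:Z50
2025-01-10T08:00:05Z host-b svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/ID2/values/Sheet1!A1
2025-01-10T08:00:06Z host-b svchost.exe PUT https://sheets.googleapis.com/v4/spreadsheets/ID2/values/Sheet1!A1?valueInputOption=RAW
2025-01-10T08:00:07Z host-b svchost.exe PUT https://sheets.googleapis.com/v4/spreadsheets/ID2/values/Sheet1!V1?valueInputOption=RAW
2025-01-10T08:01:05Z host-b svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/ID2/values/Sheet1!A1
2025-01-10T08:01:06Z host-b svchost.exe PUT https://sheets.googleapis.com/v4/spreadsheets/ID2/values/Sheet1!A1?valueInputOption=RAW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT|POST) (\S+)$")
VALUES_RE = re.compile(r"sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^?]+)")
SINGLE_CELL = re.compile(r"[^!]+![A-Z]+\d+")  # e.g. Sheet1!A1, not a block like Sheet1!A1:Z50
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allowlist of expected Sheets clients

def parse(log_text):
    """Return one event per request that hits the Sheets API values endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        v = VALUES_RE.search(m.group(5)) if m else None
        if v:
            events.append({"host": m.group(2), "proc": m.group(3), "method": m.group(4),
                           "sheet": v.group(1), "range": v.group(2)})
    return events

def find_sheet_c2(events, min_cycles=2):
    """Flag (host, process, spreadsheet) where a non-browser process both reads and
    overwrites single cells at least min_cycles times: the command-poll / status-write
    loop a backdoor using a spreadsheet as its C2 channel produces."""
    by_key = defaultdict(list)
    for e in events:
        if e["proc"].lower() not in BROWSERS and SINGLE_CELL.fullmatch(e["range"]):
            by_key[(e["host"], e["proc"], e["sheet"])].append(e)
    hits = []
    for (host, proc, sheet), evs in by_key.items():
        reads = sum(e["method"] == "GET" for e in evs)
        writes = sum(e["method"] == "PUT" for e in evs)
        if reads >= min_cycles and writes >= min_cycles:
            hits.append({"host": host, "process": proc, "spreadsheet": sheet, "reads": reads,
                         "writes": writes, "cells": sorted({e["range"] for e in evs})})
    return hits

if __name__ == "__main__":
    for hit in find_sheet_c2(parse(SAMPLE_LOG)):
        print(hit)
```

In a real deployment the allowlist and thresholds would be tuned per environment, and the single-cell read/write pattern is a lead to triage, not proof of compromise.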
The campaign’s clever techniques and widespread impact highlight “the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” Google warned.
Although the campaign is distinct from Salt Typhoon, Google said it seemed to have a similar goal, describing it as “consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest.”
Knocking the attackers offline
In response to the hacking campaign, Google disabled the attackers’ cloud platform access, and the company and its partners sinkholed the threat actor’s web domains.
“We terminated all Cloud Projects controlled by the attacker, effectively severing their persistent access to environments compromised by the GRIDTIDE backdoor,” the researchers wrote.
Google also released indicators of compromise associated with infrastructure the group has been using since 2023, updated its signature-based malware detections to spot GRIDTIDE, and provided search queries that its cloud security customers could use to scan for potential compromises in their environments.
The company said it had notified victims of the campaign.