Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Published: February 25, 2026 at 12:46 PM EST

Source: The Hacker News

Ravie Lakshmanan
Feb 25, 2026 | Cyber Espionage / Network Security

Google disclosed on Wednesday that it worked with industry partners to disrupt the infrastructure of a suspected China‑nexus cyber‑espionage group tracked as UNC2814. The group has breached at least 53 organizations across 42 countries.

“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” said the Google Threat Intelligence Group (GTIG) and Mandiant in a report published today.

UNC2814 is also suspected of additional infections in more than 20 other nations. The tech giant, which has been tracking the threat actor since 2017, observed the use of API calls to communicate with software‑as‑a‑service (SaaS) apps as command‑and‑control (C2) infrastructure. The idea is to disguise malicious traffic as benign.

Dan Perez, GTIG researcher, told The Hacker News via email that Google cannot confirm whether all intrusions involved the GRIDTIDE backdoor. “We believe many of these organizations have been compromised for years.”

GRIDTIDE Backdoor

  • Communication channel: Google Sheets API
  • Functionality: C‑based malware that supports file upload/download and execution of arbitrary shell commands
  • Persistence: Creates a systemd service at /etc/systemd/system/xapt.service; once enabled, the malware runs from /usr/sbin/xapt

Exactly how UNC2814 obtains initial access remains under investigation, but the group has a history of exploiting and compromising web servers and edge systems.


Attacks have leveraged a service account to move laterally via SSH and used living‑off‑the‑land (LotL) binaries for reconnaissance, privilege escalation, and persistence.

“To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt,” Google explained.
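The persistence artefacts quoted above are concrete enough to hunt for. The following script is an added example (not from the GTIG/Mandiant report) that flags systemd unit files whose name or ExecStart line matches the reported paths and notes whether they carry an [Install] target, so that `systemctl enable` would start them at boot; the sample unit text is constructed here for illustration.

```python
import os
import re

# Indicators quoted in the report above.
REPORTED_UNIT = "/etc/systemd/system/xapt.service"
REPORTED_BINARY = "/usr/sbin/xapt"

# systemd permits prefixes such as "-", "@" or "+" in front of the executable path.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.MULTILINE)
INSTALL_RE = re.compile(r"^\s*WantedBy\s*=", re.MULTILINE)

def assess_unit(unit_path, unit_text):
    """Return the reasons a unit file matches the reported persistence ([] if none)."""
    reasons = []
    if os.path.basename(unit_path) == os.path.basename(REPORTED_UNIT):
        reasons.append("unit name matches reported " + REPORTED_UNIT)
    m = EXEC_RE.search(unit_text)
    if m and m.group(1) == REPORTED_BINARY:
        reasons.append("ExecStart launches reported binary " + REPORTED_BINARY)
    if reasons and INSTALL_RE.search(unit_text):
        reasons.append("[Install] target present: 'systemctl enable' starts it at boot")
    return reasons

def scan_units(root="/"):
    """Walk the usual unit directories under root (pass a mount point for an offline image)."""
    findings = {}
    for rel in ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"):
        unit_dir = os.path.join(root, rel)
        if not os.path.isdir(unit_dir):
            continue
        for name in os.listdir(unit_dir):
            path = os.path.join(unit_dir, name)
            if not name.endswith(".service") or not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                reasons = assess_unit(path, fh.read())
            if reasons:
                findings[path] = reasons
    return findings

# Constructed sample unit (not from the report), shaped like the described persistence.
SAMPLE_UNIT = """[Unit]
Description=apt helper
[Service]
ExecStart=/usr/sbin/xapt
[Install]
WantedBy=multi-user.target
"""
BENIGN_UNIT = "[Service]\nExecStart=/usr/sbin/sshd -D\n"
```

Run `scan_units("/")` on a live host, or `scan_units("/mnt/image")` against a mounted disk image; a hit on the binary path alone is worth triage even if the unit has been renamed.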

Another noteworthy aspect is the deployment of SoftEther VPN Bridge to establish an outbound encrypted connection to an external IP address. Abuse of SoftEther VPN has been linked to multiple Chinese hacking groups.

There is evidence that GRIDTIDE is dropped on endpoints containing personally identifiable information (PII), consistent with espionage focused on monitoring persons of interest. Google noted that it did not observe any data exfiltration during the campaign.


GRIDTIDE Execution Lifecycle

GRIDTIDE diagram

C2 mechanism: a cell‑based polling system in a Google Sheet. Specific cells have defined roles for bidirectional communication:

  • A1 – Polled for attacker commands; overwritten with a status response (e.g., S‑C‑R, Server‑Command‑Success)
  • A2‑An – Transfer of data such as command output and files
  • V1 – Storage of system data from the victim endpoint
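A polling C2 like the one described above leaves a cadence signature in egress logs: a server that fetches the same Sheets API range at near-constant intervals. The detector below is an added example (not from the report) that groups proxy requests to sheets.googleapis.com by source and flags sources whose inter-request jitter is low; the log format and IP addresses are constructed, the URL paths follow the public Sheets v4 values endpoint, and the spreadsheet IDs are placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_HOST = "sheets.googleapis.com"  # SaaS API endpoint abused as C2 per the report

# Constructed egress-proxy lines (not real data): "<utc time> <src ip> <dest host> <path>".
# Paths use the Sheets v4 values endpoint; spreadsheet IDs are placeholders.
SAMPLE_LOG = """\
2026-02-25T10:00:00Z 10.0.0.5 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2026-02-25T10:00:30Z 10.0.0.5 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2026-02-25T10:01:00Z 10.0.0.5 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2026-02-25T10:01:30Z 10.0.0.5 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2026-02-25T10:02:00Z 10.0.0.5 sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1
2026-02-25T10:00:12Z 10.0.0.9 sheets.googleapis.com /v4/spreadsheets/OTHER_ID_PLACEHOLDER/values/B2:D9
2026-02-25T10:03:40Z 10.0.0.9 sheets.googleapis.com /v4/spreadsheets/OTHER_ID_PLACEHOLDER/values/B2:D9
2026-02-25T10:04:01Z 10.0.0.9 www.google.com /
2026-02-25T10:09:15Z 10.0.0.9 sheets.googleapis.com /v4/spreadsheets/OTHER_ID_PLACEHOLDER/values/B2:D9
"""

def parse(line):
    ts, src, host, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path

def find_polling_hosts(log_text, min_requests=5, max_jitter=0.2):
    """Return {src_ip: (request_count, mean_gap_seconds)} for sources polling C2_HOST regularly."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _ = parse(line)
        if host == C2_HOST:
            times[src].append(ts)
    flagged = {}
    for src, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-constant gaps indicate an automated poller; interactive Sheets use is bursty.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = (len(stamps), avg)
    return flagged
```

Workstations with a spreadsheet open will also talk to this host, so apply the rule to server and edge-device subnets where no Sheets traffic is expected, and tune min_requests and max_jitter to the polling interval you observe.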

Google’s Response

  • Terminated all Google Cloud projects controlled by the attacker
  • Disabled all known UNC2814 infrastructure
  • Cut off access to attacker‑controlled accounts and Google Sheets API calls used for C2

Google described UNC2814 as one of the “most far‑reaching, impactful campaigns” encountered in recent years. Formal victim notifications have been issued, and Google is actively supporting organizations with verified compromises.


The discovery is one of many concurrent efforts by Chinese nation‑state groups to embed themselves into networks for long‑term access. It also highlights that the network edge continues to bear the brunt of internet‑wide exploitation attempts, with threat actors frequently exploiting vulnerabilities and misconfigurations in edge appliances as a common entry point into enterprise networks.

These appliances have become attractive targets in recent years because they typically lack endpoint malware detection, yet provide direct network access or pivot points to internal systems.

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” – Google

“Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re‑established. We expect that UNC2814 will work hard to re‑establish its global footprint.” – Google
