
For nearly a decade, a suspected Chinese state-backed hacking group quietly burrowed into the world's phone networks — and they did it hiding in plain sight, inside one of the most ordinary tools on the internet: Google Sheets.
Google's Threat Intelligence Group (GTIG) and Mandiant revealed this week that they have dismantled a sweeping global espionage operation run by a threat actor tracked as UNC2814, active since at least 2017. By the time the disruption was executed, the group had confirmed footholds inside 53 organisations across 42 countries — spanning telecoms and government agencies on four continents — with suspected infections in at least 20 more nations.
The Clever Trick That Made This So Hard to Catch
The campaign's defining feature was a novel backdoor called GRIDTIDE, a piece of malware written in C that turned Google Sheets into a covert command-and-control channel. Rather than connecting to an attacker-run server that security tools might flag, GRIDTIDE sent and received instructions through Google's own Sheets API (the interface that lets applications read and write spreadsheet data). On the wire that is ordinary HTTPS to a Google API endpoint, so to network monitoring it blended in with the legitimate cloud traffic most organisations already allow.
Once installed, the malware would silently poll a specific cell (A1) in an attacker-controlled spreadsheet, waiting for instructions. Commands told it to execute shell commands on the victim's system, download files, or exfiltrate data; results were broken into chunks and written back into the spreadsheet's rows, so the same sheet served as both tasking queue and drop box. The attackers encrypted the malware's configuration with AES-128 and wrapped everything that crossed the channel in URL-safe Base64. Base64 is encoding, not encryption: it hides the content from casual inspection and keeps arbitrary bytes safe inside a spreadsheet cell, but anyone who can read the sheet can decode it, which matters for responders examining a recovered spreadsheet.
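The chunk-and-encode scheme described above is easy to model, and modelling it is useful on the response side: once a spreadsheet used this way is recovered, its rows need to be reassembled before anyone can see what left the network. The following Python is an added illustration written for this article, not GRIDTIDE's code or any Google tooling. It assumes a hypothetical layout in which cell A1 holds the tasking string and each row below it carries one independently URL-safe-Base64-encoded chunk of output; the sample command output is constructed.

```python
from __future__ import annotations
import base64
import re

# Accept URL-safe Base64 with or without trailing padding.
URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")


def chunk_payload(data: bytes, chunk_size: int = 16) -> list[list[str]]:
    """Split data into chunks and URL-safe Base64 each chunk, one chunk per row.

    Mirrors the 'broken into chunks and posted into rows' behaviour the article
    describes; the one-chunk-per-row, column-A layout is an assumption.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    rows = []
    for i in range(0, len(data), chunk_size):
        cell = base64.urlsafe_b64encode(data[i:i + chunk_size]).decode("ascii")
        rows.append([cell])
    return rows


def decode_cell(cell: str) -> bytes:
    """Decode a single URL-safe Base64 cell, restoring padding if it was stripped."""
    s = cell.strip()
    if not URLSAFE_B64.match(s):
        raise ValueError(f"cell is not URL-safe Base64: {s!r}")
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def reassemble_rows(values: list[list[str]]) -> bytes:
    """Rebuild the exfiltrated bytes from a Sheets-API-style 'values' list.

    values[0] is assumed to be the tasking row (A1); every later row's first
    cell is one chunk. Blank rows are skipped because the Sheets API omits
    trailing empty cells rather than returning empty strings.
    """
    out = bytearray()
    for row in values[1:]:
        if not row or not row[0]:
            continue
        out += decode_cell(row[0])
    return bytes(out)


def build_sheet(command: str, output: bytes, chunk_size: int = 16) -> list[list[str]]:
    """Constructed stand-in for what the attacker-controlled sheet would hold."""
    return [[command]] + chunk_payload(output, chunk_size)


# Constructed sample: output of an 'id' command as it might be written back.
SAMPLE_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"
SHEET = build_sheet("id", SAMPLE_OUTPUT, chunk_size=16)

if __name__ == "__main__":
    for row in SHEET:
        print(row)
    print(reassemble_rows(SHEET).decode())
```

The decoder is deliberately tolerant of stripped `=` padding, because URL-safe variants often drop it, and it rejects cells that are not Base64 at all rather than silently producing garbage; that distinction is what tells a responder whether a row is payload or just spreadsheet noise.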
"This activity is not the result of a security vulnerability in Google's products," Google clarified — the attackers were simply abusing legitimate functionality to make their malicious traffic appear normal.

The targets tell a clear story. Telecommunications companies were the primary focus. On one compromised system, GRIDTIDE was planted on an endpoint storing deeply personal records — full names, phone numbers, dates of birth, national ID numbers, and voter IDs.
Google assessed that this is consistent with surveillance-driven espionage: the kind of access that enables a state actor to track dissidents, activists, journalists, and diplomatic targets through their own carriers.
Historical PRC-linked telecom intrusions have been used to steal call data records, intercept unencrypted SMS messages, and abuse lawful intercept systems — the legal wiretapping infrastructure built into every major carrier.
The Takedown
Google and its partners moved to dismantle UNC2814's infrastructure by terminating all attacker-controlled Google Cloud projects, disabling their service accounts, revoking API access, and sinkholing (redirecting) domains the group had relied on since at least 2023. Affected organisations have been formally notified.
This attack required no zero-day exploits. UNC2814 typically gains initial access by exploiting already-known vulnerabilities in internet-exposed web servers and edge devices, a reminder that patching public-facing systems promptly remains one of the most effective defences available.
For security teams, Google has released detection rules and hunting queries for Google SecOps. They key on two signals: connections to the Google Sheets API from processes that are not a web browser, and shell executions originating from the /var/tmp/ directory. Both need local tuning. Service accounts and automation scripts legitimately call the Sheets API from non-browser processes, so known-good images will have to be allowlisted, and /var/tmp/ is a world-writable staging location that other tooling may use as well, so the shell signal is strongest when it can be tied to the same process that is talking to the Sheets API.
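To make those two hunt signals concrete, here is an added Python example written for this article. It is not Google's SecOps content and uses no real UNC2814 telemetry: the NDJSON events, host name, process paths (including the "/var/tmp/example-implant" binary) and the allowlist entry are all constructed. It implements the two rules over the sample events, applies an environment-specific allowlist for legitimate Sheets API automation, and then escalates only when the process that contacted the Sheets API is also the parent of a shell launched from /var/tmp/.

```python
from __future__ import annotations
import json
from typing import Iterable

SHEETS_API_HOSTS = {"sheets.googleapis.com"}
BROWSERS = {"chrome", "chromium", "firefox", "msedge", "safari", "brave"}
SHELLS = {"sh", "bash", "dash", "zsh"}
STAGING_DIR = "/var/tmp"
# Known-good Sheets API automation as (image, working-directory prefix).
# Assumed for this example; tune per environment.
ALLOWLIST = {("/usr/bin/python3", "/opt/billing")}

# Constructed endpoint telemetry: one JSON event per line.
SAMPLE_LOGS = """\
{"ts":"2025-01-10T08:00:01Z","type":"net","host":"tel-core-01","pid":4120,"image":"/opt/google/chrome/chrome","cwd":"/home/ana","dest":"sheets.googleapis.com","dport":443}
{"ts":"2025-01-10T08:00:07Z","type":"net","host":"tel-core-01","pid":9981,"image":"/var/tmp/example-implant","cwd":"/var/tmp","dest":"sheets.googleapis.com","dport":443}
{"ts":"2025-01-10T08:00:08Z","type":"proc","host":"tel-core-01","pid":9982,"ppid":9981,"image":"/bin/sh","parent_image":"/var/tmp/example-implant","cwd":"/var/tmp","cmdline":"sh -c id"}
{"ts":"2025-01-10T08:01:00Z","type":"net","host":"tel-core-01","pid":5523,"image":"/usr/bin/python3","cwd":"/opt/billing","dest":"sheets.googleapis.com","dport":443}
{"ts":"2025-01-10T08:01:30Z","type":"proc","host":"tel-core-01","pid":6001,"ppid":1,"image":"/bin/bash","parent_image":"/usr/sbin/cron","cwd":"/root","cmdline":"bash /root/backup.sh"}
{"ts":"2025-01-10T08:02:00Z","type":"net","host":"tel-core-01","pid":4120,"image":"/opt/google/chrome/chrome","cwd":"/home/ana","dest":"docs.googleapis.com","dport":443}
"""


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def under(path: str, directory: str) -> bool:
    """True if path is the directory itself or lies inside it (boundary-aware)."""
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def allowed(ev: dict) -> bool:
    return any(ev.get("image") == img and under(ev.get("cwd", ""), d) for img, d in ALLOWLIST)


def rule_sheets_api_non_browser(ev: dict) -> dict | None:
    """Signal 1: a process that is not a browser talks to the Sheets API."""
    if ev.get("type") != "net" or ev.get("dest") not in SHEETS_API_HOSTS:
        return None
    if basename(ev["image"]).lower() in BROWSERS or allowed(ev):
        return None
    return {"rule": "sheets_api_non_browser", "pid": ev["pid"], "image": ev["image"], "ts": ev["ts"]}


def rule_shell_from_var_tmp(ev: dict) -> dict | None:
    """Signal 2: a shell whose parent binary or working directory is under /var/tmp."""
    if ev.get("type") != "proc" or basename(ev["image"]) not in SHELLS:
        return None
    if under(ev.get("parent_image", ""), STAGING_DIR) or under(ev.get("cwd", ""), STAGING_DIR):
        return {"rule": "shell_from_var_tmp", "pid": ev["pid"], "ppid": ev.get("ppid"),
                "cmdline": ev.get("cmdline"), "ts": ev["ts"]}
    return None


def parse(ndjson: str) -> list[dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def hunt(events: Iterable[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        for rule in (rule_sheets_api_non_browser, rule_shell_from_var_tmp):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def correlate(alerts: list[dict]) -> list[dict]:
    """Escalate shells whose parent is a process already flagged for Sheets API traffic."""
    c2_pids = {a["pid"] for a in alerts if a["rule"] == "sheets_api_non_browser"}
    return [a for a in alerts if a["rule"] == "shell_from_var_tmp" and a.get("ppid") in c2_pids]


if __name__ == "__main__":
    hits = hunt(parse(SAMPLE_LOGS))
    for a in hits:
        print(a)
    print("escalated:", correlate(hits))
```

On the sample, the browser traffic and the allowlisted billing script produce nothing, the unknown binary in /var/tmp trips signal 1, the `sh -c id` it spawns trips signal 2, and `correlate` links the two through the parent PID. That last step is where the value is: either signal alone will fire on legitimate automation or sloppy admin scripts, but a non-browser Sheets API client that also spawns shells is the exact pattern this backdoor exhibits.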
The attackers will likely try to rebuild. The question is whether defenders will be watching.