On February 25, 2026, Google Threat Intelligence Group (GTIG) and Mandiant publicly disclosed the disruption of a suspected People's Republic of China (PRC)-nexus cyber espionage campaign that had breached at least 53 organizations across 42 countries spanning four continents.
The threat actor, tracked by Google as UNC2814, had been active since at least 2017 and primarily targeted telecommunications providers and government agencies across Africa, Asia, and the Americas.
The group deployed a novel C-based backdoor called GRIDTIDE that abused legitimate Google Sheets API functionality as its command-and-control infrastructure - treating a Google Spreadsheet as a bidirectional communication channel that blended seamlessly with normal cloud traffic.
Google terminated all attacker-controlled Cloud projects, disabled all attacker accounts, revoked Google Sheets API access, sinkholed current and historical domains, and notified all 53 confirmed victim organizations.
" Suspected infections extend to more than 70 countries total. This is one of the most geographically dispersed state-sponsored espionage campaigns ever publicly documented.
KEY FACTS
- What: A PRC-nexus espionage group deployed a novel backdoor that abused Google Sheets API as command-and-control infrastructure to maintain persistent access across 53 telecommunications and government organizations in 42 countries for nearly a decade.
- Who: 53 confirmed victim organizations across 42 countries on four continents. Primarily telecommunications providers and government agencies in Africa, Asia, and the Americas. Suspected infections in 70+ countries total.
- How: Initial access via exploitation of public-facing web servers and edge devices (MITRE ATT&CK T1190). GRIDTIDE C-based backdoor for persistent access. Google Sheets API for C2 communications. SoftEther VPN Bridge for encrypted tunneling. SSH for lateral movement. Systemd service for persistence.
- Data: Full names, phone numbers, dates and places of birth, national identification numbers, voter ID numbers. Telecom infrastructure access enables collection of call data records, SMS content, subscriber metadata, and surveillance targeting of specific individuals.
- Actor: UNC2814 (Google/Mandiant designation). Suspected PRC-nexus. Active since at least 2017. No observed overlap with Salt Typhoon (UNC5807). Distinct operational cell within China's cyber espionage apparatus.
- Impact: Decade-long persistent espionage access across 42 countries. Potential signals intelligence collection at global scale. Campaign disrupted but Google expects UNC2814 to attempt re-establishment.
WHAT HAPPENED
Google Threat Intelligence Group first identified UNC2814 in 2017 through its ongoing tracking of PRC-nexus threat actors.
The group operated for nearly a decade, systematically compromising telecommunications providers and government agencies across Africa, Asia, and the Americas. As of February 18, 2026, GTIG confirmed 53 intrusions across 42 countries on four continents.
Suspected infections extend to at least 20 additional countries, bringing the total suspected footprint to more than 70 nations.
UNC2814's operational methodology followed a consistent pattern. Initial access was achieved by exploiting vulnerabilities in public-facing web servers and edge systems - internet-exposed infrastructure that often lacks the monitoring coverage of internal networks.
Google did not disclose specific CVEs exploited by UNC2814 in this campaign but noted the group's historical reliance on this attack vector. In several documented cases, UNC2814 exploited known but unpatched vulnerabilities in internet-facing VPN appliances.
Once inside a target network, the attackers performed reconnaissance using living-off-the-land techniques - legitimate system administration tools including PowerShell, WMI, and PsExec - before deploying their primary implant.
The investigation that led to the disruption began during a Mandiant engagement with a customer whose environment exhibited suspicious activity. Mandiant's analysis revealed the presence of GRIDTIDE and traced the infrastructure back to UNC2814's broader campaign.
Google then coordinated with unnamed industry partners, CISA, the UK National Cyber Security Centre (NCSC), and several European cybersecurity agencies to map the full scope of UNC2814's operations and execute a coordinated takedown.
On February 25, 2026, GTIG and Mandiant publicly disclosed the campaign and the disruption actions.
Google terminated all Google Cloud Projects controlled by UNC2814, effectively severing persistent access to every environment compromised via GRIDTIDE. All attacker accounts were disabled. All Google Sheets API access used for C2 communications was revoked.
Both current and historical domains associated with UNC2814 were sinkholed in collaboration with partners. All 53 confirmed victim organizations were notified and offered cleanup support.
GTIG published indicators of compromise dating to 2023 and released detection signatures to block GRIDTIDE activity.
THE THREAT ACTOR
UNC2814 is a suspected PRC-nexus cyber espionage group that Google Threat Intelligence Group has tracked since 2017. The "UNC" designation indicates an "uncategorized" cluster - a set of observed intrusion activities that GTIG has not yet merged with a named or numbered threat group.
Despite nearly a decade of tracking, Google has not publicly linked UNC2814 to a specific Chinese intelligence service, military unit, or contractor.
Google confirmed that UNC2814 has no observed operational overlap with Salt Typhoon (tracked as UNC5807 by Google, and as OPERATOR PANDA, RedMike, and GhostEmperor by other vendors) - the PRC-linked group that compromised AT&T, Verizon, T-Mobile, and other major U.S. telecommunications firms in a campaign disclosed by U.S. authorities in late 2024. UNC2814 and Salt Typhoon target the same sector - telecoms - and pursue the same strategic objective - signals intelligence collection through infrastructure compromise - but use different techniques, target different victims, and appear to operate as distinct cells within China's sprawling cyber espionage ecosystem.
A joint Cybersecurity Advisory (AA25-239A), published by CISA, NSA, FBI, and allied Five Eyes agencies in August 2025, addressed Salt Typhoon and related PRC actors but did not reference UNC2814 or GRIDTIDE - confirming that UNC2814's operations were not yet publicly known at that time.
" The kind of persistent access UNC2814 achieved across 42 countries' telecommunications infrastructure would enable bulk collection of call data records, interception of unencrypted SMS messages, real-time surveillance of specific phone numbers, and abuse of lawful intercept systems - the same capabilities that Salt Typhoon exploited against U.S. carriers.
Google assessed that "prolific intrusions of this scale are generally the result of years of focused effort" and expects UNC2814 to "work hard to re-establish their global footprint" using new infrastructure.
The disruption severed existing access but did not eliminate the group's capability or intent.
WHAT WAS EXPOSED
Google did not directly observe data exfiltration during the disrupted operation. However, the nature of the access - persistent backdoor presence on telecom and government infrastructure across 42 countries - creates an exposure surface that dwarfs a typical data breach:
- Personally identifiable information: In at least one confirmed case, GRIDTIDE was deployed on systems containing full names, phone numbers, dates and places of birth, national identification numbers, and voter identification numbers. This data enables identity fraud and targeted surveillance.
- Telecommunications metadata: Persistent access to telecom infrastructure enables collection of call data records (CDRs) - who called whom, when, for how long, and from where. CDRs reveal social networks, movement patterns, and communication habits without requiring voice content interception.
- SMS content: Unencrypted SMS messages - still widely used for two-factor authentication, banking notifications, and personal communications - are accessible to an attacker with telecom infrastructure access.
- Lawful intercept systems: Telecom providers maintain lawful intercept capabilities mandated by government regulation. An attacker with administrative access to these systems can conduct wiretapping at scale without the knowledge of the telecom operator.
- Subscriber databases: Telecom subscriber records include names, addresses, identification documents, payment information, and device identifiers for every customer - potentially hundreds of millions of individuals across 42 countries.
- Government communications: Access to government agency networks enables collection of classified and sensitive communications, policy deliberations, diplomatic correspondence, and intelligence assessments.
The permanence of this exposure is significant. National identification numbers and voter IDs cannot be changed. Telecommunications metadata collected over a decade cannot be un-collected.
Surveillance intelligence gathered from intercepted communications has already been consumed by whatever entity directed UNC2814's operations.
TECHNICAL FAILURE CHAIN
1. Exploitation of public-facing web servers and edge devices (T1190). UNC2814 gained initial access by exploiting vulnerabilities in internet-facing infrastructure - including known but unpatched vulnerabilities in VPN appliances.
This is the most common initial access vector for PRC-nexus groups and the most preventable.
Edge devices - VPN gateways, firewalls, and web application servers - are frequently left unpatched because organizations prioritize endpoint and server patching over network infrastructure.
2. Abuse of legitimate cloud services for C2 (T1102.002). GRIDTIDE's use of Google Sheets API for command-and-control was its most innovative and dangerous capability.
All C2 traffic appeared as legitimate HTTPS requests to sheets.googleapis.com - a domain that network defenders cannot block without disrupting legitimate Google Workspace functionality. The C2 protocol used URL-safe Base64 encoding that blended with normal API traffic.
Standard network detection tools, firewalls, and proxy servers pass this traffic without inspection. This is not a vulnerability in Google's products - it is an abuse of legitimate functionality that exploits the implicit trust organizations place in major cloud platforms.
GRIDTIDE's C2 mechanism used a cell-based polling system within a Google Spreadsheet. Cell A1 served as the command channel: the attacker wrote commands, and the backdoor overwrote A1 with status codes (such as "S-C-R").
Cells A2 through An served as the data transfer channel for command output and exfiltrated files. Cell V1 stored the victim system fingerprint - username, hostname, OS details, local IP address, locale, and timezone.
The backdoor polled A1 every second for 120 attempts, then switched to randomized 5-to-10-minute intervals.
GRIDTIDE supported three command types: "C" for executing Base64-encoded bash commands with output written back to the spreadsheet; "U" for uploading data from cells A2:A
Upon initialization, GRIDTIDE sanitized its spreadsheet by deleting the first 1,000 rows across columns A through Z using the batchClear API method - preventing command or data interference from prior sessions.
The backdoor authenticated to Google Cloud using a hardcoded private key for a Google Service Account, requiring a 16-byte cryptographic key to decrypt its Google Drive configuration containing service account credentials, spreadsheet IDs, and private keys.
Google notes that the Google Sheets API rate limit of 300 requests per minute per project constrained but did not prevent GRIDTIDE's operations.
3. Failure to detect systemd persistence (T1543.002). GRIDTIDE achieved boot-persistent access by creating a systemd service at /etc/systemd/system/xapt.service that spawned the backdoor from /usr/sbin/xapt; the backdoor was also launched in a way that let it survive closure of the originating session.
The binary name "xapt" was deliberately chosen to mimic a legitimate Debian/Ubuntu package management tool, evading casual review. New systemd service installations on production telecom and government servers should trigger immediate alerts.
4. Absence of network segmentation allowing SSH lateral movement (T1021.004).
After establishing a foothold, UNC2814 moved laterally through compromised networks using SSH. This indicates insufficient segmentation between externally facing systems and internal infrastructure containing sensitive data, subscriber databases, and administrative interfaces.
5. SoftEther VPN Bridge for encrypted tunneling. UNC2814 deployed SoftEther VPN Bridge to establish outbound encrypted connections to external IP addresses.
VPN configuration metadata indicates this specific infrastructure had been in use since at least July 2018 - seven years before discovery.
An unauthorized VPN bridge on production telecom infrastructure should be detectable through endpoint detection and response tools, application whitelisting, and network traffic analysis.
6. Lack of cloud identity governance. GRIDTIDE authenticated to Google Cloud using a hardcoded private key for a service account.
The existence of unauthorized or anomalous Google Cloud service accounts should be visible through Cloud Security Posture Management (CSPM) tools and identity governance platforms.
No victim organization detected the unauthorized service account activity over the course of the campaign.
7. Nine years without detection. UNC2814 maintained operations from at least 2017 to February 2026 across 53 confirmed organizations.
This duration indicates systemic failures in threat hunting, anomaly detection, and intelligence sharing across the global telecommunications and government sectors.
The campaign was ultimately discovered during a Mandiant customer engagement - not through any victim organization's own detection capabilities.
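A defender-side illustration of the C2 pattern described in item 2 of the failure chain, added here and not part of GTIG's published detections: it scans constructed egress-proxy log lines for non-browser processes calling sheets.googleapis.com, a batchClear call, and the one-request-per-second A1 poll burst. The log format, host names, process allowlist and spreadsheet ID are assumptions.

```python
"""Detect GRIDTIDE-style Google Sheets API C2 polling in egress-proxy logs.
Added illustration for this page, not GTIG's published Sigma rules. The log
format is constructed: "<epoch> <src_host> <process> <dest_host> <path>"."""
import re
from collections import defaultdict

SHEETS_HOST = "sheets.googleapis.com"
# Processes expected to call the Sheets API in this estate (assumed allowlist).
ALLOWED_PROCESSES = {"chrome", "firefox"}
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, proc, dest, path = m.groups()
    return {"ts": int(ts), "src": src, "proc": proc, "dest": dest, "path": path}


def spreadsheet_id(path):
    # Sheets v4 paths: /v4/spreadsheets/<id>/values/A1 or .../values:batchClear
    return path.split("/spreadsheets/")[1].split("/")[0] if "/spreadsheets/" in path else ""


def detect(lines, burst_count=30, burst_window=60):
    """Return sorted (src_host, process, reason) findings for three signals:
    1) a process outside the allowlist calling the Sheets API;
    2) a batchClear call, the rows 1-1000 wipe GRIDTIDE performs on start-up;
    3) burst_count requests within burst_window seconds to one spreadsheet,
       i.e. the once-per-second A1 poll loop rather than human editing."""
    findings = set()
    stamps_by_sheet = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dest"] != SHEETS_HOST:
            continue
        key = (rec["src"], rec["proc"])
        if rec["proc"] not in ALLOWED_PROCESSES:
            findings.add(key + ("non-browser process using Sheets API",))
        if ":batchClear" in rec["path"]:
            findings.add(key + ("batchClear wipe of spreadsheet",))
        stamps_by_sheet[key + (spreadsheet_id(rec["path"]),)].append(rec["ts"])
    for (src, proc, sid), stamps in stamps_by_sheet.items():
        stamps.sort()
        for i in range(len(stamps) - burst_count + 1):
            if stamps[i + burst_count - 1] - stamps[i] <= burst_window:
                findings.add((src, proc, f"polling burst against spreadsheet {sid}"))
                break
    return sorted(findings)


def sample_log():
    """Constructed log: one implant-like Linux host and one ordinary browser user."""
    sid, t0 = "CONSTRUCTED_SPREADSHEET_ID", 1_700_000_000
    lines = [f"{t0} telco-edge-01 xapt {SHEETS_HOST} /v4/spreadsheets/{sid}/values:batchClear"]
    lines += [f"{t0 + i} telco-edge-01 xapt {SHEETS_HOST} /v4/spreadsheets/{sid}/values/A1"
              for i in range(1, 121)]
    lines += [f"{t0 + 600 * i} wks-07 chrome {SHEETS_HOST} /v4/spreadsheets/OTHER/values/B2"
              for i in range(5)]
    return lines
```

Running detect(sample_log()) reports the edge host three times (unknown process, batchClear, poll burst) and the browser user not at all; in production the allowlist would be replaced by the organization's own inventory of sanctioned integrations.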
INDICATORS OF COMPROMISE
Threat Actor:
- UNC2814 (Google/Mandiant designation)
- Suspected PRC-nexus cyber espionage actor
- Active since at least 2017
Malware:
- GRIDTIDE - Novel C-based backdoor using Google Sheets API as C2
- Cell A1: Commands from operator
- Cells A2-An: Data exfiltration channel
C2 Infrastructure:
- Google Sheets API (legitimate service abused as bidirectional C2)
- Google Calendar (fallback C2 channel)
- BitTorrent DHT (tertiary C2 channel)
Campaign Scope:
- 53 confirmed victim organizations across 42 countries
- Suspected infections in 70+ countries total
- Primary targets: Telecommunications providers and government agencies
Google Response:
- Terminated all attacker-controlled Cloud projects
- Disabled attacker accounts
- Revoked Google Sheets API access
- Sinkholed current and historical domains
- Notified all 53 confirmed victims
MITRE ATT&CK:
- T1102.002 - Web Service: Bidirectional Communication (Google Sheets C2)
- T1071.001 - Application Layer Protocol: Web Protocols
- T1567.002 - Exfiltration Over Web Service
REGULATORY EXPOSURE
This campaign affects organizations across 42 confirmed countries and potentially 70+ nations. The regulatory exposure is correspondingly global:
- GDPR (EU) - Articles 5(1)(f), 32, 33, and 34. Any EU-based telecom or government agency compromised by UNC2814 failed to ensure the integrity and confidentiality of personal data, failed to implement appropriate security measures, and may have failed to notify the relevant supervisory authority within 72 hours. Telecom subscriber data and national ID numbers represent high risk to individuals, triggering individual notification under Article 34. Fines: up to 20 million euros or 4% of annual global turnover, whichever is greater. For major European telecoms with revenues in the tens of billions, theoretical maximum fines reach hundreds of millions of euros.
- NIS2 Directive (EU) - Telecommunications providers are designated as essential entities under NIS2. Compromised EU telecoms face mandatory incident reporting (24-hour early warning, 72-hour notification, one-month final report) and administrative fines of up to 10 million euros or 2% of total annual worldwide turnover.
- UK GDPR / DPA 2018 - Any compromised UK telecoms or government bodies face ICO enforcement. Fines up to 17.5 million pounds or 4% of annual global turnover.
- United States - FCC rules require notification of breaches of customer proprietary network information (CPNI). SEC 8-K material incident disclosure applies to publicly traded US telecoms (4 business day deadline). FTC Act Section 5 covers unfair and deceptive practices related to data security failures.
- Saudi Arabia PDPL - Fines up to SAR 5 million (~$1.3 million). NCA Essential Cybersecurity Controls mandate specific security requirements for critical infrastructure including telecoms. SDAIA enforcement.
- UAE PDPL (Federal Decree-Law No. 45/2021) - Fines up to AED 10 million. TDRA telecom regulations impose additional requirements. DIFC and ADGM free zones have separate frameworks.
- Bahrain PDPL - Applicable to any compromised Bahraini telecoms or government entities.
- Qatar PDPA - QFC Data Protection Office oversight.
- Oman PDPL - Ministry of Transport, Communications and IT oversight.
- Egypt - Data Protection Law No. 151/2020 for any affected Egyptian organizations.
- Switzerland revFADP - Personal liability on individuals, with fines up to CHF 250,000 for natural persons.
- National security implications (all jurisdictions) - Beyond data protection law, a nine-year espionage campaign against telecommunications and government infrastructure implicates national security laws in every affected country. The intelligence value of decade-long access to telecom infrastructure across 42 countries cannot be quantified in regulatory fines alone.
ZERO|TOLERANCE Advisory
1. Implement aggressive patch management for edge devices and internet-facing infrastructure. All internet-facing devices - VPN gateways, firewalls, web application servers, and edge appliances - must be patched within 24-48 hours of critical vulnerability disclosure.
CISA's Known Exploited Vulnerabilities (KEV) catalog should trigger emergency patching. Dedicated patch cycles for edge infrastructure should run independently of general IT patching cadences.
2. Deploy cloud API usage monitoring and anomaly detection. Organizations must monitor which processes make API calls to cloud services and alert on non-browser processes communicating with sheets.googleapis.com, drive.googleapis.com, or equivalent cloud productivity APIs.
Sigma detection rules published by GTIG should be implemented immediately. Cloud Access Security Broker (CASB) tools and network detection platforms should flag anomalous API traffic patterns.
3. Monitor systemd service creation and unauthorized binary deployment on Linux servers. New systemd service installations should trigger alerts in EDR and SIEM platforms.
File integrity monitoring on critical system directories (/usr/sbin/, /var/tmp/, /etc/systemd/system/) is essential for telecommunications and government Linux infrastructure. Application whitelisting should prevent execution of unauthorized binaries.
4. Enforce network segmentation between internet-facing systems and internal infrastructure.
Zero-trust network architecture, micro-segmentation, and strict firewall rules between network zones would have limited the blast radius of initial compromise and prevented SSH-based lateral movement to systems containing subscriber data and administrative interfaces.
5. Detect and block unauthorized VPN deployments. Endpoint detection and response tools, application whitelisting, and network traffic analysis should identify SoftEther VPN Bridge installations and other unauthorized tunneling software.
Outbound encrypted connections to unknown external IP addresses from production telecom infrastructure should trigger immediate investigation.
6. Implement cloud identity governance and posture management. Cloud Security Posture Management (CSPM) tools should inventory all cloud service accounts, flag accounts with static or hardcoded credentials, and alert on unexpected API usage patterns.
Unauthorized Google Cloud service accounts performing Sheets API operations should be detectable and would have exposed the GRIDTIDE C2 infrastructure.
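For the systemd persistence in item 3 of the failure chain and advisory item 3 above, an added example that is neither a GTIG tool nor a GRIDTIDE sample: it hashes the units in a directory against a baseline, reports new or changed services, and inspects their ExecStart for launchers in untrusted directories or with names one character away from a system tool, as xapt is from apt. The directory, tool list and sample units are constructed; demo() builds them in a temp directory and returns the report.

```python
"""Audit systemd units for new/changed services and suspicious launchers. Added
illustration for this page, not a GTIG tool; names and thresholds are assumptions."""
import hashlib, os, re, tempfile

# Names an implant might imitate (constructed list; the page's case is xapt vs apt).
KNOWN_TOOLS = {"apt", "dpkg", "yum", "dnf", "sshd", "cron", "rsyslogd"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
EXEC_RE = re.compile(r"^ExecStart\s*=\s*-?(\S+)", re.M)


def snapshot(unit_dir):
    """Map each *.service filename to the sha256 of its content."""
    out = {}
    for name in sorted(os.listdir(unit_dir)):
        if name.endswith(".service"):
            with open(os.path.join(unit_dir, name), "rb") as fh:
                out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out


def lookalike(name):
    """True if name is a known tool with one extra character (xapt -> apt)."""
    return any(len(name) == len(t) + 1 and
               any(name[:i] + name[i + 1:] == t for i in range(len(name)))
               for t in KNOWN_TOOLS)


def inspect_unit(unit_path):
    """Reasons the unit's ExecStart looks suspicious (empty list if none)."""
    with open(unit_path) as fh:
        m = EXEC_RE.search(fh.read())
    if not m:
        return []
    binary, reasons = m.group(1), []
    if binary.startswith(UNTRUSTED_DIRS):
        reasons.append(f"ExecStart runs from untrusted directory: {binary}")
    if lookalike(os.path.basename(binary)):
        reasons.append(f"binary name imitates a system tool: {os.path.basename(binary)}")
    return reasons


def audit(unit_dir, baseline):
    """Return {unit: [reasons]} for units absent from or changed since baseline."""
    report = {}
    for name, digest in snapshot(unit_dir).items():
        if name not in baseline:
            reasons = ["new unit not in baseline"]
        elif baseline[name] != digest:
            reasons = ["unit content changed since baseline"]
        else:
            continue
        report[name] = reasons + inspect_unit(os.path.join(unit_dir, name))
    return report


def demo():
    """Constructed case: baseline with sshd, then a GRIDTIDE-style xapt unit appears."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "ssh.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    baseline = snapshot(d)
    with open(os.path.join(d, "xapt.service"), "w") as fh:
        fh.write("[Unit]\nDescription=apt helper\n[Service]\nExecStart=/usr/sbin/xapt\n")
    return audit(d, baseline)
```

Run against /etc/systemd/system with a baseline captured at build time, the same audit() call is what a periodic FIM job or SIEM collector would execute; package-ownership checks (dpkg -S, rpm -qf) are the natural next filter on a real host.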
SOURCES
Google Cloud Blog (GTIG), The Hacker News, BleepingComputer, The Record (Recorded Future News), SecurityWeek, The Register, Infosecurity Magazine, SC Media, Security Affairs, Cybersecurity Dive, CPO Magazine, Industrial Cyber, Mandiant, CISA (AA25-239A related advisory), Picus Security, SafeBreach, AttackIQ