Google and Allies Thwart Suspected Beijing Spy Operation, Disrupting Espionage Network
Four continents—America, Asia, Africa and Europe—were hit by a Beijing-linked espionage campaign that Google’s Threat Intelligence Group and unnamed industry partners disrupted, The Register reports.
Google’s Threat Intelligence Group (GTIG) says the operation, dubbed UNC2814, leveraged a novel backdoor called Gridtide that abuses the Google Sheets API to hide command‑and‑control traffic. By masquerading C2 traffic as legitimate spreadsheet calls, the attackers could move laterally across compromised networks without triggering typical detection rules, GTIG reported. After gaining initial footholds—often through compromised web servers or edge devices—the group escalated privileges with a root‑level payload named “xapt,” a binary that mimics a standard Debian/Ubuntu tool to evade scrutiny. Once elevated, the intruders deployed Gridtide via a “nohup ./xapt” command, ensuring persistence even after the user logged off, and then opened encrypted tunnels using SoftEther VPN Bridge to exfiltrate data, according to the threat‑hunters’ technical brief.
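As an added example (not from the article or GTIG's report), a small Python hunt over constructed egress-proxy log lines that flags the three behaviours described above: Sheets API traffic from server or edge hosts, an apt-lookalike binary launched from a relative path, and a root-owned VPN bridge process. The log format, hostnames, server-naming convention and the `vpnbridge` process name are assumptions.

```python
import re
# Constructed sample egress-proxy log (not from the article or GTIG's report).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web-edge-01 uid=0 proc=./xapt dst=sheets.googleapis.com:443 bytes=48213
2024-05-01T10:00:05Z host=ws-finance-07 uid=1042 proc=chrome dst=sheets.googleapis.com:443 bytes=1922
2024-05-01T10:00:09Z host=web-edge-01 uid=0 proc=./xapt dst=sheets.googleapis.com:443 bytes=51007
2024-05-01T10:01:12Z host=web-edge-01 uid=0 proc=vpnbridge dst=203.0.113.45:443 bytes=4194304
2024-05-01T10:02:00Z host=db-core-02 uid=0 proc=/usr/bin/apt-get dst=deb.debian.org:80 bytes=30211
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)

# Assumed naming convention: these prefixes denote servers and edge devices,
# which have no legitimate reason to call the Sheets API.
SERVER_PREFIXES = ("web-", "db-", "edge-", "gw-")
SHEETS_API_HOST = "sheets.googleapis.com"
# Assumed process name for SoftEther VPN Bridge.
VPN_BRIDGE_BINARIES = {"vpnbridge"}
# Names that look like the Debian/Ubuntu apt tooling (matches xapt as well).
APT_LIKE = re.compile(r"x?apt(-\w+)?")

def classify(rec):
    """Return the detection reasons that apply to one parsed log record."""
    reasons = []
    if rec["dst"] == SHEETS_API_HOST and rec["host"].startswith(SERVER_PREFIXES):
        reasons.append("sheets-api-from-server")
    # An apt lookalike launched from ./ rather than /usr/bin is the xapt pattern.
    base = rec["proc"].rsplit("/", 1)[-1]
    if APT_LIKE.fullmatch(base) and rec["proc"].startswith("./"):
        reasons.append("apt-lookalike-relative-path")
    if base in VPN_BRIDGE_BINARIES and rec["uid"] == "0":
        reasons.append("root-vpn-bridge-egress")
    return reasons

def find_suspicious(log_text):
    """Parse log lines; return (host, proc, dst, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        rec = m.groupdict()
        reasons = classify(rec)
        if reasons:
            hits.append((rec["host"], rec["proc"], rec["dst"], reasons))
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` flags the two root-owned `./xapt` calls to the Sheets API from the edge host and the root `vpnbridge` egress, while the workstation's browser session and the real `/usr/bin/apt-get` pass.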
The campaign, which GTIG uncovered while assisting a Mandiant investigation, affected 53 victims in 42 countries across the Americas, Asia, Africa and Europe, with suspected infections in at least 20 additional nations. The victims were primarily telecom operators and government agencies, sectors historically targeted by Chinese state‑aligned actors for surveillance of dissidents, activists and strategic intelligence gathering. “The kind of access UNC2814 achieved during this campaign would likely enable this kind of operation,” GTIG tech lead Dan Perez told The Register, noting that the group’s tactics align with previous PRC‑nexus espionage intrusions that focus on high‑value communications infrastructure.
In response, Google terminated every Google Cloud project that UNC2814 had commandeered and disabled all known infrastructure tied to the group. Access to the Google Sheets API for the compromised accounts was revoked, effectively cutting off the Gridtide backdoor’s C2 channel. While GTIG declined to name its industry partners, the coordinated takedown involved “other teams” that helped locate and dismantle the malicious assets, the report added. The effort marks the first time Google has publicly disclosed a direct intervention against a state‑linked espionage operation that weaponized its own productivity suite.
UNC2814 is not linked to the previously identified Salt Typhoon group, which has been blamed for a series of attacks on U.S. telecom firms since 2019. GTIG’s analysis confirms no overlap between the two, underscoring the breadth of Chinese cyber‑espionage activity that now spans multiple, independently operating threat actors. The distinction is important for defenders, as each group employs different toolchains and infrastructure—UNC2814’s reliance on Google Sheets, for example, contrasts sharply with Salt Typhoon’s more traditional malware drops.
The disruption comes amid heightened scrutiny of China’s cyber operations worldwide. Recent reports have highlighted Beijing‑linked actors embedding themselves in U.S. energy and telecom networks, prompting regulatory bodies such as the FCC to tighten security rules despite ongoing espionage risks. Google’s decisive action illustrates how cloud providers can leverage their control over platform APIs to neutralize threats that exploit their services, a tactic that may become a model for future defensive collaborations between tech firms and industry partners.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.