
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches in 42 Countries

Ravie Lakshmanan, February 25, 2026. Cyber Espionage / Network Security

Google on Wednesday disclosed that it has worked with industry partners to disrupt the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814, which has breached at least 53 organizations in 42 countries.

“This prominent actor has a long history of targeting international governments and telecommunications organizations around the world in Africa, Asia, and the Americas,” Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today.

UNC2814 is also suspected of being linked to additional infections in more than 20 other nations. The threat actor, which the technology giant has been tracking since 2017, has been observed using API calls to software-as-a-service (SaaS) applications as command-and-control (C2) infrastructure. The idea is to disguise malicious traffic as legitimate.

Central to the hacking group’s operations is a novel backdoor called GRIDTIDE that abuses the Google Sheets API as a communication channel to hide C2 traffic and to carry data and shell commands. It is C-based malware that supports file upload/download and arbitrary shell command execution.

How exactly UNC2814 gains initial access is still a subject of investigation, but the group is said to have a history of exploiting and compromising web servers and endpoint systems.

In one attack, the threat actor used a service account to move through the environment via SSH. The actor also relied on living-off-the-land (LotL) binaries to conduct reconnaissance, escalate privileges, and set up persistence for the backdoor.

“To achieve persistence, the threat actor created a malware service in /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was started in /usr/sbin/xapt,” Google explained.

Another notable feature is the deployment of SoftEther VPN Bridge to establish an encrypted outbound connection to an external IP address. It is worth noting that the use of SoftEther VPN has been linked to many Chinese hacking groups.

There is evidence to suggest that GRIDTIDE has been deployed to systems that hold personally identifiable information (PII), a capability relevant to cyber espionage work focused on monitoring individuals of interest. Google, however, noted that it did not observe any data exfiltration during the campaign.

GRIDTIDE execution lifecycle

GRIDTIDE’s C2 method relies on cell-based polling, in which specific cells of the spreadsheet are assigned roles to enable bi-directional communication:

  • A1, polled for the attacker’s commands and overwritten with a status response (e.g., SCR, or Server-Command-Success)
  • A2-An, used to transfer data such as command output and files
  • V1, used to store system information about the victim host
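The cell-polling loop described above has a network-side signature: a host that keeps reading the same small range of one spreadsheet on a steady timer. As an added example (not code from Google’s report or from the malware), the script below scans a constructed proxy-log excerpt for that pattern; the hostnames, the SHEET_A/SHEET_B identifiers and the 30-second period are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt (timestamp, source host, method, URL), not taken from
# the report; SHEET_A and SHEET_B are placeholders for real spreadsheet identifiers.
SAMPLE_LOG = """\
2026-02-20T10:00:00Z srv-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1
2026-02-20T10:00:30Z srv-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1
2026-02-20T10:01:00Z srv-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1
2026-02-20T10:01:02Z srv-db-01 PUT https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1?valueInputOption=RAW
2026-02-20T10:01:30Z srv-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1
2026-02-20T10:02:00Z srv-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_A/values/A1
2026-02-20T10:00:12Z wks-bob GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/A1:D40
2026-02-20T10:07:45Z wks-bob GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/A1:D40
2026-02-20T10:44:03Z wks-bob GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/A1:D40
2026-02-20T11:51:20Z wks-bob GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/A1:D40
2026-02-20T11:59:58Z wks-bob GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_B/values/A1:D40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+)$")
SHEETS_RE = re.compile(r"sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^?]+)")

def parse_sheets_requests(log_text):
    """Yield (timestamp, host, method, sheet_id, cell_range) for Sheets 'values' API calls."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        s = SHEETS_RE.search(m.group(4)) if m else None
        if s:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(3), s.group(1), s.group(2))

def find_sheet_beacons(log_text, min_reads=5, max_cv=0.2):
    """Return [(host, sheet_id, cell_range, reads, mean_gap_s, cv)] for hosts that re-read
    the same range of one spreadsheet on a near-constant timer (a command-polling loop)."""
    reads = defaultdict(list)
    for ts, host, method, sheet, rng in parse_sheets_requests(log_text):
        if method == "GET":                      # writes (status/output) are not polling
            reads[(host, sheet, rng)].append(ts)
    flagged = []
    for key, times in ((k, sorted(t)) for k, t in reads.items() if len(t) >= min_reads):
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # jitter relative to the polling period
        if cv <= max_cv:
            flagged.append((*key, len(times), avg, round(cv, 3)))
    return flagged
```

The irregular, human-paced reads from wks-bob fall out on jitter alone, while the fixed 30-second reads of a single cell from a database server are flagged; in practice the result should be joined with asset data, since a server has little reason to read Google Sheets at all.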

As part of the disruption, Google said it has terminated all Google Cloud Projects controlled by the attacker, disabled all known UNC2814 infrastructure, and blocked access to attacker-controlled accounts and the Google Sheets API calls the actor used for command and control (C2).

The tech giant described UNC2814 as one of the “far-reaching, impactful campaigns” encountered in recent years, adding that it has issued notifications to the targeted victims and is actively supporting organizations with confirmed compromises caused by this threat.

The latest disruption is one of several concurrent efforts against Chinese state-sponsored groups seeking to embed themselves in networks for the long haul. The development also highlights that the network edge continues to dominate cyber exploitation efforts, with threat actors routinely exploiting weaknesses and vulnerabilities in such devices as a common entry point into corporate networks.

These devices have become attractive targets in recent years as they often lack the ability to detect malware, but provide direct network access or pivot points to internal services when compromised.

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected activities in more than 70 countries, underscores the serious threat facing the telecommunications and government sectors, and the power of these intrusions to avoid detection by defenders,” Google said.

“Major interventions of this scale are often the result of years of concentrated effort and cannot be easily undone. We expect that UNC2814 will work hard to re-establish its global position.”
