UNC2814 — A Decade of Silent Global Espionage

There's something almost unsettling about this when you really sit with it. A hacking group, suspected to be backed by the Chinese state, has been quietly tunneling through telecom and government networks across four continents — and they used Google Sheets to do it. Not some exotic, dark-web tool. Google Sheets. The same app your coworker uses to track a vacation budget.

Google's Threat Intelligence Group (GTIG), working alongside Mandiant and a broader coalition of partners, confirmed that the threat actor — tracked internally as UNC2814 — has been active since at least 2017. That's nearly a decade of sustained, focused, global operations. By the time the disruption was executed in February 2026, the group had confirmed intrusions in 53 organizations across 42 countries on four continents, with suspected activity in at least 20 additional nations.

UNC2814 is a suspected People's Republic of China (PRC)-nexus cyber espionage group. Its focus has been consistent: international governments and telecommunications organizations across Africa, Asia, and the Americas. Most of Latin America, Eastern Europe, Russia, parts of Africa, and parts of South Asia were hit. Western Europe — with the notable exception of Portugal — and the United States were largely untouched.

And critically: UNC2814 has no observed overlaps with Salt Typhoon, the separately reported PRC-linked telecom threat actor. These are distinct groups using distinct tools and tactics.

The GRIDTIDE Backdoor — Hiding in Plain Sight Inside Google Sheets

What GRIDTIDE Actually Does

GRIDTIDE is a C-based backdoor that can execute arbitrary shell commands and upload files to, or download files from, a compromised system. What makes it genuinely clever, and genuinely alarming, is not that capability set (which is ordinary) but how it talks to its operators.

Instead of reaching out to a suspicious remote server that any decent network monitor might flag, GRIDTIDE sends HTTPS requests to legitimate Google infrastructure. Specifically, it uses the Google Sheets API as its command-and-control (C2) channel. To a network monitor, that traffic looks identical to a developer querying a spreadsheet. Because it is.

This isn't exploitation of a security flaw in Google's products. That's an important distinction. UNC2814 relied on legitimate Google Sheets API functionality working exactly as intended — they just abused it. The malicious traffic blended seamlessly with normal enterprise cloud activity, raising no alarms.

How the Spreadsheet Becomes a Command Terminal

GRIDTIDE treats a Google Spreadsheet not as a document, but as a live communication channel. Here's how the mechanics work:

When executed, the malware first sanitizes the spreadsheet by deleting the first 1,000 rows across columns A to Z using the batchClear API method. This clears any residual data from previous sessions without leaving obvious artifacts.

Then it fingerprints the victim system — collecting username, endpoint name, OS details, local IP address, current working directory, language settings, and local time zone — and writes that encoded metadata to cell V1 of the attacker-controlled sheet.

From there, GRIDTIDE enters a cell-based polling loop:

  • Cell A1 — The malware polls this cell continuously for operator commands. If no command exists, it sleeps for one second and checks again. After 120 failed checks, it extends the sleep to a random 5–10 minutes — likely to reduce noise when operators aren't active.
  • Cells A2 through An — Used for data transfer: command output, tool uploads, or file exfiltration.
  • Cell V1 — Stores the victim system metadata, updated each time the backdoor initializes.

Commands follow a structured four-part syntax: ---. The operator inserts encoded instructions into specific cells; GRIDTIDE decodes and executes them, then posts a Server status response back into cell A1 confirming success (S-C-R) or reporting an error.

Encryption and Obfuscation Layers

GRIDTIDE doesn't communicate in plain text. The malware expects a 16-byte cryptographic key stored in a separate file on the compromised host at execution time. It uses this key to decrypt its Google Drive configuration data via AES-128 in Cipher Block Chaining (CBC) mode. That configuration holds the Google Service Account credentials and the Spreadsheet ID needed to access the attacker's command sheet.

For all data sent and received over the API, GRIDTIDE uses URL-safe Base64 (the RFC 4648 section 5 alphabet), which replaces the standard + and / characters with - and _. The practical reason is transport: values that end up in cell contents, URL paths and query strings must not contain characters that need percent-encoding. A side effect is that the payloads contain nothing a simple content filter would consider an unusual character pattern, so nothing in the request body looks out of place. The encoding is not itself a defence against analysis: any triage tooling just has to accept both alphabets and tolerate missing = padding.
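To make the cell layout concrete from the analyst's side, here is an added example (not GTIG's or Mandiant's code, and not GRIDTIDE's) that takes a dump of the sheet's cells, in the shape the Sheets API values.batchGet would return them, and decodes each cell according to the role described above: A1 as the command/status slot, V1 as the victim fingerprint, A2..An as the transfer buffer. The decoder accepts both the URL-safe and the standard Base64 alphabet with or without padding. The cell contents, the pipe-separated field layout in V1 and the output text in A2/A3 are constructed for the demo; the page does not document GRIDTIDE's inner format for metadata or commands, so do not treat those layouts as real.

```python
import base64
import binascii
import re
from typing import Dict, Optional


def _b64url(raw: bytes) -> str:
    """URL-safe Base64 without padding, as the malware is described as using."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample of an attacker sheet's populated cells (keys are A1-style
# references). Roles follow the page; the decoded contents are made up for the demo.
SAMPLE_CELLS: Dict[str, str] = {
    "A1": _b64url(b"S-C-R"),                                   # status slot
    "A2": _b64url(b"uid=0(root) gid=0(root) groups=0(root)\n"),  # command output
    "A3": _b64url(b"/var/tmp/xapt\n/var/tmp/xapt.cfg\n"),        # more output
    "V1": _b64url(b"root|web01|CentOS Linux 7|10.0.0.5|/var/tmp|en_US.UTF-8|UTC"),
}

_CELL_RE = re.compile(r"^([A-Z]+)(\d+)$")


def decode_cell(value: str) -> Optional[bytes]:
    """Decode a cell that may use the URL-safe alphabet (-, _) or the standard
    one (+, /), with or without '=' padding. Returns None if it is not Base64."""
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding the sender may have stripped
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_sheet(cells: Dict[str, str]) -> dict:
    """Map cells onto GRIDTIDE's roles and reassemble the A2..An transfer buffer."""
    result = {
        "status_or_command": None,  # A1: operator command or implant status reply
        "victim_metadata": None,    # V1: fingerprint written at initialisation
        "transfer": b"",            # A2..An: output, uploaded tools, exfiltrated files
        "undecodable": [],          # cells that were not Base64 at all
    }
    transfer_rows = []
    for ref, val in cells.items():
        m = _CELL_RE.match(ref)
        if not m:
            continue
        col, row = m.group(1), int(m.group(2))
        decoded = decode_cell(val)
        if decoded is None:
            result["undecodable"].append(ref)
            continue
        if (col, row) == ("A", 1):
            result["status_or_command"] = decoded.decode("utf-8", "replace")
        elif (col, row) == ("V", 1):
            result["victim_metadata"] = decoded.decode("utf-8", "replace")
        elif col == "A" and row >= 2:
            transfer_rows.append((row, decoded))
    # Transfer data is spread over A2..An in row order; join it back together.
    result["transfer"] = b"".join(d for _, d in sorted(transfer_rows))
    return result


if __name__ == "__main__":
    for k, v in triage_sheet(SAMPLE_CELLS).items():
        print(f"{k}: {v!r}")
```

Because the implant clears A1:Z1000 with batchClear on every start, a sheet recovered after takedown usually shows only the last session; the transfer buffer is therefore worth pulling the moment access to the attacker's spreadsheet is obtained.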

How UNC2814 Got In — Initial Access and Post-Compromise Activity

Initial Foothold and Privilege Escalation

The exact initial access vector for this specific GRIDTIDE campaign hasn't been definitively confirmed. However, UNC2814 has a documented history of exploiting and compromising web servers and edge systems to gain entry — and that pattern likely applies here.

Detection came through Mandiant's use of Google Security Operations (SecOps) for continuous monitoring across its global customer base. An automated detection flagged suspicious activity on a CentOS server. What analysts found was a telling process tree: a binary at /var/tmp/xapt, named after a legitimate legacy Debian cross-building tool so it would look benign on a process list (and, on a CentOS host, all the more out of place), had spawned a shell with root privileges that immediately ran sh -c id 2>&1, the classic check an operator makes to confirm privilege escalation worked.

That single behavioral indicator — a binary from /var/tmp/ spawning a root shell — was enough to trigger the investigation.

Lateral Movement, Persistence, and VPN Tunneling

After gaining initial access, the attacker moved laterally over SSH using a service account. They relied on built-in system tools (living-off-the-land binaries) to gather information and escalate their access rather than dropping additional tooling.

Persistence was established through a systemd service created at /etc/systemd/system/xapt.service. This ensured GRIDTIDE would restart automatically and survive system reboots. The backdoor was initially launched with nohup ./xapt, allowing it to keep running even after the operator's session ended.
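Two host-side checks that follow directly from the artifacts above, given here as an added example rather than Mandiant's detection content: a parser that flags systemd units whose Exec* directives point into world-writable scratch directories, and a process-tree check for a root shell spawned by an executable living in such a directory (the /var/tmp/xapt spawning sh -c id pattern from the initial detection). The unit file text and the process events are constructed to resemble the described artifacts; the event schema (pid, ppid, uid, exe, cmdline) is an assumption, so adapt it to your EDR's field names.

```python
import os
import re
import shlex
from typing import Dict, List, Tuple

# World-writable scratch space is where dropped implants end up; a legitimate
# service binary has no business being launched from here.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

_EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Reload|Stop)\s*=\s*(.+)$")


def unit_exec_paths(unit_text: str) -> List[str]:
    """Return the executable of every Exec* directive in a systemd unit."""
    paths = []
    for line in unit_text.splitlines():
        m = _EXEC_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group(1).lstrip("-@:+!")  # strip systemd's exec-prefix characters
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        if argv:
            paths.append(argv[0])
    return paths


def suspicious_unit(unit_text: str) -> List[str]:
    """Exec paths of the unit that point into scratch directories."""
    return [p for p in unit_exec_paths(unit_text) if p.startswith(SCRATCH_DIRS)]


# Constructed unit resembling the persistence described above (not the real file).
SAMPLE_UNIT = """[Unit]
Description=xapt
After=network.target

[Service]
Type=simple
WorkingDirectory=/var/tmp
ExecStart=/var/tmp/xapt
Restart=always

[Install]
WantedBy=multi-user.target
"""


def scan_unit_dir(directory: str = "/etc/systemd/system") -> Dict[str, List[str]]:
    """Live check over on-disk units: {unit_path: [suspicious exec paths]}."""
    hits = {}
    for name in os.listdir(directory):
        if not name.endswith(".service"):
            continue
        path = os.path.join(directory, name)
        with open(path, errors="replace") as fh:
            bad = suspicious_unit(fh.read())
        if bad:
            hits[path] = bad
    return hits


# Process-tree check. Events are constructed; the field names are an assumption.
SAMPLE_EVENTS = [
    {"pid": 4021, "ppid": 1,    "uid": 0,    "exe": "/var/tmp/xapt", "cmdline": "./xapt"},
    {"pid": 4022, "ppid": 4021, "uid": 0,    "exe": "/usr/bin/sh",   "cmdline": "sh -c id 2>&1"},
    {"pid": 4030, "ppid": 1,    "uid": 1000, "exe": "/usr/bin/bash", "cmdline": "bash"},
    {"pid": 4031, "ppid": 4030, "uid": 1000, "exe": "/usr/bin/sh",   "cmdline": "sh -c id"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}


def root_shells_from_scratch(events) -> List[Tuple[str, str]]:
    """(parent exe, shell cmdline) for every root shell whose parent runs from scratch space."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (os.path.basename(e["exe"]) in SHELLS
                and e["uid"] == 0
                and parent["exe"].startswith(SCRATCH_DIRS)):
            hits.append((parent["exe"], e["cmdline"]))
    return hits


if __name__ == "__main__":
    print("unit:", suspicious_unit(SAMPLE_UNIT))
    print("process tree:", root_shells_from_scratch(SAMPLE_EVENTS))
```

The unit check is deliberately broader than the xapt.service name: an operator can rename the unit in seconds, but a service that has to start an implant from /var/tmp has a much harder time hiding its ExecStart. The process check keys on the same two facts the original alert did, the parent's location and the child's effective uid, and ignores the unprivileged sh -c id in the sample, which is exactly the false positive a rule keyed only on the command line would raise.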

In addition to GRIDTIDE, UNC2814 also used SoftEther VPN Bridge to create an encrypted connection to outside systems. The VPN setup details revealed something noteworthy: UNC2814 had been using this specific infrastructure since July 2018—indicating that they have maintained long-term operational systems alongside their spying activities.

What Was Being Targeted — and Why

GRIDTIDE was dropped onto endpoints containing personally identifiable information (PII), including full names, phone numbers, dates of birth, places of birth, voter ID numbers, and national ID numbers.

GTIG’s assessment is clear: this targeting pattern matches telecom-focused cyber espionage, which is mainly used to identify, track, and monitor people of interest. In the past, China-linked attacks against telecom companies have led to the theft of call records, unencrypted text messages, and the misuse of lawful intercept systems—the same tools governments use for authorized surveillance.

While GTIG did not directly observe data exfiltration during this campaign, the access UNC2814 achieved would plausibly enable clandestine surveillance of dissidents, activists, and traditional intelligence targets.

Google and Mandiant's Coordinated Disruption of UNC2814

Terminating the Attacker's Infrastructure

When GTIG moved, they moved comprehensively. The disruption actions included:

  • Terminating all Google Cloud Projects controlled by UNC2814, severing their persistent access to every environment compromised by the GRIDTIDE backdoor
  • Identifying and disabling all known UNC2814 infrastructure, including sinkholing both current and historical domains used by the group since at least 2023
  • Disabling attacker accounts and revoking the actor's access to the Google Sheets API it used for C2
  • Issuing formal victim notifications to all 53 confirmed affected organizations and providing active support to those with verified compromises
  • Releasing a public set of Indicators of Compromise (IOCs) — including IP addresses, domains, file hashes, and YARA rules — linked to UNC2814 infrastructure active since 2023

Detection Capabilities for Defenders

For organizations running Google Security Operations (SecOps), detections for UNC2814 activity were refined and implemented under the Mandiant Hunting rule pack. Key rule names include:

  • Suspicious Shell Execution From Var Directory
  • Suspicious Sensitive File Access Via SSH
  • Potential Google Sheets API Data Exfiltration
  • Config File Staging in Sensitive Directories

Hunting queries have also been made available to help organizations search their own environments, including one that identifies non-browser processes making HTTPS requests to sheets.googleapis.com whose URLs contain batchClear, batchUpdate, or the valueRenderOption=FORMULA parameter. Individually, each of those is something a legitimate integration can produce; together, and coming from a process that is not a browser, they are a strong fingerprint for GRIDTIDE-style C2 communication. Expect to tune the non-browser condition against whatever automation in your environment legitimately talks to Sheets.

The Scope of What Was Dismantled

The disruption didn't just cut a wire — it collapsed an operational network that took, by GTIG's own assessment, a decade of concentrated effort to build. UNC2814's global footprint represented years of carefully cultivated access across governments and telecom providers on four continents. Re-establishing that kind of reach won't be quick or easy. GTIG expects the group to try — but the infrastructure they relied on is gone.

Key Technical Artifacts and Indicators of Compromise

Host-Based Artifacts

Artifact         Description
xapt             GRIDTIDE backdoor binary
xapt.cfg         Decryption key file for Google Drive configuration
xapt.service     Malicious systemd service for persistence
hamcore.se2      SoftEther VPN Bridge component
pmp / pmp.cfg    GRIDTIDE variant and associated key file

Notable Network Indicators

GRIDTIDE communicates exclusively with sheets.googleapis.com over port 443. The specific API endpoints it hits are:

  • /v4/spreadsheets//values/A1?valueRenderOption=FORMULA — polling for commands
  • /v4/spreadsheets//values:batchClear — clearing the sheet on initialization
  • /v4/spreadsheets//values:batchUpdate — exfiltrating data and reporting status

The User-Agent string Google-HTTP-Java-Client/1.42.3 (gzip) appears on GRIDTIDE's API calls and is a useful pivot in network logs. Keep in mind, though, that it is simply the default User-Agent of Google's Java HTTP client library, so legitimate Java integrations on your network will present the same string; treat it as something to combine with the endpoint pattern and the originating process, not as an indicator on its own. That a C-based implant presents a Java client's User-Agent is itself a mismatch worth noting when you see it.
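The hunting logic described under Detection Capabilities above and the endpoint list in this section reduce to one check, shown here as an added example (not the SecOps hunting query or Mandiant's rule, and not GRIDTIDE's code) run over constructed proxy log lines. The log format (timestamp, source IP, originating process, method, URL, quoted User-Agent) is an assumption made for the demo, as is the placeholder spreadsheet ID 1AbC; adapt parse_line() to your proxy or EDR schema. The sample includes a browser request and a legitimate-looking reporting job so the exclusions can be seen working.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed log lines. Format: ts src process method url "user-agent".
SAMPLE_LOGS = """\
2026-02-11T09:14:01Z 10.0.0.5 /var/tmp/xapt POST https://sheets.googleapis.com/v4/spreadsheets/1AbC/values:batchClear "Google-HTTP-Java-Client/1.42.3 (gzip)"
2026-02-11T09:14:02Z 10.0.0.5 /var/tmp/xapt GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/A1?valueRenderOption=FORMULA "Google-HTTP-Java-Client/1.42.3 (gzip)"
2026-02-11T09:15:30Z 10.0.0.5 /var/tmp/xapt POST https://sheets.googleapis.com/v4/spreadsheets/1AbC/values:batchUpdate "Google-HTTP-Java-Client/1.42.3 (gzip)"
2026-02-11T09:16:00Z 10.0.0.7 /usr/bin/firefox GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/A1?valueRenderOption=FORMULA "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
2026-02-11T09:17:00Z 10.0.0.9 /opt/reporting/etl GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:D20 "Google-HTTP-Java-Client/1.42.3 (gzip)"
2026-02-11T09:18:00Z 10.0.0.9 /opt/reporting/etl POST https://www.googleapis.com/drive/v3/files "Google-HTTP-Java-Client/1.42.3 (gzip)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
BROWSERS = {"firefox", "chrome", "chromium", "google-chrome", "msedge", "safari"}
C2_METHODS = ("values:batchClear", "values:batchUpdate")
JAVA_CLIENT_UA = "Google-HTTP-Java-Client/"   # a pivot, not an indicator on its own


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> List[str]:
    """Reasons this request matches the GRIDTIDE C2 fingerprint; [] if it does not."""
    u = urlsplit(rec["url"])
    if u.hostname != "sheets.googleapis.com":
        return []
    reasons = []
    if any(u.path.endswith(method) for method in C2_METHODS):
        reasons.append(u.path.rsplit("/", 1)[-1])          # e.g. "values:batchClear"
    if parse_qs(u.query).get("valueRenderOption") == ["FORMULA"]:
        reasons.append("valueRenderOption=FORMULA")
    if not reasons:
        return []                                           # ordinary Sheets usage
    proc = rec["proc"].rsplit("/", 1)[-1].lower()
    if proc in BROWSERS:
        return []                                           # the hunt excludes browsers
    if rec["ua"].startswith(JAVA_CLIENT_UA):
        reasons.append("ua:" + JAVA_CLIENT_UA.rstrip("/"))  # corroborating, not decisive
    return reasons


def hunt(lines) -> List[Tuple[str, str, List[str]]]:
    """(src, process, reasons) for every line that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["proc"], reasons))
    return hits


if __name__ == "__main__":
    for src, proc, reasons in hunt(SAMPLE_LOGS.splitlines()):
        print(src, proc, ", ".join(reasons))
```

The reporting job at 10.0.0.9 reads a range with neither batchClear, batchUpdate nor valueRenderOption=FORMULA and so is left alone even though it carries the same Java-client User-Agent, while the browser at 10.0.0.7 is excluded by process name. Once a host matches, the one-second A1 polling cadence described earlier is a second, volume-based tell: count matching requests per source over a few minutes and a GRIDTIDE implant stands out from any human-driven or scheduled integration.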

A full collection of IOCs — including over 150 C2 domains and multiple attacker IP addresses — is publicly available through Google Threat Intelligence on VirusTotal.