Google disrupts China-linked cyberespionage campaign spanning dozens of countries
Google has disrupted a long-running China-linked cyberespionage campaign targeting telecommunications providers and government organizations across dozens of countries.
The campaign, attributed by Google Threat Intelligence to a group tracked as UNC2814, affected at least 53 organizations across 42 countries, the company said in a report on Wednesday. The group has been active since at least 2017 and has a history of targeting international governments and telcos across Africa, Asia and the Americas.
“This prolific scope is likely the result of a decade of concentrated effort,” Google said.
The attackers used a newly identified backdoor called Gridtide and abused legitimate Google Sheets functionality to conceal command-and-control communications, making malicious activity appear as normal cloud traffic.
“The actor could easily make use of other cloud-based spreadsheet platforms in the same manner,” researchers said.
The initial entry point in this campaign remains unclear, but UNC2814 has historically gained initial access by compromising web servers and edge devices.
Google said it did not directly observe data being stolen during the operation it disrupted, but in at least one case the Gridtide malware was installed on systems containing sensitive personal information, including names, phone numbers, dates and places of birth, and national or voter identification numbers.
Researchers said such targeting was consistent with broader cyberespionage operations focused on telecommunications networks, which can allow intruders to identify and track individuals or monitor communications. Similar campaigns in the past have enabled access to call data records, SMS messages and lawful interception systems used by telecom operators, according to the report.
“The access UNC2814 achieved during this campaign would likely enable clandestine efforts to similarly surveil targets,” they added.
Google said it had seen no overlap between UNC2814 and the Chinese-linked espionage group known as Salt Typhoon, describing them as distinct operations that target different victims using different methods.
Google Threat Intelligence Group, Mandiant and other partners identified and disabled all known UNC2814 infrastructure, though they expect the group “will work hard to re-establish their global footprint.”
Beijing has not publicly commented on Google’s findings. China has repeatedly denied conducting cyberespionage operations abroad.
Earlier this month, Singapore authorities said another suspected China-linked group had carried out a targeted campaign against the country’s four main telecommunications operators. The group, tracked as UNC3886, gained unauthorized access to parts of telecom networks and, in one case, reached limited portions of critical systems.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.