TL;DR: Google disclosed on February 25 that it worked with Mandiant to dismantle infrastructure used by UNC2814, a suspected Chinese government-linked hacking group that breached 53 organizations across 42 countries. The attackers used a custom backdoor called GRIDTIDE that hid its command-and-control traffic inside Google Sheets, making hostile communications look like normal spreadsheet activity. Targets included governments and telecoms across Africa, Asia, and the Americas. Google killed their cloud projects, revoked API access, and notified victims. No data theft was observed, but the hackers had access to systems containing voter IDs, national identification numbers, and personal data across four continents.
Hiding Espionage in Spreadsheets
UNC2814 didn't use some obscure dark web server for command-and-control. They used Google Sheets [1].
The group's custom malware, dubbed GRIDTIDE by researchers, communicated with operators through spreadsheet cells. Cell A1 polled for commands and returned status updates. Cells A2 through An transferred stolen data and command output. Cell V1 stored victim system information [1].
From the outside, it looked like normal SaaS activity. Network defenders watching for suspicious traffic would see requests to Google's APIs, indistinguishable at a glance from any other cloud application.
The binary lived at /var/tmp/xapt and ran with root privileges, mimicking legitimate Debian/Ubuntu system tools [2]. Persistence came through a systemd service file at /etc/systemd/system/xapt.service. Standard malware hiding techniques, but the Google Sheets trick made detection significantly harder.
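As an added illustration of the detection side (not code from Google, Mandiant or the cited reporting), the script below scores Google Sheets API requests from a constructed proxy log for the near-constant polling cadence a command cell like A1 would produce; the log format, host names and spreadsheet IDs are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real telemetry): "<ISO time> <src host> <method> <url>"
SAMPLE_LOG = """\
2026-02-18T10:00:00 db-srv-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1
2026-02-18T10:00:30 db-srv-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1
2026-02-18T10:01:00 db-srv-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1
2026-02-18T10:01:30 db-srv-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1
2026-02-18T10:02:00 db-srv-07 PUT https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A2:A40
2026-02-18T10:02:00 db-srv-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1
2026-02-18T09:12:41 wks-alice GET https://sheets.googleapis.com/v4/spreadsheets/1ZzYyXxWwVv/values/Budget!A1:F50
2026-02-18T11:47:09 wks-alice GET https://sheets.googleapis.com/v4/spreadsheets/1ZzYyXxWwVv/values/Budget!A1:F50
2026-02-18T10:00:05 db-srv-07 GET https://www.example.org/status
"""

# Sheets API v4 path shape: /v4/spreadsheets/{spreadsheetId}/values/{range}
SHEETS_RE = re.compile(
    r"^(\S+) (\S+) (\S+) https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^?\s]+)"
)

def parse_sheets_calls(log_text):
    """Return (timestamp, host, method, spreadsheet_id, range) for Sheets API calls only."""
    calls = []
    for line in log_text.splitlines():
        m = SHEETS_RE.match(line)
        if m:
            ts, host, method, sheet_id, rng = m.groups()
            calls.append((datetime.fromisoformat(ts), host, method, sheet_id, rng))
    return calls

def find_beaconing(calls, min_polls=4, max_jitter_ratio=0.2):
    """Flag (host, spreadsheet, range) read at a near-constant interval: evenly spaced
    GETs of one small range match the command-cell polling described for GRIDTIDE."""
    series = defaultdict(list)
    for ts, host, method, sheet_id, rng in calls:
        if method == "GET":
            series[(host, sheet_id, rng)].append(ts)
    findings = []
    for (host, sheet_id, rng), times in series.items():
        times.sort()
        if len(times) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            findings.append({"host": host, "spreadsheet": sheet_id, "range": rng,
                             "polls": len(times), "interval_s": round(mean, 1)})
    return findings
```

The analyst's sporadic reads of a budget sheet are not flagged; the server reading one cell every 30 seconds is.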
53 Confirmed Breaches, 70+ Countries Touched
Google's Threat Intelligence Group has tracked UNC2814 since 2017 [1]. As of February 18, the investigation identified:
- 53 confirmed victim organizations across 42 countries
- 20+ additional countries with suspected infections
- Four continents, including Africa, Asia, and the Americas
- Nearly a decade of sustained operations
Google called it one of "the most far-reaching, impactful campaigns" in recent years [1]. That's a high bar when you're competing with Salt Typhoon's global telecom breach.
Speaking of which: UNC2814 is not the same group as Salt Typhoon, though both are linked to Chinese state interests [2]. Different operators, different infrastructure, same general playbook: burrowing into telecoms and governments for long-term access.
Governments and Telecoms: The Usual Targets
UNC2814 focused on two primary sectors:
- Telecommunications providers: Access to call records, network infrastructure, and subscriber data
- Government agencies: Political intelligence, diplomatic communications, citizen databases
The attackers also targeted individuals: activists and others of surveillance interest [2]. This isn't just infrastructure reconnaissance. It's human targeting.
What data did they access? Google found evidence that compromised endpoints contained full names, phone numbers, dates and places of birth, voter ID numbers, and national identification numbers [2]. The kind of information that powers targeted surveillance and influence operations.
The Strange Part: No Observed Data Theft
Here's where it gets interesting. Despite deploying GRIDTIDE on systems containing sensitive personal data, Google says no data exfiltration was observed during the campaign [1].
That doesn't mean nothing was stolen. It means Google couldn't confirm theft. There are three possibilities:
- They were caught before completing the mission. Disruption came at the reconnaissance phase.
- Data was exfiltrated through channels Google couldn't monitor. The SoftEther VPN bridges UNC2814 deployed create encrypted outbound connections [1]. Those tunnels could carry anything.
- The goal wasn't data. It was access. Sustained presence in critical infrastructure has intelligence value even without active theft. You're waiting for the moment you need it.
Given UNC2814's decade-long track record and the sensitivity of their targets, option three seems most likely. This is a sleeper operation, not a smash-and-grab.
What Google Did About It
On February 25, Google disclosed the disruption and listed specific actions taken [1][2]:
- Terminated all Google Cloud Projects controlled by the attackers
- Disabled known UNC2814 infrastructure and accounts
- Cut off access to Google Sheets API calls used for command-and-control
- Issued formal victim notifications to each targeted organization
- Provided active support to organizations with confirmed compromises
This is the most aggressive public disruption action Google has taken against a nation-state actor in recent memory. They didn't just publish a report. They burned the infrastructure to the ground.
How They Got In
Initial access came through exploitation of web servers and edge systems: the internet-facing infrastructure that organizations expose to the world [2]. Once inside, UNC2814's playbook was methodical:
- Lateral movement via SSH: Using service accounts to hop between systems
- Living-off-the-land techniques: Using built-in system tools for reconnaissance and privilege escalation
- GRIDTIDE deployment: Installing the backdoor for long-term persistence
- VPN tunnel establishment: SoftEther VPN Bridge for encrypted communication back to operators
Nothing exotic. Patient, methodical tradecraft that prioritizes stealth over speed.
The Bigger Picture
UNC2814 is part of a broader pattern. Chinese state-linked groups are systematically mapping and penetrating telecommunications and government infrastructure worldwide:
- Salt Typhoon: Breached AT&T, Verizon, and telecoms across 80+ countries, including FBI wiretap systems
- Volt Typhoon: Pre-positioned in US critical infrastructure for potential future disruption
- UNC2814: Nine years of sustained espionage across four continents
Each group operates independently with different techniques. But the strategic goal is the same: establish persistent access to infrastructure that matters. Telecoms carry communications. Governments hold secrets. Both are targets.
What You Can Do
UNC2814 breaks into organizations rather than attacking individuals directly. But the data they access (voter IDs, national identification numbers, phone records) belongs to real people. If you work for a government or telecom organization:
- Audit SSH access. UNC2814 used service accounts for lateral movement. Know who has SSH access to what.
- Monitor API traffic. Unusual patterns of Google Sheets API calls could indicate compromise. This applies to any SaaS service used as C2.
- Review edge systems. Internet-facing servers and VPNs are initial access vectors. Patch them. Monitor them. Assume they're being probed.
- Check for SoftEther. Unexpected VPN software is a red flag. Legitimate installations should be documented.
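An added hunt helper for the persistence pattern described earlier (not from Google, Mandiant or the cited reporting): it flags systemd unit files whose ExecStart runs from a temp directory such as /var/tmp, or whose name matches the reported xapt artifact. The unit contents in the fixture are constructed for the example, not the real service file.

```python
import os
import re
import tempfile

# Launch locations a packaged service never legitimately uses; /var/tmp is where the reporting places the GRIDTIDE binary.
UNTRUSTED_EXEC_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
KNOWN_ARTIFACT_NAMES = {"xapt"}  # the only name the reporting gives

# systemd allows prefix characters (-, @, :, +, !) before the ExecStart path.
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)

def inspect_unit(unit_path):
    """Return the reasons a unit file looks suspicious (empty list if none)."""
    reasons = []
    with open(unit_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    base = os.path.basename(unit_path).split(".")[0]
    if base in KNOWN_ARTIFACT_NAMES:
        reasons.append(f"unit name matches reported artifact: {base}")
    for exe in EXECSTART_RE.findall(text):
        if exe.startswith(UNTRUSTED_EXEC_DIRS):
            reasons.append(f"ExecStart runs from a temp directory: {exe}")
    return reasons

def hunt(root="/"):
    """Scan the systemd unit directories under root; pass a mount point to scan an image."""
    findings = {}
    for unit_dir in ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"):
        full = os.path.join(root, unit_dir)
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            path = os.path.join(full, name)
            if name.endswith(".service") and os.path.isfile(path):
                reasons = inspect_unit(path)
                if reasons:
                    findings[path] = reasons
    return findings

def build_fixture():
    """Constructed mini root: one benign unit and one shaped like the reported persistence."""
    root = tempfile.mkdtemp()
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "xapt.service"), "w") as fh:
        fh.write("[Unit]\nDescription=apt helper\n[Service]\nExecStart=/var/tmp/xapt\n")
    with open(os.path.join(unit_dir, "nginx.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n")
    return root
```

Run hunt() with no argument on a live host, or hunt("/mnt/image") against a mounted disk image.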
For everyone else: the telecoms and governments that hold your data are being systematically targeted by nation-state actors. Use end-to-end encrypted messaging. Assume your carrier network is compromised. Act accordingly.
The Bottom Line
UNC2814 ran a nearly decade-long espionage campaign across four continents by hiding command-and-control traffic in Google Sheets. They breached governments and telecoms: 53 organizations across 42 countries, with activity touching 70+ nations.
Google and Mandiant burned their infrastructure this week. But UNC2814 isn't the only group running this playbook. Salt Typhoon is still active. Volt Typhoon is still pre-positioned. The campaign against global communications infrastructure isn't stopping. It's accelerating.
Sources
- The Hacker News: "Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries" (February 25, 2026)
- The Register: "Google and friends disrupt suspected Beijing espionage op" (February 25, 2026)
- SC Media: "Google disrupts decade-long China-linked UNC2814 espionage campaign" (February 25, 2026)