Full Report
Google on Wednesday disclosed that it worked with industry partners to disrupt the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 that breached at least 53 organizations across 42 countries. "This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,"
Analysis Summary
# Threat Actor: UNC2814
## Attribution & Identity
**Identification:** Suspected China-nexus cyber espionage group.
**Aliases/Associations:** No public aliases are given; the cluster has been tracked by Google Threat Intelligence Group (GTIG) and Mandiant since 2017.
## Activity Summary
UNC2814 is described as a "prolific, elusive actor" associated with one of the "most far-reaching, impactful campaigns" encountered in recent years, dubbed the **GRIDTIDE Campaign**. This campaign breached at least 53 organizations across 42 countries and is suspected to be linked to infections in over 20 additional nations. The actor has a long history of targeting international governments and global telecommunications organizations. Google and industry partners recently disrupted the actor's infrastructure.
## Tactics, Techniques & Procedures
- **Initial Access:** History of exploiting and compromising web servers and edge systems. The initial access vector for the latest campaign remains under investigation.
- **Command and Control (C2):** Abusing the Google Sheets API via a novel backdoor named **GRIDTIDE** to disguise C2 traffic and facilitate data transfer.
- **Lateral Movement:** Leveraging a service account to move laterally within the environment via SSH.
- **Reconnaissance/Privilege Escalation/Persistence:** Living-off-the-land (LotL) binaries already present on the host are used for reconnaissance, privilege escalation and setting up persistence.
- **Persistence:** A systemd unit is created for the malware (`/etc/systemd/system/xapt.service`); enabling it has systemd spawn a new instance from `/usr/sbin/xapt`.
- **Exfiltration/Communication:** Employing SoftEther VPN Bridge to establish outbound encrypted connections to an external IP address.
  - *Note: Abuse of SoftEther VPN has been linked to multiple Chinese hacking groups.*
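The systemd persistence above is a concrete hunt opportunity. The following is an added example and not GTIG, Mandiant or Google code: it parses unit-file text, extracts each `ExecStart` binary and flags units whose binary no installed package accounts for, adding context such as a locally created unit, a binary dropped into a package-managed directory, or a unit name that closely resembles a legitimate package (`xapt` beside `apt`). The package manifest, the benign units and the body of `xapt.service` beyond the two paths named above are constructed for the demonstration.

```python
"""Triage systemd units for unpackaged ExecStart binaries (added example)."""
import re
from dataclasses import dataclass, field
from difflib import get_close_matches
from pathlib import PurePosixPath

# Constructed baseline (hypothetical host): binaries and package names a package
# manager accounts for. In a real hunt build this from `dpkg -S`, `rpm -qf`
# or a golden-image manifest rather than hard-coding it.
PACKAGE_BINARIES = {"/usr/sbin/cron", "/usr/sbin/sshd", "/usr/bin/apt", "/opt/myapp/bin/server"}
PACKAGE_NAMES = sorted({"cron", "ssh", "apt", "myapp"})

# systemd allows these prefixes before the executable in ExecStart= lines.
EXEC_PREFIX = re.compile(r"^[-@+!:]+")

# Constructed unit files. Only the xapt paths come from the report; the unit
# bodies are invented for the demonstration.
SAMPLE_UNITS = {
    "/usr/lib/systemd/system/cron.service": (
        "[Unit]\nDescription=Regular background program processing daemon\n\n"
        "[Service]\nExecStart=/usr/sbin/cron -f $EXTRA_OPTS\nRestart=on-failure\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/myapp.service": (
        "[Unit]\nDescription=Internal web app\n\n"
        "[Service]\nExecStart=/opt/myapp/bin/server --config /etc/myapp.yml\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/xapt.service": (
        "[Unit]\nAfter=network.target\n\n"
        "[Service]\nType=forking\nExecStart=/usr/sbin/xapt\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}


def parse_unit(text):
    """Minimal unit parser: INI-like, but a key such as ExecStart= may repeat."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault((section, key.strip()), []).append(value.strip())
    return entries


def exec_paths(entries):
    """Return the executables named by ExecStart=; an empty value resets the list."""
    paths = []
    for value in entries.get(("Service", "ExecStart"), []):
        if not value:
            paths.clear()
            continue
        paths.append(EXEC_PREFIX.sub("", value.split()[0]))
    return paths


@dataclass
class Finding:
    unit: str
    exec_path: str
    reasons: list = field(default_factory=list)


def triage_units(units, package_binaries=PACKAGE_BINARIES, package_names=PACKAGE_NAMES):
    """Flag every ExecStart binary that no package owns, with supporting context."""
    findings = []
    for unit_path, text in units.items():
        entries = parse_unit(text)
        name = PurePosixPath(unit_path).stem
        for exe in exec_paths(entries):
            if exe in package_binaries:
                continue
            reasons = ["ExecStart binary not owned by any installed package"]
            if exe.startswith(("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")):
                reasons.append("unpackaged binary placed in a package-managed directory")
            if unit_path.startswith("/etc/systemd/system/"):
                reasons.append("unit created locally rather than shipped by a package")
            if name not in package_names:
                lookalike = get_close_matches(name, package_names, n=1, cutoff=0.8)
                if lookalike:
                    reasons.append(f"unit name resembles package '{lookalike[0]}'")
            if ("Unit", "Description") not in entries:
                reasons.append("no Description=")
            findings.append(Finding(unit_path, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_units(SAMPLE_UNITS):
        print(f.unit, f.exec_path)
        for r in f.reasons:
            print("  -", r)
```

On a live host, feed `triage_units` the contents of `/etc/systemd/system/*.service` and `/usr/lib/systemd/system/*.service` and build the manifest from the package manager; the binary-ownership check is the primary signal, and the remaining reasons are context for the analyst rather than independent alerts.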
## Targeting
- **Sectors:** International governments and global telecommunications organizations.
- **Geography:** Africa, Asia and the Americas; confirmed victims in 42 countries, with suspected infections in more than 20 additional nations.
- **Victims:** None named publicly; targeting centres on governments and telecom operators. The actor has been observed dropping malware on endpoints that hold Personally Identifiable Information (PII).
## Tools & Infrastructure
- **Malware:** **GRIDTIDE** (A C-based malware/novel backdoor).
- **Infrastructure:**
  - C2 uses cells in a Google Sheet, read and written through the Sheets API, for bidirectional communication (e.g., cell A1 for status responses, A2 to An for data transfer, V1 for system data).
  - SoftEther VPN Bridge abused for outbound encrypted connections.
  - Google Cloud Projects and attacker-controlled accounts, which Google terminated or disabled.
## Implications
UNC2814 demonstrates a nation-state level capability for long-term espionage, embedding itself deeply within victim networks. The use of legitimate SaaS APIs (Google Sheets) for C2 exemplifies advanced evasion techniques aimed at blending malicious traffic with benign activity. The focus on network edge devices as potential entry points suggests ongoing reliance on perimeter exploitation. While PII was present on compromised endpoints, active data exfiltration was *not* observed during the analyzed campaign period, aligning the activity primarily with cyber espionage/monitoring objectives.
## Mitigations
- **Infrastructure Disruption:** The successful disruption by Google included terminating Cloud Projects, disabling known C2 infrastructure, and blocking API calls leveraged by the actor.
- **Perimeter Security:** Increased scrutiny and hardening of web servers and edge systems, as these appear to be common initial access points.
- **Endpoint Monitoring:** Alert on SSH logins by service accounts, especially interactive or host-to-host sessions, since such accounts were used for lateral movement.
- **Anomaly Detection:** Baseline and alert on LotL binary usage consistent with reconnaissance, privilege escalation and persistence setup (for example, new unit files appearing under `/etc/systemd/system/`).
- **Application Monitoring:** Monitor for anomalous use of SaaS APIs such as the Google Sheets API: hosts with no business reason to call the API, or a process polling the same cell range at a fixed interval, which is how the GRIDTIDE backdoor moves commands and data.
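For the Sheets API polling described under Tools & Infrastructure and the application-monitoring item above, here is an added example (not Google's or Mandiant's detection logic) that runs over constructed web-proxy log lines. It groups requests to the Sheets API by source host, scores how clock-like the inter-request intervals are, and flags server-class hosts that have no business calling a spreadsheet API at all. The log format, hostnames, spreadsheet IDs and the list of server hosts are all assumptions made for the demonstration.

```python
"""Detect regular polling of the Sheets API in constructed proxy logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log excerpt in a made-up key=value proxy format. db-01 polls one
# cell roughly every minute (the kind of C2 traffic the report describes),
# app-02 makes two calls, and an analyst workstation uses Sheets interactively.
SAMPLE_LOG = """\
2024-05-01T10:00:02Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:00:40Z src=ws-analyst-7 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/OTHER_ID/values/Sheet1!A1:D50 status=200
2024-05-01T10:01:03Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:02:01Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:02:30Z src=app-02 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:03:04Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:04:02Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:05:03Z src=db-01 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:07:12Z src=ws-analyst-7 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/OTHER_ID/values/Sheet1!A1:D50 status=200
2024-05-01T10:09:15Z src=app-02 dst=sheets.googleapis.com method=GET path=/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1 status=200
2024-05-01T10:12:45Z src=ws-analyst-7 dst=www.googleapis.com method=GET path=/drive/v3/files status=200
"""

# Hypothetical asset inventory: hosts with no business reason to call SaaS APIs.
SERVER_HOSTS = {"db-01", "app-02"}
SAAS_API_HOSTS = {"sheets.googleapis.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=\S+ path=(?P<path>\S+) status=\d+$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, path) for each line in the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["dst"], m["path"]


def detect_saas_beacons(log_text, server_hosts=SERVER_HOSTS, min_requests=5, max_cv=0.15):
    """Group Sheets API calls per (src, dst); flag server hosts and clock-like polling."""
    by_pair = defaultdict(list)
    for ts, src, dst, path in parse_log(log_text):
        if dst in SAAS_API_HOSTS:
            by_pair[(src, dst)].append((ts, path))

    findings = []
    for (src, dst), hits in sorted(by_pair.items()):
        hits.sort()
        reasons = []
        if src in server_hosts:
            reasons.append("server-class host calling a SaaS API")
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = cv = None
        if len(hits) >= min_requests:
            mean = statistics.fmean(intervals)
            # Coefficient of variation: near 0 means a fixed timer, as in C2 polling;
            # human use of a spreadsheet produces bursts and long gaps instead.
            cv = statistics.stdev(intervals) / mean if mean else 0.0
            if cv <= max_cv:
                reasons.append(f"regular polling every ~{mean:.0f}s (cv={cv:.2f})")
        if reasons:
            ranges = sorted({p.rsplit("/values/", 1)[1] for _, p in hits if "/values/" in p})
            findings.append({"src": src, "dst": dst, "count": len(hits), "mean_interval": mean,
                             "cv": cv, "ranges": ranges, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_saas_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['count']} requests, ranges={f['ranges']})")
        for r in f["reasons"]:
            print("  -", r)
```

In production, feed real proxy or DNS logs and tune `min_requests` and `max_cv` to the environment. A backdoor that adds jitter to its sleep raises the coefficient of variation, so the asset-role check (a database server talking to a spreadsheet API) should stand on its own as an alert rather than depending on the regularity score.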