Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Hacking Campaign

By Team-CWD, February 26, 2026


A prolific hacking and cyber-espionage campaign which targeted organizations around the world for almost a decade has been disrupted by Google and its international partners.

In a blog post, Google Threat Intelligence Group (GTIG) detailed the malicious activity by UNC2814, a cyber-espionage operation with suspected links to China which has been active since 2017. The group is described by the tech giant as both “prolific” and “elusive”.

UNC2814 has waged cyber campaigns against governments and global telecommunications organizations across Africa, Asia and the Americas.

An investigation by Google confirmed that UNC2814 activity impacted at least 53 victims across 42 nations. Suspected activity by the group was observed in at least 20 more countries.

The initial access method has not been identified, but Google noted that similar campaigns have gained entry via compromised web servers and edge systems.

GridTide: A Novel Backdoor Hiding in Google Sheets

Key to UNC2814 campaigns was a novel backdoor, dubbed GridTide by Google and Mandiant, which can execute arbitrary shell commands and upload and download files.

Unusually, GridTide leveraged Google Sheets as a command-and-control (C2) platform. The attackers didn’t use the spreadsheet as a document, but as a communication channel to transfer raw data and shell commands.

This enabled the attackers to disguise the malicious traffic within legitimate cloud API requests, keeping it from being flagged by standard network detection tools.
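Because the destination itself is legitimate, hunting for this kind of channel usually means asking which process on which host is calling the Sheets API, not whether the domain is bad. The following is an added example, not code from Google's report or from this article: it scans constructed process-level network telemetry for unexpected Sheets API clients. The log format, the process allowlist and the regular-polling heuristic are all assumptions for illustration, not GridTide behaviour described above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"
# Assumption: processes this organization expects to call the Sheets API.
EXPECTED_CLIENTS = {"chrome", "firefox", "msedge"}

# Constructed sample telemetry (time, host, process, destination); not real data.
SAMPLE_EVENTS = """\
2026-02-20T10:00:00,web-srv-01,svc-helper,sheets.googleapis.com
2026-02-20T10:05:01,web-srv-01,svc-helper,sheets.googleapis.com
2026-02-20T10:10:00,web-srv-01,svc-helper,sheets.googleapis.com
2026-02-20T10:15:02,web-srv-01,svc-helper,sheets.googleapis.com
2026-02-20T09:12:44,laptop-17,chrome,sheets.googleapis.com
2026-02-20T09:40:03,laptop-17,chrome,sheets.googleapis.com
2026-02-20T11:30:00,web-srv-01,nginx,updates.example.org
"""

def hunt_sheets_api_clients(events_csv, expected=EXPECTED_CLIENTS, min_hits=3):
    """Return findings for unexpected processes that repeatedly call the Sheets API."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(events_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, proc, dest = row
        if dest.lower() == SHEETS_API_HOST and proc.lower() not in expected:
            seen[(host, proc)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low jitter relative to the mean gap suggests automated polling.
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        findings.append({"host": host, "process": proc, "hits": len(times),
                         "mean_gap_s": round(mean(gaps), 1),
                         "regular": jitter < 0.1})
    return findings

if __name__ == "__main__":
    for finding in hunt_sheets_api_clients(SAMPLE_EVENTS):
        print(finding)
```

A finding here is a lead for triage, not a verdict: legitimate automation also calls the Sheets API from servers, so the allowlist needs to reflect the environment's own service accounts and tools.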

The action taken by Google terminated all Google Cloud Projects controlled by the attacker, effectively severing their persistent access to environments. The disruption also saw attacker accounts disabled and access to Google Sheets API calls exploited for C2 revoked.

According to Google, UNC2814 likely used the backdoor access provided by GridTide to identify, track and monitor persons of interest at the targeted telecommunications and government organizations.

While analysis of the campaign did not directly detect exfiltration of sensitive data, researchers note that similar Chinese-linked cyber-espionage campaigns have resulted in the theft of call data records and unencrypted SMS messages, often with the goal of enabling surveillance against dissidents and activists, as well as targets for traditional state-based cyber espionage.

Initially, the campaigns look similar to those conducted by a group Google tracks as UNC2286, commonly known as Salt Typhoon. However, Google has made a point of highlighting how “UNC2814 has no observed overlaps with activity publicly reported as Salt Typhoon.”

Nonetheless, Google warned that the global scope of UNC2814 activity “underscores the serious threat facing telecommunications and government sectors.”

“Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint,” GTIG concluded.

Google said it has notified victims of UNC2814 about the activity and has offered support to organizations which were compromised by the threat group.


