Google Threat Intelligence Group and Mandiant researchers on Wednesday announced that they had disrupted the infrastructure of a suspected PRC-nexus espionage group, categorized as UNC2814 or Gallium, which is known for targeting global telecom providers and government organizations.

As part of its disruption efforts, Google said that it shut down all attacker-controlled Google Cloud Projects linked to the attackers in order to end their persistent access to environments that had been compromised by the group’s GRIDTIDE backdoor. The tech company also disabled the group’s known infrastructure, including domains used by the actor, and took down accounts and access to Google Sheets API calls that were used for command and control (C2) purposes. 

“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed,” according to Google in its analysis. “The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions.”

Google said it has identified 53 victims impacted by the group, which it has tracked since 2017.

“It is important to highlight that UNC2814 has no observed overlaps with activity publicly reported as ‘Salt Typhoon,’ and targets different victims globally using distinct tactics, techniques, and procedures (TTPs),” according to Google. “Although the specific initial access vector for this campaign has not been determined, UNC2814 has a history of gaining entry by exploiting and compromising web servers and edge systems.”

Google also released a set of Indicators of Compromise (IoCs) linked to UNC2814 infrastructure active since at least 2023. The group's TTPs include using living-off-the-land binaries to perform reconnaissance and establish persistence, using a service account to move laterally via SSH, and executing a novel C-based backdoor (GRIDTIDE) capable of collecting sensitive data from endpoints, including full names, phone numbers, dates and places of birth, voter ID numbers and national ID numbers.

“The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands,” according to researchers. “GRIDTIDE hides its malicious traffic within legitimate cloud API requests, evading standard network detection.”
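The detection problem the researchers describe is that each request to a SaaS API looks legitimate on its own; what gives a C2 channel away is the pattern across requests. The following is an added example, not code from Google, Mandiant, or the GRIDTIDE report, showing one defensive heuristic a SOC could run over web proxy logs: group requests to the Sheets API by client host and flag hosts that poll it at a near-constant interval (low coefficient of variation of inter-request gaps) with enough volume to matter. The log format, the spreadsheet IDs, the client addresses, the user-agent strings and the thresholds are all constructed assumptions for illustration; the article does not describe GRIDTIDE's beacon cadence.

```python
"""Beaconing heuristic for SaaS-API C2 over constructed web proxy logs.

Added example (not from the original report). Flags client hosts that call
the Google Sheets API on a highly regular schedule, which is what a polling
backdoor looks like and what interactive spreadsheet use does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real telemetry). Each line holds:
# ISO timestamp, client IP, HTTP method, URL, user agent (single token).
# 10.0.0.5 polls one sheet every ~60 s; 10.0.0.9 is a person editing a sheet.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 10.0.0.5 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/cmd curl/8.0
2024-03-01T09:01:00 10.0.0.5 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/cmd curl/8.0
2024-03-01T09:02:01 10.0.0.5 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/cmd curl/8.0
2024-03-01T09:03:00 10.0.0.5 PUT https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/out curl/8.0
2024-03-01T09:03:59 10.0.0.5 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/cmd curl/8.0
2024-03-01T09:05:00 10.0.0.5 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/cmd curl/8.0
2024-03-01T09:00:12 10.0.0.9 GET https://sheets.googleapis.com/v4/spreadsheets/FINANCE-ID/values/Q1 Mozilla/5.0
2024-03-01T09:07:45 10.0.0.9 GET https://sheets.googleapis.com/v4/spreadsheets/FINANCE-ID/values/Q1 Mozilla/5.0
2024-03-01T09:31:02 10.0.0.9 PUT https://sheets.googleapis.com/v4/spreadsheets/FINANCE-ID/values/Q1 Mozilla/5.0
2024-03-01T09:02:30 10.0.0.9 GET https://www.example.com/index.html Mozilla/5.0
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "ua": ua}


def host_of(url):
    """Return the host part of an http(s) URL."""
    return url.split("/")[2]


def find_beacons(lines, api_host="sheets.googleapis.com",
                 min_requests=5, max_cv=0.1):
    """Return clients whose requests to api_host arrive at a regular cadence.

    min_requests: ignore hosts with fewer calls (not enough gaps to judge).
    max_cv: coefficient of variation (stdev / mean) of inter-request gaps
            at or below which the cadence is treated as machine-driven.
    Both thresholds are assumed values; tune them on your own baseline.
    """
    by_client = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if host_of(rec["url"]) == api_host:
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds()
                for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({
                "client": client,
                "requests": len(recs),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # A non-browser user agent on a spreadsheet API is extra context
                # for the analyst, not a requirement for the alert.
                "user_agents": sorted({r["ua"] for r in recs}),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOGS.splitlines()):
        print(f"suspect {f['client']}: {f['requests']} calls, "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']}), ua={f['user_agents']}")
```

In the sample, the polling host is flagged (six calls, mean gap 60 s, cv about 0.015) while the analyst's three irregular calls are not. In production the same logic would run per day over proxy or DNS logs and pair the cadence signal with asset context (servers and edge devices have no business reading spreadsheets), which matters because the article notes the actor's history of compromising web servers and edge systems.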

Google said that it expects UNC2814 to work hard to rebuild its global footprint; however, “prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established.”

“The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” according to Google.