Google Disrupts Chinese Hackers Targeting 53 Telecom and Government Entities

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

Google Threat Intelligence disrupted a Chinese state-linked hacking group called UNC2814. The group breached 53 telecom providers and government bodies across 42 countries. This cyber espionage ran for nearly a decade until coordinated action on February 18, 2026.

Mandiant and Google Cloud uncovered the operation. They severed the hackers’ access and shared threat details. Victims span Africa, Asia, Europe, and the Americas. The campaign focused on sensitive communication networks.

The GRIDTIDE Backdoor

UNC2814 used a new backdoor named GRIDTIDE. It hides commands in Google Sheets cells, blending with normal cloud traffic. This method evades typical network defenses.

Analysts spotted it on a customer’s CentOS server. A binary called xapt mimicked a system tool and ran root commands. The malware registers as a systemd service to persist.

It uses AES-128 encryption for Google Drive configs. Commands flow through cell A1. Results go back in Base64 encoding. A SoftEther VPN adds a backup channel since 2018.

GRIDTIDE infection lifecycle (Source – Google Cloud)

Attack Techniques

Hackers entered via internet-facing web servers and edge devices. They used built-in system tools for lateral movement. No new malware dropped to avoid alerts.

Targets held personal data like names, phone numbers, and voter records. This matches Chinese intelligence goals. The group shows no link to Salt Typhoon.

Google Cloud Blog states: “We disrupted GRIDTIDE, a global espionage campaign by UNC2814.”

GRIDTIDE execution lifecycle (Source – Google Cloud)

Victim Scope and Impact

CategoryCountRegions Affected
Confirmed Victims5342 countries (4 continents)
Suspected Infections20+Africa, Asia, Americas
Primary TargetsTelecom, GovernmentCommunication infrastructure

Detection Indicators

Monitor these signs of compromise.

  • Outbound HTTPS to Google Sheets API with batchClear or batchUpdate.
  • Systemd services in /etc/systemd/system/xapt.service.
  • Binaries in /var/tmp/xapt running nohup.
  • Non-browser processes using valueRenderOption=FORMULA.
  • SoftEther VPN Bridge on Linux servers.

Response Steps

  • Apply GTIG YARA rules for GRIDTIDE detection.
  • Scan logs for listed IOCs from Google.
  • Check web servers and edge devices for breaches.
  • Block unusual Google Sheets API calls.
  • Hunt for living-off-the-land binaries.

Mandiant noted suspicious xapt behavior first. Google tracked UNC2814 since 2017.

FAQ

What is UNC2814?

Chinese-linked espionage group behind GRIDTIDE campaign targeting telecoms.

How does GRIDTIDE work?

Backdoor uses Google Sheets for C2, AES-encrypted, with Base64 commands.

How many victims?

53 confirmed across 42 countries, plus 20+ suspected.

When did Google disrupt it?

February 18, 2026, via GTIG and Mandiant action.

What data was at risk?

PII like names, phones, IDs, voter records.

How to detect it?

Monitor Sheets API calls, xapt binaries, SoftEther VPN.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages