Thursday April 02, 2026

Advisory ID: NCC-CSIRT-2026-012

Summary: 

The Nigerian Communications Commission Computer Security Incident Response Team (NCC-CSIRT) is issuing this advisory to alert Telecommunications Operators, Internet Service Providers, and critical information infrastructure stakeholders about a global cyber espionage campaign involving the GRIDTIDE backdoor and the advanced threat actor UNC2814.
The campaign primarily targets telecommunications providers and government organizations worldwide and has affected dozens of organizations across multiple countries. The threat actor uses stealth malware, cloud services, and persistent backdoors to gain long-term access to telecom networks and sensitive communications data.

Damage: Critical

Probability: High

Product(s)/Platform(s): 

The campaign does not target a specific vendor product but rather infrastructure commonly used in telecommunications environments, including:

  • Linux Servers and Web Servers
  • Edge Network Devices
  • Telecom Core Network Systems
  • Subscriber Databases
  • Call Data Record (CDR) Systems
  • Network Management Systems
  • Cloud Infrastructure and SaaS Platforms

Indicators of Compromise (IOCs): 

  • Suspicious connections to Google Sheets API or unusual SaaS API traffic
  • Unknown system services (e.g., xapt.service)
  • Unauthorized SSH lateral movement
  • Use of SoftEther VPN connections
  • Unknown service accounts
  • Persistent malware in /usr/sbin directories
  • Unusual outbound encrypted connections
  • Cloud API traffic from servers that normally do not use cloud services

Description: 

The UNC2814 campaign is a long-running cyber espionage operation active since at least 2017, targeting telecommunications and government networks globally. The attackers deploy the GRIDTIDE backdoor, a C-based malware that uses legitimate cloud services, particularly Google Sheets API, as a command-and-control (C2) channel to disguise malicious traffic as normal cloud activity.
Instead of connecting to traditional malicious servers, the malware communicates with attacker-controlled spreadsheets, where commands are stored in spreadsheet cells and executed on compromised systems. The malware can execute shell commands, upload and download files, and collect system information from infected hosts.
Attackers typically gain initial access by exploiting vulnerable web servers or edge network devices. After gaining access, they establish persistence by installing the malware as a system service and move laterally through the network using service accounts and SSH connections. Encrypted tunnels such as SoftEther VPN are used to maintain covert communication and potentially exfiltrate sensitive data such as personally identifiable information, call logs, and communications metadata.
The campaign specifically targets telecommunications networks because access to telecom infrastructure can enable surveillance, monitoring of communications, and tracking of individuals through call data records and messaging metadata.

Impacts: 

  • Gain persistent access to telecom networks
  • Monitor communications and subscriber data
  • Access call data records and SMS metadata
  • Conduct surveillance on targeted individuals
  • Move laterally across telecom infrastructure
  • Maintain long-term undetected access
  • Compromise government communications
  • Access lawful interception systems

Threat Types: 

  • Cyber Espionage
  • Advanced Persistent Threat (APT)
  • Backdoor Malware
  • Command and Control (C2)
  • Data Exfiltration
  • Network Intrusion
  • Persistence / Unauthorized Access

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Patch and secure all public-facing web servers and edge devices.
  • Strictly monitor outbound connections to cloud services such as Google Sheets, Google Drive, and other SaaS platforms.
  • Implement network segmentation within telecom infrastructure.
  • Monitor for unauthorized system services and persistence mechanisms.
  • Audit service accounts and SSH access logs.
  • Deploy Endpoint Detection and Response (EDR) solutions on critical servers.
  • Implement multi-factor authentication for administrative accounts.
  • Monitor VPN usage and block unauthorized VPN tools such as SoftEther.
  • Conduct threat hunting for advanced persistent threats.
  • Review access to subscriber databases and call data record systems.

References:

Advisory ID: NCC-CSIRT-2026-013

Summary: 

COLDEYE backdoor is a sophisticated kernel-level malware used in targeted cyber-espionage campaigns. This malware is known to provide persistent root-level access to compromised systems and is associated with advanced threat actors such as UNC2814.
COLDEYE has been observed in telecom infrastructure, government systems, and cloud-hosted services, where it enables attackers to manipulate critical data, exfiltrate information, and maintain long-term stealth access.

Damage: Critical

Probability: High

Product(s): 

Linux-based enterprise servers

Version(s): 

No specific version; affects general Linux distros

Platform(s):

Linux (Ubuntu, Debian, CentOS, RHEL); virtualized cloud instances

Indicators of Compromise (IOCs): 

Organizations are advised to cross-check the following IoCs with their SIEM and endpoint monitoring tools:

  • Unexpected kernel modules loaded on Linux servers
  • Unauthorized system services or startup scripts
  • Outbound connections to unusual cloud storage APIs from critical servers
  • Unauthorized file changes in system directories (/etc, /usr/bin)
  • Anomalous processes running with root privileges

Description: 

COLDEYE is a highly sophisticated kernel-level backdoor that primarily targets Linux servers in telecom networks, government systems, and cloud-hosted platforms. It achieves persistent root-level access by installing as a kernel module or system-level rootkit, enabling it to remain active after system reboots and evade traditional endpoint detection mechanisms. The malware can escalate privileges on misconfigured or vulnerable servers, granting attackers unrestricted access to critical system files, administrative credentials, and network services.
COLDEYE communicates with remote command-and-control infrastructure, often leveraging legitimate cloud services such as Google Sheets via the GRIDTIDE backdoor framework. This allows attackers to execute scripts, upload or download files, and perform detailed system reconnaissance while blending with normal network traffic. The malware facilitates the exfiltration of sensitive information, including subscriber databases, call detail records, SMS data, and cloud service tokens. It uses stealth techniques, such as kernel-level hooks and process masking, to avoid detection by host-based intrusion detection systems.
After establishing a foothold, COLDEYE may move laterally within networks, exploiting SSH, VPN, or internal service credentials to compromise additional systems. Its operational impact is significant, potentially exposing subscriber privacy, critical intelligence, and core telecom operations, including lawful interception systems. By maintaining long-term access, attackers can monitor and manipulate sensitive communications over extended periods. Deployment typically occurs following an initial compromise through vulnerable services, phishing targeting administrative accounts, or other advanced persistent threat tools, forming part of a larger espionage campaign.

Impacts: 

  • Compromise of Sensitive Data
  • Unauthorized System Control
  • Lateral Network Compromise
  • Operational Disruption
  • Long-Term Surveillance
  • Reputational and Regulatory Impact
  • Financial Consequences

Threat Types: 

  • Advanced Persistent Threat (APT)
  • Kernel-Level Malware / Rootkit
  • Data Exfiltration / Espionage
  • Unauthorized Access / Privilege Escalation
  • Command-and-Control (C2) Abuse
  • Lateral Movement
  • Telecom / Infrastructure Disruption

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Isolate compromised systems from the network
  • Conduct full system integrity checks and Memory Forensics
  • Monitor unusual outbound connections to cloud services
  • Apply the latest OS and kernel security updates and disable unused services and accounts
  • Restrict administrative and root access
  • Implement network and host-based anomaly detection
  • Monitor for abnormal process execution and kernel module loading
  • Review system logs for unauthorized access events
  • Implement UEFI Secure Boot where possible to prevent the loading of unsigned malicious kernel modules

References:

Advisory ID: NCC-CSIRT-2026-011

Summary: 

Apple has released security updates to fix a vulnerability in WebKit, the browser engine that powers Safari and all browsers on iOS devices. The vulnerability could allow a malicious website to bypass browser security controls and access sensitive data from other websites open in the same browser session.

The vulnerability is tracked as CVE-2026-20643 and has been addressed through Apple’s new Background Security Improvement update mechanism, which allows Apple to deploy urgent security fixes without requiring full operating system updates.

Damage: High

Probability: Medium

Product(s): 

  • iPhone (iOS)
  • iPad (iPadOS)
  • Mac computers (macOS)
  • Apple Safari browser
  • All browsers on iOS and iPadOS that use WebKit

Version(s): 

  • iPhone (iOS) Earlier than iOS 17.4
  • iPad (iPadOS) Earlier than iPadOS 17.4
  • Mac computers (macOS), earlier than macOS Sonoma 14.4
  • Apple Safari browser, earlier than Safari 17.4
  • All browsers on iOS and iPadOS that use WebKit Versions before the March 2026 security update

Platform(s): 

  • iOS
  • iPadOS
  • macOS
  • Safari browser
  • WebKit browser engine

Indicators of Compromise (IOCs): 

  • Unexpected account logins or session hijacking.
  • Suspicious browser redirects.
  • Unauthorized access to web applications.
  • Abnormal browser activity after visiting unknown websites.
  • Unusual authentication alerts from online services.

Description: 

The vulnerability exists in Apple’s WebKit browser engine, specifically involving a cross-origin security issue in the browser navigation component. This flaw could allow malicious web content to bypass the Same-Origin Policy, a fundamental browser security control that prevents one website from accessing data belonging to another.

If exploited, a malicious website could potentially access sensitive information from other websites open in the same browser session, including login data, browsing information, session tokens, or other private content. The vulnerability could be triggered simply by visiting a specially crafted malicious website.

The vulnerability affects Apple devices because all browsers on iOS and iPadOS must use WebKit, meaning the issue impacts Safari as well as third-party browsers such as Chrome or Firefox running on iPhones and iPads.

Apple has addressed the issue by improving input validation and access restrictions in the WebKit engine and has recommended that all users update their devices immediately to receive the security fix.

Impacts: 

  • Access sensitive user data from other websites.
  • Steal authentication session tokens.
  • Access login information or browsing history.
  • Conduct account hijacking attacks.
  • Perform targeted surveillance or espionage attacks.
  • Deploy further malware through browser exploitation.

Threat Types: 

  • Information Disclosure
  • Cross-Site Data Leakage
  • Session Hijacking
  • Account Takeover
  • Privacy Breach

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Update Apple devices immediately to the latest versions of iOS, iPadOS, and macOS.
  • Enable automatic updates on Apple devices.
  • Avoid visiting untrusted websites or clicking suspicious links.
  • Use multi-factor authentication (MFA) for online accounts.
  • Clear browser sessions after accessing sensitive platforms such as banking or corporate systems.
  •  Organizations should implement mobile device management (MDM) policies to enforce device updates.
  • Monitor for suspicious login activity across enterprise systems.

References:

Advisory ID: NCC-CSIRT-2026-010

Summary: 

The OSGF alerted Nigerian authorities about a cybercrime case in the UAE involving a criminal group that hijacked mobile signals and conducted SMS-based banking fraud. The group used specialized equipment to create fake mobile networks, intercept SMS messages, and send fraudulent messages impersonating banks to steal financial information. This technique poses a potential risk to Nigeria’s telecom infrastructure and financial systems due to the country’s large subscriber base and reliance on SMS banking.

Damage: Critical

Probability: High

Product(s): 

  • GSM and LTE mobile networks
  • SMS messaging infrastructure
  • Mobile banking systems using SMS authentication
  • Telecommunications spectrum environments
  • Mobile subscribers within proximity of a rogue base station

Version(s): 

All types and versions

Platform(s): 

Telecommunication and Mobile Ecosystems

Description: 

The attack technique uses rogue cellular infrastructure designed to mimic legitimate mobile networks.

The criminals deploy signal-jamming equipment to temporarily disrupt legitimate cellular signals within a targeted area. Once legitimate connectivity is weakened, the attackers activate a rogue base station (fake cellular tower) that broadcasts a stronger signal, causing nearby mobile devices to automatically connect to the attacker-controlled network.

After devices connect to the rogue network, attackers can:

  • Send spoofed SMS messages appearing to originate from legitimate financial institutions.
  • Intercept SMS communications, including one-time passwords (OTPs).
  • Conduct large-scale Smishing campaigns targeting banking customers.

This technique is particularly dangerous because it operates at the network layer of the telecommunications network, allowing attackers to bypass traditional Internet security controls.

Threat Types: 

  • Rogue Cellular Network Attacks / IMSI Catcher Threats
  • Mobile Signal Hijacking / Jamming
  • Smishing (SMS Phishing)
  • Financial Cybercrime / Banking Fraud
  • Telecommunications Infrastructure Exploitation

Impacts: 

  • Unauthorized access to bank accounts through stolen credentials or OTP interception.
  • Large-scale financial fraud targeting mobile banking users.
  • Manipulation of SMS communications used for transaction authentication.
  • Loss of customer trust in telecom and banking systems.
  • Possible use of rogue networks for surveillance or data interception.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Deploy rogue base station detection systems across network infrastructure.
  • Strengthen radio spectrum monitoring to detect abnormal signal activity.
  • Implement mechanisms to detect and block unauthorized BTS transmissions.
  • Collaborate with security agencies to track illegal telecom equipment.
  • Enhance monitoring of SMS gateways and messaging platforms.

Advisory ID: NCC-CSIRT-2026-009

Summary: 

Security researchers from the Google Threat Intelligence Group (GTIG) disrupted a global cyber-espionage campaign attributed to the threat actor UNC2814, which compromised 53 organizations across 42 countries in Africa, Asia, and the Americas. The attackers deployed a previously unknown malware backdoor, GRIDTIDE, which leveraged the Google Sheets API as a covert command-and-control channel, disguising malicious communications as legitimate cloud traffic to evade detection. The campaign primarily targeted telecommunications operators and government entities, indicating an objective of long-term surveillance and intelligence gathering rather than financial gain.

Damage: Critical

Probability: High

Product(s): 

  • Enterprise Linux systems and servers
  • Telecommunications infrastructure and enterprise networks
  • Cloud-based SaaS platforms abused for command-and-control (C2), particularly Google Sheets API

Version(s): 

All vulnerable Linux systems and servers, Telecommunications infrastructure and enterprise networks, and Cloud-based SaaS platforms abused for command-and-control (C2).

Platform(s): 

  • Linux/Unix systems
  • Enterprise IT networks and telecommunications infrastructure
  • Cloud SaaS environments used for covert C2 communications

Description: 

The UNC2814 campaign relied on a custom backdoor named GRIDTIDE, written in C and capable of executing arbitrary shell commands, uploading and downloading files, and maintaining persistent remote access.

Unlike traditional malware that communicates with dedicated C2 servers, GRIDTIDE used Google Sheets as a communication channel. The malware periodically accessed attacker-controlled spreadsheets through the Google Sheets API to retrieve commands and upload collected data.

The communication model used specific spreadsheet cells to exchange instructions and results. For example, commands could be stored in a designated cell, while command outputs or collected data were written back into other cells within the same spreadsheet. This approach allowed malicious traffic to blend into normal HTTPS connections to legitimate Google services.

Investigators believe the threat actor often gains initial access by compromising web servers or edge network systems, followed by lateral movement using SSH and legitimate administrative tools.

To maintain persistence on compromised systems, the attackers created system services (e.g., /etc/systemd/system/xapt.service) and executed malware binaries from directories such as /usr/sbin/xapt.

Google and its partners disrupted the campaign by terminating attacker-controlled Google Cloud projects, disabling malicious infrastructure, revoking Google Sheets API access, and notifying affected organizations.

Impacts: 

  • Attackers may gain visibility into call records, SMS metadata, or lawful intercept systems.
  • Compromised systems may contain information such as names, phone numbers, dates of birth, and national identification data.
  • Attackers can maintain long-term access for intelligence gathering or further compromise.
  • Use of legitimate cloud APIs makes detection significantly harder

Threat Types: 

  • Cyber-espionage: Targeted surveillance against government and telecom organizations.
  • Advanced Persistent Threat (APT): Long-term infiltration campaigns designed to maintain covert access.
  • Cloud service abuse: Leveraging legitimate SaaS platforms such as Google Sheets for C2 communications.
  • Living-off-the-land techniques: Use of legitimate system tools and services to evade detection.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Inspect systems for unauthorized services or binaries linked to GRIDTIDE.
  • Block suspicious outbound connections to attacker-controlled infrastructure.
  • Isolate affected systems and begin forensic investigation.
  • Patch vulnerable web servers and network edge devices.
  • Reset compromised credentials and enforce multi-factor authentication (MFA).
  • Deploy updated endpoint detection tools capable of identifying APT behaviors.
  • Implement network segmentation to protect telecom core infrastructure.
  • Conduct proactive threat hunting for indicators associated with UNC2814 activity.
  • Strengthen monitoring of cloud API usage across enterprise networks.
  • Audit network traffic for suspicious connections to Google Sheets APIs or unusual SaaS usage.
  • Monitor Linux servers for unauthorized systemd services and binaries such as /usr/sbin/xapt.
  • Strengthen monitoring of telecom infrastructure and cloud service usage to detect covert command-and-control channels.

References:

  1. NCC-CSIRT Cybersecurity Advisory on LockBit Strikes with New 5.0 Version Targeting Windows, Linux, and ESXi Systems
  2. ngCERT SECURITY ADVISORY ON OPEN-TELNET VULNERABILITY AFFECTING NETWORK DEVICES
  3. ngCERT SECURITY ADVISORY ON ACCESSIBLE ADVANCED MESSAGE QUEUING PROTOCOL (AMQP) SERVICES AFFECTING CRITICAL NATIONAL INFRASTRUCTURES
  4. ngCERT SECURITY ADVISORY ON CRITICAL INFRASTRUCTURE COMPROMISE BY MULTIPLE VARIANTS OF REMOTE ACCESS TROJAN

Page 1 of 37