Monday March 30, 2026

Advisory ID: NCC-CSIRT-2026-009

Summary: 

Security researchers from the Google Threat Intelligence Group (GTIG) disrupted a global cyber-espionage campaign attributed to the threat actor UNC2814, which compromised 53 organizations across 42 countries in Africa, Asia, and the Americas. The attackers deployed a previously unknown malware backdoor, GRIDTIDE, which leveraged the Google Sheets API as a covert command-and-control channel, disguising malicious communications as legitimate cloud traffic to evade detection. The campaign primarily targeted telecommunications operators and government entities, indicating an objective of long-term surveillance and intelligence gathering rather than financial gain.

Damage: Critical

Probability: High

Product(s): 

  • Enterprise Linux systems and servers
  • Telecommunications infrastructure and enterprise networks
  • Cloud-based SaaS platforms abused for command-and-control (C2), particularly Google Sheets API

Version(s): 

No specific software version is identified. All Linux systems and servers, telecommunications infrastructure and enterprise networks, and cloud-based SaaS platforms that can be abused for command-and-control (C2) should be treated as in scope.

Platform(s): 

  • Linux/Unix systems
  • Enterprise IT networks and telecommunications infrastructure
  • Cloud SaaS environments used for covert C2 communications

Description: 

The UNC2814 campaign relied on a custom backdoor named GRIDTIDE, written in C and capable of executing arbitrary shell commands, uploading and downloading files, and maintaining persistent remote access.

Unlike traditional malware that communicates with dedicated C2 servers, GRIDTIDE used Google Sheets as a communication channel. The malware periodically accessed attacker-controlled spreadsheets through the Google Sheets API to retrieve commands and upload collected data.

The communication model used specific spreadsheet cells to exchange instructions and results. For example, commands could be stored in a designated cell, while command outputs or collected data were written back into other cells within the same spreadsheet. This approach allowed malicious traffic to blend into normal HTTPS connections to legitimate Google services.
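Because the C2 traffic is ordinary HTTPS to sheets.googleapis.com, the useful signal is not the destination alone but which hosts talk to it and how regularly. The following Python script, added here as an illustration and not GTIG or NCC-CSIRT tooling, groups Sheets API requests per client in a proxy or egress log and flags non-allowlisted hosts whose request cadence is too regular to be human. The log format (squid-style "epoch client method url" fields), the sample lines, the spreadsheet IDs, the allowlist and the jitter thresholds are all constructed assumptions.

```python
"""Flag server-originated polling of the Google Sheets API in egress logs.

Added example for this advisory; it is not GTIG or NCC-CSIRT tooling.
Assumptions: squid-style access log lines with "epoch client method url"
fields (the sample below is constructed), an allowlist of hosts that are
expected to call Google APIs, and the beaconing thresholds in
looks_like_beacon(). Tune all three for your environment.
"""
import re
import statistics
from collections import defaultdict

SHEETS_API_HOST = "sheets.googleapis.com"

# Hosts with a known business reason to call Google APIs (assumed).
ALLOWED_CLIENTS = {"10.0.5.20"}

LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample: a build host (10.0.5.20, allowlisted) makes one call,
# while a DMZ web server (10.0.3.7) reads the same sheet range about every
# 60 s and writes a result cell once, the pattern described above.
SAMPLE_LOG = """\
1774830000 10.0.5.20 POST https://sheets.googleapis.com/v4/spreadsheets/AAA/values/Sheet1!A1:append
1774830010 10.0.3.7 GET https://sheets.googleapis.com/v4/spreadsheets/BBB/values/Sheet1!A1
1774830070 10.0.3.7 GET https://sheets.googleapis.com/v4/spreadsheets/BBB/values/Sheet1!A1
1774830131 10.0.3.7 PUT https://sheets.googleapis.com/v4/spreadsheets/BBB/values/Sheet1!B1
1774830190 10.0.3.7 GET https://sheets.googleapis.com/v4/spreadsheets/BBB/values/Sheet1!A1
1774830250 10.0.3.7 GET https://sheets.googleapis.com/v4/spreadsheets/BBB/values/Sheet1!A1
1774830300 10.0.3.7 GET https://www.example.org/
"""


def parse(log_text):
    """Yield (timestamp, client, method, url) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield float(m["ts"]), m["client"], m["method"], m["url"]


def url_host(url):
    """Return the host part of an absolute URL."""
    return url.split("//", 1)[-1].split("/", 1)[0]


def sheets_requests_by_client(log_text):
    """Group Sheets API request timestamps by client IP."""
    per_client = defaultdict(list)
    for ts, client, _method, url in parse(log_text):
        if url_host(url) == SHEETS_API_HOST:
            per_client[client].append(ts)
    return per_client


def looks_like_beacon(timestamps, min_requests=4, max_jitter_ratio=0.2):
    """True when inter-request gaps are tightly clustered, i.e. regular polling.

    Jitter is measured as population stdev / mean of the gaps: a human or a
    batch job produces bursts and long idle periods, a sleep loop does not.
    """
    if len(timestamps) < min_requests:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_jitter_ratio


def find_suspicious_clients(log_text):
    """Map non-allowlisted clients with beacon-like Sheets traffic to request counts."""
    findings = {}
    for client, ts in sheets_requests_by_client(log_text).items():
        if client not in ALLOWED_CLIENTS and looks_like_beacon(ts):
            findings[client] = len(ts)
    return findings


if __name__ == "__main__":
    for client, count in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} regularly spaced requests to {SHEETS_API_HOST}")
```

Without a TLS-inspecting proxy you will only see the SNI or the DNS lookup for sheets.googleapis.com, so the same grouping can be applied to DNS query logs. Either way, a web or edge server with no business reason to call the Sheets API is worth triage on the first request, before any cadence is established.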

Investigators believe the threat actor often gains initial access by compromising web servers or edge network systems, followed by lateral movement using SSH and legitimate administrative tools.

To maintain persistence on compromised systems, the attackers installed systemd units (e.g., /etc/systemd/system/xapt.service) that launched the malware binary from a system path such as /usr/sbin/xapt, alongside legitimate administrative binaries.
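A unit named xapt.service and a binary in /usr/sbin are designed to look routine, so a hunt should not rely on the names alone. One host-side check is to extract the executable from every Exec* line of every unit file and ask the package manager whether it owns that file. The Python below is an added example for this advisory, not GTIG or NCC-CSIRT tooling; it assumes a Debian- or RHEL-family host where `dpkg -S` or `rpm -qf` exits 0 only for package-owned files. The unit texts are constructed; only the xapt.service and /usr/sbin/xapt names come from the advisory.

```python
"""Audit systemd units for Exec* binaries that no installed package owns.

Added example for this advisory; it is not GTIG or NCC-CSIRT tooling. It
assumes a Debian- or RHEL-family host where `dpkg -S` or `rpm -qf` exits 0
only for package-owned files. The unit texts in SAMPLE_UNITS are constructed;
only the xapt.service / /usr/sbin/xapt names come from the advisory.
"""
import os
import re
import shlex
import subprocess

UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
EXEC_LINE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*(?P<cmd>.+)$", re.MULTILINE)

SAMPLE_UNITS = {
    # Mirrors the persistence described above: a unit with a plausible name
    # launching a binary dropped into /usr/sbin.
    "/etc/systemd/system/xapt.service": """\
[Unit]
Description=APT helper
After=network.target

[Service]
ExecStart=/usr/sbin/xapt -d
Restart=always

[Install]
WantedBy=multi-user.target
""",
    # A legitimate packaged daemon for comparison.
    "/lib/systemd/system/ssh.service": """\
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
""",
}


def exec_binaries(unit_text):
    """Return the absolute executable path from every Exec* line of a unit."""
    paths = []
    for m in EXEC_LINE.finditer(unit_text):
        # systemd permits prefix characters (-, @, +, !, :) before the path.
        argv = shlex.split(m["cmd"].strip().lstrip("-@+!:"))
        if argv and argv[0].startswith("/"):
            paths.append(argv[0])
    return paths


def package_owns(path):
    """Ask dpkg, then rpm, whether path belongs to an installed package."""
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        try:
            result = subprocess.run(cmd, capture_output=True, text=True)
        except FileNotFoundError:  # that package manager is not installed
            continue
        if result.returncode == 0:
            return True
    return False


def audit_units(units, owned=package_owns):
    """Map unit path -> list of Exec* binaries not owned by any package.

    `units` maps unit path to unit text; `owned` is injectable so the logic
    can be exercised where no package manager is present.
    """
    findings = {}
    for unit_path, text in units.items():
        unowned = [p for p in exec_binaries(text) if not owned(p)]
        if unowned:
            findings[unit_path] = unowned
    return findings


def load_units(dirs=UNIT_DIRS):
    """Read every *.service file under dirs, de-duplicating symlinked dirs."""
    units = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.realpath(os.path.join(d, name))
            if name.endswith(".service") and os.path.isfile(path) and path not in units:
                with open(path, errors="replace") as fh:
                    units[path] = fh.read()
    return units


if __name__ == "__main__":
    for unit, binaries in audit_units(load_units()).items():
        print(f"{unit}: unowned binary {', '.join(binaries)}")
```

Two caveats when reading the output. A unit whose ExecStart is a packaged interpreter or shell (`/bin/sh -c '...'`) passes this check while hiding the payload in its arguments, so review those lines by hand; and locally built software will be flagged too, so compare against a known-good baseline of the host rather than treating every hit as GRIDTIDE. Timers, sockets, cron entries and rc.local are separate persistence locations and need their own pass.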

Google and its partners disrupted the campaign by terminating attacker-controlled Google Cloud projects, disabling malicious infrastructure, revoking Google Sheets API access, and notifying affected organizations.

Impacts: 

  • Attackers may gain visibility into call records, SMS metadata, or lawful intercept systems.
  • Compromised systems may contain information such as names, phone numbers, dates of birth, and national identification data.
  • Attackers can maintain long-term access for intelligence gathering or further compromise.
  • Use of legitimate cloud APIs makes detection significantly harder.

Threat Types: 

  • Cyber-espionage: Targeted surveillance against government and telecom organizations.
  • Advanced Persistent Threat (APT): Long-term infiltration campaigns designed to maintain covert access.
  • Cloud service abuse: Leveraging legitimate SaaS platforms such as Google Sheets for C2 communications.
  • Living-off-the-land techniques: Use of legitimate system tools and services to evade detection.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Inspect Linux servers for unauthorized systemd services and binaries linked to GRIDTIDE, such as /etc/systemd/system/xapt.service and /usr/sbin/xapt.
  • Isolate affected systems and begin forensic investigation.
  • Block outbound connections to attacker-controlled infrastructure.
  • Patch vulnerable web servers and network edge devices, the likely initial access points.
  • Reset compromised credentials and enforce multi-factor authentication (MFA).
  • Deploy updated endpoint detection tools capable of identifying APT behaviors.
  • Implement network segmentation to protect telecom core infrastructure.
  • Conduct proactive threat hunting for indicators associated with UNC2814 activity.
  • Monitor and audit cloud API usage across the enterprise. Flag servers, especially web and edge systems, that connect to the Google Sheets API or other SaaS services they have no business reason to use, as such traffic may be a covert command-and-control channel. Prefer allowlisting the hosts that legitimately need these APIs over blocking the services outright, which may break legitimate workloads.
  • Strengthen monitoring of telecom infrastructure to detect covert command-and-control channels.

References: