Thursday April 02, 2026

Advisory ID: NCC-CSIRT-2026-012

Summary: 

The Nigerian Communications Commission Computer Security Incident Response Team (NCC-CSIRT) is issuing this advisory to alert Telecommunications Operators, Internet Service Providers, and critical information infrastructure stakeholders to a global cyber espionage campaign involving the GRIDTIDE backdoor and the advanced threat actor UNC2814.

The campaign primarily targets telecommunications providers and government organizations worldwide and has affected dozens of organizations across multiple countries. The threat actor combines stealthy malware, legitimate cloud services used as a command-and-control channel, and persistent backdoors to keep long-term access to telecom networks and the sensitive communications data they hold.

Damage: Critical

Probability: High

Product(s)/Platform(s): 

The campaign does not target a specific vendor product but rather infrastructure commonly used in telecommunications environments, including:

  • Linux Servers and Web Servers
  • Edge Network Devices
  • Telecom Core Network Systems
  • Subscriber Databases
  • Call Data Record (CDR) Systems
  • Network Management Systems
  • Cloud Infrastructure and SaaS Platforms

Indicators of Compromise (IOCs): 

  • Connections to the Google Sheets API (sheets.googleapis.com) from servers with no business need for it, or other unusual SaaS API traffic
  • Unknown system services (e.g., xapt.service)
  • Unauthorized SSH lateral movement between servers
  • Use of SoftEther VPN connections
  • Unknown or unexpected service accounts
  • Unrecognized binaries or persistent malware in /usr/sbin
  • Unusual outbound encrypted connections
  • Cloud API traffic from servers that normally do not use cloud services

Description: 

The UNC2814 campaign is a long-running cyber espionage operation active since at least 2017, targeting telecommunications and government networks globally. The attackers deploy the GRIDTIDE backdoor, a C-based malware that uses legitimate cloud services, particularly the Google Sheets API, as a command-and-control (C2) channel so that its traffic blends in with normal cloud activity.

Instead of connecting to traditional malicious servers, the malware communicates with attacker-controlled spreadsheets: commands are placed in spreadsheet cells, read by the implant, and executed on the compromised system. The malware can execute shell commands, upload and download files, and collect system information from infected hosts.

Attackers typically gain initial access by exploiting vulnerable web servers or edge network devices. After gaining access, they establish persistence by installing the malware as a system service and move laterally through the network using service accounts and SSH connections. Encrypted tunnels such as SoftEther VPN are used to maintain covert communication and potentially to exfiltrate sensitive data such as personally identifiable information, call logs, and communications metadata.

The campaign specifically targets telecommunications networks because access to telecom infrastructure enables surveillance, monitoring of communications, and tracking of individuals through call data records and messaging metadata.
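The network indicator above (Google API traffic from servers that should never talk to Google, at a regular polling cadence) is the one most telecom operators can hunt for today from proxy or egress logs. The following is an added example written for this advisory, not NCC-CSIRT or vendor tooling: it parses constructed proxy log lines in an assumed format (timestamp, client host, method, URL, status), ignores hosts on an assumed allowlist of legitimate Google API users, and flags every other server contacting *.googleapis.com, noting whether the requests arrive at a near-constant interval as a beacon would. The host names, spreadsheet IDs and allowlist are all constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log sample (assumed format: time client method url status). Not real telemetry;
# spreadsheet IDs "1AbC" and "9XyZ" and all host names are made up for this example.
SAMPLE_LOG = """\
2026-03-30T01:00:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200
2026-03-30T01:03:12Z finance-ws-07 GET https://sheets.googleapis.com/v4/spreadsheets/9XyZ/values/Q1 200
2026-03-30T01:04:40Z cdr-ingest-02 GET https://www.googleapis.com/drive/v3/files 200
2026-03-30T01:05:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200
2026-03-30T01:09:00Z billing-db-01 GET https://mirror.example.net/ubuntu/dists/noble/InRelease 200
2026-03-30T01:10:01Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200
2026-03-30T01:15:00Z billing-db-01 PUT https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!C1 200
2026-03-30T01:20:00Z billing-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200
"""

# Assumed baseline: the only hosts with a documented need to call Google APIs.
ALLOWED_GOOGLE_API_CLIENTS = {"finance-ws-07"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_HOST_RE = re.compile(r"^https?://([^/]+)")
SHEET_ID_RE = re.compile(r"/v4/spreadsheets/([^/]+)")


def parse_line(line):
    """Parse one assumed-format proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = URL_HOST_RE.match(url)
    if not host:
        return None
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client, "method": method, "url": url,
        "host": host.group(1), "status": int(status),
    }


def is_periodic(times, min_requests=3, max_cv=0.2):
    """True when at least min_requests occur at a near-constant interval (beacon-like polling)."""
    if len(times) < min_requests:
        return False
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def hunt_google_api_beacons(log_text, allowed_clients=ALLOWED_GOOGLE_API_CLIENTS):
    """Return one finding per (client, Google API host) pair for clients outside the allowlist."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] == "googleapis.com" or rec["host"].endswith(".googleapis.com"):
            groups[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in sorted(groups.items()):
        if client in allowed_clients:
            continue
        sheet_ids = set()
        for r in recs:
            m = SHEET_ID_RE.search(r["url"])
            if m:
                sheet_ids.add(m.group(1))
        findings.append({
            "client": client,
            "api_host": host,
            "requests": len(recs),
            "methods": sorted({r["method"] for r in recs}),
            "spreadsheet_ids": sorted(sheet_ids),   # worth blocking/reporting if confirmed malicious
            "periodic": is_periodic([r["time"] for r in recs]),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_google_api_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the billing database server is reported with five Sheets requests at a five-minute cadence, including a PUT (a write back to the sheet, consistent with results being returned through the same channel), and the CDR ingest server is reported for a single Drive API call. A single request is not proof of compromise, but on a core system that has no reason to reach Google it is exactly the "cloud API traffic from servers that normally do not use cloud services" indicator listed above and should be triaged.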

Impacts: 

  • Gain persistent access to telecom networks
  • Monitor communications and subscriber data
  • Access call data records and SMS metadata
  • Conduct surveillance on targeted individuals
  • Move laterally across telecom infrastructure
  • Maintain long-term undetected access
  • Compromise government communications
  • Access lawful interception systems

Threat Types: 

  • Cyber Espionage
  • Advanced Persistent Threat (APT)
  • Backdoor Malware
  • Command and Control (C2)
  • Data Exfiltration
  • Network Intrusion
  • Persistence / Unauthorized Access

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Patch and secure all public-facing web servers and edge devices, which are the initial access vector described above.
  • Strictly monitor outbound connections to cloud services such as Google Sheets, Google Drive, and other SaaS platforms, and restrict them by allowlist to hosts with a documented need; core network, subscriber database and CDR systems should have no direct route to these APIs.
  • Implement network segmentation within telecom infrastructure.
  • Monitor for unauthorized system services and persistence mechanisms, such as systemd units or binaries under /usr/sbin that are not owned by any installed package.
  • Audit service accounts and SSH access logs, paying particular attention to server-to-server logins from unexpected source hosts.
  • Deploy Endpoint Detection and Response (EDR) solutions on critical servers.
  • Implement multi-factor authentication for administrative accounts.
  • Monitor VPN usage and block unauthorized VPN tools such as SoftEther.
  • Conduct proactive threat hunting against the indicators listed above rather than relying on alerts alone.
  • Review access to subscriber databases and call data record systems.
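The two host-side mitigations, checking for unauthorized services and auditing SSH logins by service accounts, can be scripted against data that every Linux server already has. The following is an added example written for this advisory, not NCC-CSIRT tooling or the actual GRIDTIDE implant: it audits a constructed set of systemd unit files against a constructed stand-in for the package manager's file ownership list (what `dpkg -S` or `rpm -qf` would report), and audits constructed sshd log lines against an assumed inventory of service accounts and the source addresses they are permitted to log in from. The unit named xapt.service comes from the indicator list above; its contents and the /usr/sbin/xapt path are assumptions made for the example, as are all host names and addresses.

```python
import re

# Constructed unit files (stand-in for /etc/systemd/system and /lib/systemd/system). The
# xapt.service body and its ExecStart path are assumed for this example; only the unit
# name appears in the advisory.
UNIT_FILES = {
    "/lib/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/lib/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "/etc/systemd/system/xapt.service": (
        "[Unit]\nDescription=apt helper\n"
        "[Service]\nExecStart=/usr/sbin/xapt\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}

# Constructed stand-in for `dpkg -S` / `rpm -qf`: every path owned by an installed package.
PACKAGE_OWNED = {
    "/usr/sbin/sshd", "/usr/sbin/cron",
    "/lib/systemd/system/ssh.service", "/lib/systemd/system/cron.service",
}

# Assumed service-account inventory: account -> source addresses it may log in from.
SERVICE_ACCOUNT_SOURCES = {"svc-backup": {"10.20.1.5"}}

# Constructed sshd log lines in the standard syslog format; fingerprints are placeholders.
AUTH_LOG = """\
Mar 30 01:12:44 hss-db-01 sshd[4121]: Accepted publickey for svc-backup from 10.20.1.5 port 41022 ssh2: ED25519 SHA256:placeholder1
Mar 30 01:13:09 hss-db-01 sshd[4130]: Accepted publickey for svc-backup from 10.20.7.33 port 51234 ssh2: ED25519 SHA256:placeholder2
Mar 30 01:13:40 hss-db-01 sshd[4141]: Accepted password for svc-nms from 10.20.7.33 port 51240 ssh2
Mar 30 01:14:02 hss-db-01 sshd[4150]: Failed password for root from 10.20.7.33 port 51251 ssh2
"""

# ExecStart may carry systemd's prefix characters (-, @, :, +, !) before the executable path.
EXECSTART_RE = re.compile(r"^ExecStart=[-@:+!]*(\S+)", re.M)
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def audit_services(unit_files, package_owned):
    """Flag units whose file or ExecStart binary is not owned by any installed package.

    Locally written admin units will show up too; the output is a triage list, not a verdict.
    """
    findings = []
    for path, text in unit_files.items():
        reasons = []
        if path not in package_owned:
            reasons.append("unit file not owned by any package")
        m = EXECSTART_RE.search(text)
        exe = m.group(1) if m else None
        if exe and exe not in package_owned:
            reasons.append(f"ExecStart binary {exe} not owned by any package")
        if reasons:
            findings.append({"unit": path.rsplit("/", 1)[1], "path": path,
                             "exe": exe, "reasons": reasons})
    return findings


def audit_ssh_logins(log_text, inventory):
    """Flag accepted logins by unknown accounts or from sources not in the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue   # failed attempts are noise for this check; successes are what matter
        method, user, src = m.groups()
        if user not in inventory:
            reason = "account not in service-account inventory"
        elif src not in inventory[user]:
            reason = "login from source not permitted for this account"
        else:
            continue
        findings.append({"user": user, "src": src, "method": method, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_services(UNIT_FILES, PACKAGE_OWNED):
        print("SERVICE", f)
    for f in audit_ssh_logins(AUTH_LOG, SERVICE_ACCOUNT_SOURCES):
        print("SSH", f)
```

On the constructed data the audit reports xapt.service twice over (the unit file and its binary are both outside the package database) and two SSH logins to the subscriber database host from 10.20.7.33: one by the backup account from an address it never uses, one by an account that is not in the inventory at all. A source host that shows up in both reports is the first place to look for the implant.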

References: