In February 2026, Google and Mandiant disrupted a long-running Chinese cyber-espionage campaign that had compromised 53 victims across 42 countries since 2017, primarily telecommunications providers and government organizations. The operation, tracked as GRIDTIDE, relied on a previously unseen backdoor that used attacker-controlled Google Sheets as its command-and-control channel, letting the suspected China-nexus group UNC2814 blend its traffic with legitimate cloud usage while stealing sensitive data, including personal information and communications records.
The takedown represents one of the most significant disruptions of Chinese cyber espionage in recent years, according to a detailed report from Google’s Threat Intelligence Group and Mandiant. The coordinated response involved terminating the attackers’ Google Cloud Projects, disabling their infrastructure, and revoking access to the Google Sheets API that served as the operation’s backbone.
During the investigation, security researchers discovered the backdoor had accessed systems containing extensive personally identifiable information, including full names, phone numbers, birth details, and national ID numbers. Google stated that this level of access would enable the attackers to monitor communications and surveil dissidents, activists, and other targets of interest.
The campaign’s focus on telecommunications companies aligns with historical Chinese espionage efforts aimed at stealing call data records and SMS messages for surveillance purposes, according to the report. Beyond the 42 countries with confirmed intrusions, investigators identified a further 20 countries where infections are suspected but not yet confirmed.
Technical Innovation and Evasion
The GRIDTIDE backdoor represented a notable evolution in cyber-espionage tradecraft. The malware polled specific cells of an attacker-controlled spreadsheet through the Google Sheets API, so its command-and-control traffic looked like ordinary cloud service usage. Cell A1 carried commands, cell V1 held the victim machine’s fingerprint, and other cells carried larger transfers split into 45-kilobyte chunks, according to Google’s technical analysis.
All data transmitted was encoded, not encrypted, with a URL-safe Base64 variant: the encoding keeps cell contents from matching content filters that look for plaintext commands, but it is trivially reversible and offers no confidentiality on its own. The attackers also used Google Drive to store malware configurations and deployed SoftEther VPN Bridge to tunnel traffic over encrypted connections that further obscured their activity.
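The cell layout and encoding described above, turned into a forensic decoder for a spreadsheet snapshot exported as CSV. This is an added example, not tooling from Google, Mandiant or the report: the page gives only A1 (commands), V1 (fingerprint) and 45 KB chunking, so the placement of the chunk cells (column B from row 2 downward) is a hypothetical layout, and the sample snapshot and payload are constructed here.

```python
"""Added example: decode a Sheets-backed C2 snapshot (not the report's tooling).

The page states A1 carried commands, V1 a host fingerprint, and other cells
carried URL-safe Base64 payloads in 45 KB chunks. Which cells hold the chunks
is not stated; this example assumes column B from row 2 downward (hypothetical).
"""
import base64
import csv
import io
import itertools

CHUNK_SIZE = 45 * 1024  # per-cell payload size stated on the page


def col_index(col):
    """Spreadsheet column letters -> zero-based index ('A'->0, 'V'->21, 'AA'->26)."""
    n = 0
    for ch in col.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


def decode_cell(value):
    """URL-safe Base64 (RFC 4648 section 5) with any stripped '=' padding restored."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value)


def reassemble(chunks, chunk_size=CHUNK_SIZE):
    """Concatenate decoded chunks in cell order.

    Every chunk except the last should decode to exactly chunk_size bytes; a
    shorter non-final chunk points at a missing or truncated cell, so its
    index is reported rather than silently accepted.
    """
    data = bytearray()
    short = []
    for i, cell in enumerate(chunks):
        piece = decode_cell(cell)
        if i < len(chunks) - 1 and len(piece) != chunk_size:
            short.append(i)
        data += piece
    return bytes(data), short


def parse_snapshot(csv_text, chunk_col="B", chunk_size=CHUNK_SIZE):
    """Pull command, fingerprint and reassembled payload out of a CSV export."""
    rows = list(csv.reader(io.StringIO(csv_text)))

    def cell(r, c):
        return rows[r][c] if r < len(rows) and c < len(rows[r]) else ""

    command = decode_cell(cell(0, col_index("A"))).decode("utf-8", "replace")
    fingerprint = decode_cell(cell(0, col_index("V"))).decode("utf-8", "replace")
    ci = col_index(chunk_col)
    # Chunks run downward from row 2 until the first empty cell (assumption).
    chunks = list(itertools.takewhile(bool, (cell(r, ci) for r in range(1, len(rows)))))
    data, short = reassemble(chunks, chunk_size)
    return {"command": command, "fingerprint": fingerprint,
            "data": data, "short_chunks": short}


def _enc(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def build_sample_snapshot(payload, chunk_size):
    """Constructed sample: lay out a snapshot the way parse_snapshot expects."""
    row1 = [""] * (col_index("V") + 1)
    row1[col_index("A")] = _enc(b"uname -a")                              # constructed
    row1[col_index("V")] = _enc(b"host-01|Linux 5.15|00:11:22:33:44:55")  # constructed
    rows = [row1]
    for off in range(0, len(payload), chunk_size):
        rows.append(["", _enc(payload[off:off + chunk_size])])
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


# Constructed payload, shaped like the call-record data the page says was stolen.
SAMPLE_PAYLOAD = b"record,msisdn,imsi\n1,+15555550100,310150123456789\n"

if __name__ == "__main__":
    # A 16-byte chunk keeps the sample small; real cells carry CHUNK_SIZE bytes.
    snap = build_sample_snapshot(SAMPLE_PAYLOAD, chunk_size=16)
    print(parse_snapshot(snap, chunk_size=16))
```

Run it against a real export by calling `parse_snapshot` with the default 45 KB chunk size; a non-empty `short_chunks` list means the snapshot is missing cells and the reassembled payload should not be trusted as complete.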
Once inside a network, UNC2814 moved laterally over SSH using service accounts and persisted by installing systemd services that relaunched the malware at boot, investigators found.
Google and Mandiant published detection guidance for defenders, including monitoring for non-browser processes making HTTPS requests to Google Sheets endpoints and for executables launching from unusual directories. The disruption underlines how legitimate cloud services are increasingly used as espionage infrastructure, undermining security models that implicitly trust traffic to major platforms.
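The two hunting leads above, plus the systemd persistence described earlier, as working checks over sample telemetry. This is an added example, not detection content from Google or Mandiant: the JSON-lines event format and field names, the browser allowlist, the Sheets host list, the "unusual directory" heuristic and the sample events and unit file are all constructed for this example and are starting points to tune, not signatures from the report.

```python
"""Added detection example for the hunting leads on this page. Not Google or
Mandiant tooling.

Assumptions (all constructed for this example): telemetry is JSON lines with
the fields below; the browser allowlist, host list and "unusual directory"
heuristic are starting points to tune, not signatures from the report.
"""
import json
import re

# Processes expected to talk to Google Sheets/Docs/Drive (tune per fleet).
BROWSERS = {
    "chrome", "google-chrome", "google-chrome-stable", "chromium",
    "chromium-browser", "firefox", "firefox-esr", "brave", "brave-browser",
    "msedge", "safari",
}

# Hosts an implant polling a spreadsheet would reach over HTTPS (assumption).
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com", "drive.google.com"}

# World-writable scratch locations a service binary should not live in.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_browser(exe):
    """True when the executable's basename is on the browser allowlist."""
    return exe.rsplit("/", 1)[-1].lower() in BROWSERS


def from_unusual_dir(exe):
    """True for temp directories or any hidden ('.'-prefixed) path component."""
    if exe.startswith(UNUSUAL_PREFIXES):
        return True
    return any(part.startswith(".") for part in exe.split("/")[1:])


def analyze(lines):
    """Apply both hunting rules to JSON-lines telemetry; return alert dicts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        exe = ev.get("exe", "")
        if ev.get("event") == "net_connect":
            # Rule 1: non-browser process opening HTTPS to a Sheets endpoint.
            if (ev.get("dst_port") == 443
                    and ev.get("dst_host") in SHEETS_HOSTS
                    and not is_browser(exe)):
                alerts.append({"rule": "non_browser_to_sheets", "pid": ev["pid"],
                               "exe": exe, "dst_host": ev["dst_host"]})
        elif ev.get("event") == "exec":
            # Rule 2: executable launched from an unusual directory.
            if from_unusual_dir(exe):
                alerts.append({"rule": "exec_from_unusual_dir",
                               "pid": ev["pid"], "exe": exe})
    return alerts


_EXECSTART = re.compile(r"^\s*ExecStart=[-@+!:]*(\S+)", re.MULTILINE)
_RESTART = re.compile(r"^\s*Restart=(\S+)", re.MULTILINE)


def check_systemd_unit(unit_text):
    """Flag a unit whose ExecStart binary sits in an unusual directory."""
    m = _EXECSTART.search(unit_text)
    if not m:
        return None
    path = m.group(1)
    r = _RESTART.search(unit_text)
    return {"exec_path": path, "unusual_dir": from_unusual_dir(path),
            "restart": r.group(1) if r else None}


# Constructed sample telemetry: one implant-like process plus benign noise.
SAMPLE_EVENTS = """
{"event": "exec", "pid": 4242, "ppid": 1, "user": "svc-backup", "exe": "/tmp/.cache/updater"}
{"event": "net_connect", "pid": 4242, "user": "svc-backup", "exe": "/tmp/.cache/updater", "dst_host": "sheets.googleapis.com", "dst_port": 443}
{"event": "net_connect", "pid": 1337, "user": "alice", "exe": "/opt/google/chrome/chrome", "dst_host": "sheets.googleapis.com", "dst_port": 443}
{"event": "net_connect", "pid": 3100, "user": "svc-backup", "exe": "/opt/backup/gcs-sync", "dst_host": "storage.googleapis.com", "dst_port": 443}
{"event": "exec", "pid": 900, "ppid": 1, "user": "root", "exe": "/usr/sbin/sshd"}
""".strip().splitlines()

# Constructed sample unit in the shape the page describes (relaunch at boot).
SAMPLE_UNIT = """
[Unit]
Description=System update helper
After=network-online.target

[Service]
ExecStart=/tmp/.cache/updater --daemon
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print(check_systemd_unit(SAMPLE_UNIT))
```

Of the five sample events only the two from PID 4242 alert: the browser reaching Sheets is allowlisted, the backup job talks to a host outside the Sheets set, and sshd runs from a normal path. Expect the browser allowlist and hidden-directory heuristic to need tuning on real fleets (for example, tools under `~/.local/bin`), and pair rule 1 with a baseline of which service accounts ever reach Google APIs at all.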
Sources
- Google Cloud