Google, Mandiant Disrupt Global Espionage Campaign Abusing Google Sheets as Covert Command Channel
Relying on Stealth Rather Than Being a Smash-and-Grab Attack Exploiting a Glaring Vulnerability

Google Threat Intelligence Group (GTIG), alongside Mandiant and other partners, recently moved to dismantle a sweeping cyber espionage campaign targeting telecommunications providers and government organisations across four continents.
At the centre of the operation is UNC2814, a suspected People’s Republic of China (PRC)-nexus threat actor that GTIG has tracked since 2017. The group has a long history of infiltrating international governments and global telecommunications firms across Africa, Asia, and the Americas. At the time of disruption, confirmed intrusions had been identified in 42 countries, with 53 verified victims and suspected infections in at least 20 additional nations.
Notably, this was not a smash-and-grab attack exploiting a glaring vulnerability. Instead, UNC2814 relied on stealth.
The group abused legitimate cloud functionality—specifically Google Sheets API calls—as command-and-control (C2) infrastructure. By embedding malicious communications within ordinary SaaS traffic, the attackers were able to disguise their activity as benign. Rather than breaking the system, they made the system work for them.
According to GTIG, the activity was not the result of a flaw in Google’s products. The attackers leveraged legitimate Google Sheets API functionality to mask their traffic and operate undetected.
Mandiant Finds Backdoor Named GRIDTIDE
Mandiant’s investigation accelerated GTIG’s understanding of the campaign, uncovering a novel C-based backdoor tracked as GRIDTIDE.
The malware was first flagged when suspicious activity appeared on a CentOS server. Analysts identified a process originating from /var/tmp/xapt, which spawned a shell with root privileges and executed the command sh -c id 2>&1 to confirm privilege escalation. The output revealed full root access.
The filename “xapt” was likely chosen to mimic the legacy package management tool used in Debian-based systems—an example of subtle deception embedded within the attack chain.

Post-compromise, UNC2814 moved laterally via SSH using a service account and living-off-the-land binaries. To maintain persistence, the actor created a malicious service at /etc/systemd/system/xapt.service, ensuring the malware relaunched from /usr/sbin/xapt upon execution.
SoftEther VPN Bridge was then deployed to establish an outbound encrypted connection to external infrastructure, which investigators believe has been in use since July 2018.
More concerning, GRIDTIDE was deployed on endpoints containing personally identifiable information (PII), including full names, phone numbers, dates and places of birth, voter ID numbers, and national ID numbers. While GTIG did not directly observe data exfiltration in this specific campaign, historical PRC-linked intrusions into telecommunications networks have involved the theft of call data records, unencrypted SMS messages, and the abuse of lawful intercept systems.
The implication is clear: access of this nature enables surveillance.

A Spreadsheet as a Command Centre
GRIDTIDE transforms a Google spreadsheet into a covert communications hub.
The malware connects to an attacker-controlled Google Sheet using a compromised service account. It sanitises the document by deleting the first 1,000 rows across columns A to Z before initiating a polling mechanism. Specific cells are assigned roles: A1 for commands and status responses, A2 onward for data transfer, and V1 for encoded host reconnaissance data.
Commands follow a four-part syntax, allowing the attacker to execute shell commands, upload files, or download data in fragments. Responses are written back into the spreadsheet, confirming success or returning error messages.
All traffic is encoded using a URL-safe Base64 scheme, replacing traditional characters to evade detection and web filtering tools.
In short, the spreadsheet is no longer a document—it is a communication channel.
A Global Footprint
UNC2814’s targeting scope is extensive. GTIG confirmed intrusions in 42 countries and identified suspected operations in at least 20 more. The campaign primarily targeted telecommunications providers, though government organisations were also impacted.
Notably, GTIG stated that UNC2814’s activity does not overlap with publicly reported operations attributed to “Salt Typhoon,” and employs distinct tactics, techniques, and procedures.
Although the precise initial access vector in this campaign remains undetermined, UNC2814 has historically gained entry by exploiting web servers and edge systems.
Disruption Efforts
To counter the operation, GTIG executed coordinated disruption measures:
All Google Cloud projects controlled by the attacker were terminated, severing persistent GRIDTIDE access. Known UNC2814 infrastructure was identified and disabled, including the sinkholing of current and historical domains. Attacker accounts were revoked, and access to Google Sheets APIs used for C2 was disabled.
GTIG also issued formal victim notifications and released a collection of indicators of compromise (IOCs) tied to UNC2814 infrastructure active since at least 2023.
Detection signatures were refined and implemented across Google Security Operations (SecOps), enabling customers to identify suspicious behaviours such as shell execution from /var/tmp/, anomalous SSH file access, and unusual Google Sheets API connections initiated by non-browser processes.
An Ongoing Contest
The scale of UNC2814’s activity—confirmed or suspected across more than 70 countries—underscores the evolving threat facing telecommunications and government sectors. Campaigns of this breadth are rarely opportunistic; they are typically the result of sustained, multi-year effort.
GTIG expects UNC2814 to attempt to re-establish its global footprint.
The broader lesson, however, is not limited to one threat actor. As cloud services become foundational to digital operations, attackers are increasingly embedding themselves within legitimate infrastructure rather than breaking through it.
In today’s cybersecurity landscape, the line between normal traffic and malicious intent is becoming harder to distinguish.
And sometimes, the command centre is hiding in plain sight—inside a spreadsheet.



