Global Telecommunications & Govt Agencies Intrusion by UNC2814

Published Date: February 27, 2026

Category: ShadowOpsIntel

GTIG in partnership with Mandiant, disrupted a large-scale global cyber espionage campaign attributed to UNC2814, a suspected PRC-nexus threat actor active since at least 2017. The campaign leveraged a novel backdoor named GRIDTIDE, targeting telecommunications providers and government organizations across 42 confirmed countries, with suspected activity in at least 20 more.

Severity: High

Threat Actor: Unc2814

Attribution: Suspected People’s Republic of China (PRC)-nexus cyber espionage group
Operational history: Active since at least 2017
Scope: Confirmed intrusions in 42 countries; suspected targeting in over 70 nations across Africa, Asia, and the Americas.
Primary sectors targeted: Telecommunications (primary focus), and Government organizations.
Objective: Strategic surveillance and intelligence collection, particularly targeting communications data and personally identifiable information (PII).
Distinctness: GTIG noted that UNC2814 activity is distinct from operations publicly reported as “Salt Typhoon”.

The Gridtide Backdoor

The campaign’s primary tool is GRIDTIDE, a sophisticated C-based backdoor.
Its most notable feature is the use of Google Sheets as a high-availability Command and Control (C2) platform. By treating spreadsheets as communication channels rather than documents, the malware hides malicious traffic within legitimate API requests, successfully evading standard network detection.
GRIDTIDE employs a cell-based polling mechanism where cell A1 is monitored for commands, V1 stores victim metadata, and A2-An is used for data transfer.
Employs a URL-safe Base64 encoding scheme to bypass web filtering.
Capabilities: Arbitrary shell execution, file upload/download, and host reconnaissance.

Attack Details

Initial Access: Entry is typically gained by compromising web servers and edge systems.
Privilege Escalation: The actor uses a binary named xapt (masquerading as a Debian tool) to initiate a shell with root privileges.
Persistence: The malware establishes itself as a systemd service at /etc/systemd/system/xapt.service and uses nohup to ensure it continues running after sessions close.
Lateral Movement: Actors utilize service accounts to move through environments via SSH.
Data Exfiltration: Deploys SoftEther VPN Bridge to establish encrypted outbound connections for exfiltrating sensitive PII and potentially call data records.

Recommendations

Monitor and alert on non-browser processes or service accounts making HTTPS connections to sheets.googleapis.com with parameters including batchClear, batchUpdate, or valueRenderOption=FORMULA
Monitor for executables with alphanumeric-named binaries (e.g., xapt), launching from the /var/tmp/ directory, and spawning a shell.
Regularly audit /etc/systemd/system/ for new or suspicious services. UNC2814 establishes persistence by creating a malicious service file (e.g., xapt.service) to ensure the backdoor survives reboots.
Monitor for unauthorized deployments of SoftEther VPN Bridge.
Identify configuration files being created at, modified, or moved to unexpected locations (like /usr/sbin, /sbin, or /var/tmp).
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/5ff573f02433c41ead328396131c5567be798fa755ca8b66db659cb4ddf68ebe/iocs

Mitre Att&Ck

Tactic	Technique Name	Technique ID	Activity/Description
Initial Access	Exploit Public-Facing Application	T1190	UNC2814 historically gained entry via exploitation of web servers and edge systems
Execution	Command and Scripting Interpreter: Unix Shell	T1059.004	Execution of sh -c id 2>&1
Persistence	Create or Modify System Process: Systemd Service	T1543.002	Creates a systemd service for the malware at /etc/systemd/system/xapt.service.
Privilege Escalation	Exploitation for Privilege Escalation	T1068	Initiates a shell with root privileges from /var/tmp/xapt.
Defense Evasion	Masquerading: Match Legitimate Name or Location	T1036.005	Uses the name xapt to masquerade as a legacy Debian tool.
	Data Encoding: Standard Encoding	T1132.001	Employs a URL-safe Base64 encoding scheme to bypass web filtering and detection.
Lateral Movement	Remote Services: SSH	T1021.004	Moves laterally within compromised environments using service accounts via SSH.
Command and Control	Web Service: Bidirectional Communication	T1102.002	Abuses legitimate Google Sheets API functionality as a communication channel for C2.
	Application Layer Protocol: Web Protocols	T1071.001	Leverages HTTPS requests to sheets.googleapis.com for command polling.
	External Remote Services	T1133	Deploys SoftEther VPN Bridge for outbound encrypted connections.
Exfiltration	Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	Transfers victim data and host metadata into Google Sheet cells (A2:An and V1).

Source:

https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.