Global Telecommunications & Govt Agencies Intrusion by UNC2814

Published Date: February 27, 2026
Category: ShadowOpsIntel
Share:

GTIG in partnership with Mandiant, disrupted a large-scale global cyber espionage campaign attributed to UNC2814, a suspected PRC-nexus threat actor active since at least 2017. The campaign leveraged a novel backdoor named GRIDTIDE, targeting telecommunications providers and government organizations across 42 confirmed countries, with suspected activity in at least 20 more.

Severity: High

Threat Actor: Unc2814

  • Attribution: Suspected People’s Republic of China (PRC)-nexus cyber espionage group
  • Operational history: Active since at least 2017
  • Scope: Confirmed intrusions in 42 countries; suspected targeting in over 70 nations across Africa, Asia, and the Americas.
  • Primary sectors targeted: Telecommunications (primary focus), and Government organizations.
  • Objective: Strategic surveillance and intelligence collection, particularly targeting communications data and personally identifiable information (PII).
  • Distinctness: GTIG noted that UNC2814 activity is distinct from operations publicly reported as “Salt Typhoon”.

The Gridtide Backdoor

  • The campaign’s primary tool is GRIDTIDE, a sophisticated C-based backdoor.
  • Its most notable feature is the use of Google Sheets as a high-availability Command and Control (C2) platform. By treating spreadsheets as communication channels rather than documents, the malware hides malicious traffic within legitimate API requests, successfully evading standard network detection.
  • GRIDTIDE employs a cell-based polling mechanism where cell A1 is monitored for commands, V1 stores victim metadata, and A2-An is used for data transfer.
  • Employs a URL-safe Base64 encoding scheme to bypass web filtering.
  • Capabilities: Arbitrary shell execution, file upload/download, and host reconnaissance.

Attack Details

  • Initial Access: Entry is typically gained by compromising web servers and edge systems.
  • Privilege Escalation: The actor uses a binary named xapt (masquerading as a Debian tool) to initiate a shell with root privileges.
  • Persistence: The malware establishes itself as a systemd service at /etc/systemd/system/xapt.service and uses nohup to ensure it continues running after sessions close.
  • Lateral Movement: Actors utilize service accounts to move through environments via SSH.
  • Data Exfiltration: Deploys SoftEther VPN Bridge to establish encrypted outbound connections for exfiltrating sensitive PII and potentially call data records.

Recommendations

  1. Monitor and alert on non-browser processes or service accounts making HTTPS connections to sheets.googleapis.com with parameters including batchClear, batchUpdate, or valueRenderOption=FORMULA
  2. Monitor for executables with alphanumeric-named binaries (e.g., xapt), launching from the /var/tmp/ directory, and spawning a shell.
  3. Regularly audit /etc/systemd/system/ for new or suspicious services. UNC2814 establishes persistence by creating a malicious service file (e.g., xapt.service) to ensure the backdoor survives reboots.
  4. Monitor for unauthorized deployments of SoftEther VPN Bridge.
  5. Identify configuration files being created at, modified, or moved to unexpected locations (like /usr/sbin, /sbin, or /var/tmp).
  6. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/5ff573f02433c41ead328396131c5567be798fa755ca8b66db659cb4ddf68ebe/iocs

Mitre Att&Ck

TacticTechnique NameTechnique IDActivity/Description
Initial AccessExploit Public-Facing ApplicationT1190UNC2814 historically gained entry via exploitation of web servers and edge systems
ExecutionCommand and Scripting Interpreter: Unix ShellT1059.004Execution of sh -c id 2>&1
PersistenceCreate or Modify System Process: Systemd ServiceT1543.002Creates a systemd service for the malware at /etc/systemd/system/xapt.service.
Privilege EscalationExploitation for Privilege EscalationT1068Initiates a shell with root privileges from /var/tmp/xapt.
Defense EvasionMasquerading: Match Legitimate Name or LocationT1036.005Uses the name xapt to masquerade as a legacy Debian tool.
 Data Encoding: Standard EncodingT1132.001Employs a URL-safe Base64 encoding scheme to bypass web filtering and detection.
Lateral MovementRemote Services: SSHT1021.004Moves laterally within compromised environments using service accounts via SSH.
Command and ControlWeb Service: Bidirectional CommunicationT1102.002Abuses legitimate Google Sheets API functionality as a communication channel for C2.
 Application Layer Protocol: Web ProtocolsT1071.001Leverages HTTPS requests to sheets.googleapis.com for command polling.
 External Remote ServicesT1133Deploys SoftEther VPN Bridge for outbound encrypted connections.
ExfiltrationExfiltration Over Web Service: Exfiltration to Cloud StorageT1567.002Transfers victim data and host metadata into Google Sheet cells (A2:An and V1).

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert