Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Summary:
UNC2814, a suspected People's Republic of China (PRC)-nexus cyber espionage group active since at least 2017, has conducted a large-scale global espionage campaign against telecommunications and government entities across four continents. As of February 18, 2026, investigations had confirmed 53 victim intrusions across 42 countries, with suspected infections in at least 20 additional nations. The campaign's strategic focus is the exfiltration of personally identifiable information (PII), such as full names, national IDs, and voter IDs, to monitor persons of interest. Historically, the actor has also targeted call data records, SMS messages, and lawful intercept systems for wide-scale surveillance. Previous reporting documents an initial focus on Southeast Asia, the Middle East, and Africa, suggesting that the group's targeting tends to mirror China's geopolitical investments.

For post-compromise communication, UNC2814 relies on a novel C-based backdoor dubbed "GRIDTIDE," which abuses legitimate Google Sheets API functionality for command and control (C2). Google Threat Intelligence Group (GTIG), Mandiant, and partners recently disrupted this activity by terminating the attacker's Google Cloud projects, disabling the associated service accounts, and sinkholing infrastructure that had been active since at least 2023. There is no observed overlap between publicly reported UNC2814 activity and Salt Typhoon.
Security Officer Comments:
While the initial access vector for this specific campaign remains undetermined, UNC2814 historically gains entry by exploiting and compromising web servers and edge systems. Once inside, the attack chain relies heavily on living-off-the-land techniques. In observed intrusions, the threat actor used a compromised service account to move laterally across the environment via SSH. Upon landing on a Linux host, the attacker drops the GRIDTIDE payload under the name xapt to blend in with legacy Debian package management tooling. The actor then escalates privileges and runs reconnaissance commands (for example, id) to confirm root access. Persistence is established through a systemd unit at /etc/systemd/system/xapt.service that launches the binary from /usr/sbin/xapt. To maintain encrypted outbound access, UNC2814 also deploys a SoftEther VPN Bridge; configuration metadata indicates the actor has used this VPN infrastructure since July 2018.
GRIDTIDE is a C-based backdoor that uses Google Sheets as a high-availability C2 platform, treating a cloud spreadsheet as a raw data-transfer channel and evading traditional web filtering by hiding its traffic inside benign-looking Google API requests. The backdoor will not run without a 16-byte key stored locally on the host; it uses this key to decrypt its Google Drive configuration with AES-128 in Cipher Block Chaining (CBC) mode. The decrypted configuration contains a Google service account, that account's private key, and the target spreadsheet ID. On startup, GRIDTIDE clears the spreadsheet by deleting the first 1,000 rows with the batchClear API method, then fingerprints the host (username, OS, local IP, language, and timezone) and writes the result to cell V1. It then polls cell A1 once per second for commands. After 120 consecutive empty polls, which the malware takes to mean the operator is inactive, it falls back to a randomized sleep interval of 5 to 10 minutes between polls. All communications are encoded with a URL-safe Base64 variant in which + and / are replaced by - and _.
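As an added illustration of the channel described above (this is not code from the GTIG/Mandiant report and not GRIDTIDE itself), the following Python models both sides of the exchange against an in-memory stand-in for the Sheets values API: the URL-safe Base64 variant, the batchClear of rows 1 to 1,000, the fingerprint written to V1, the operator placing a command in A1, and the one-second poll that backs off to a randomized 5 to 10 minute sleep after 120 misses. The AES-128-CBC decryption of the configuration is omitted. FakeSheet, the clearing of A1 after a command is read, the fingerprint field names, and the placeholder IP address are assumptions made for the example.

```python
import base64
import json
import os
import platform
import random
import re
import time


class FakeSheet:
    """Constructed stand-in for the Sheets values API: an in-memory dict of A1-style cells.
    Only the calls the report attributes to GRIDTIDE are modelled; nothing talks to Google."""

    def __init__(self):
        self.cells = {}
        self.calls = []  # audit trail of API methods invoked, in order

    def batch_clear(self, first_row, last_row):
        self.calls.append("batchClear")
        row = lambda ref: int(re.sub(r"[A-Z]+", "", ref))
        self.cells = {r: v for r, v in self.cells.items() if not first_row <= row(r) <= last_row}

    def get(self, ref):
        self.calls.append("values.get")
        return self.cells.get(ref, "")

    def update(self, ref, value):
        self.calls.append("values.update")
        self.cells[ref] = value


def gridtide_encode(data: bytes) -> str:
    """Standard Base64 with '+' -> '-' and '/' -> '_', as the report describes."""
    return base64.b64encode(data).decode("ascii").replace("+", "-").replace("/", "_")


def gridtide_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "/"))


def host_fingerprint() -> dict:
    """The five fields the report says are collected; the IP is a placeholder here (assumption)."""
    try:
        user = os.getlogin()
    except OSError:
        user = os.environ.get("USER", "unknown")
    return {"user": user, "os": platform.system(), "ip": "127.0.0.1",
            "lang": os.environ.get("LANG", ""), "tz": time.tzname[0]}


class Implant:
    """Implant-side state machine for the check-in and polling behaviour described above."""
    POLL_INTERVAL = 1            # seconds between reads of A1 while active
    IDLE_THRESHOLD = 120         # consecutive empty reads before backing off
    BACKOFF = (5 * 60, 10 * 60)  # randomised 5-10 minute sleep once idle

    def __init__(self, sheet, rng=None):
        self.sheet, self.rng, self.idle_polls = sheet, rng or random.Random(), 0

    def check_in(self, fingerprint=None):
        """batchClear rows 1-1000, then write the encoded host fingerprint to V1."""
        self.sheet.batch_clear(1, 1000)
        fp = fingerprint or host_fingerprint()
        self.sheet.update("V1", gridtide_encode(json.dumps(fp).encode()))

    def poll(self):
        """Read A1 once; return the decoded command, or None when the cell is empty.
        Assumption (not in the report): a consumed command is cleared so it is not run twice."""
        raw = self.sheet.get("A1")
        if not raw:
            self.idle_polls += 1
            return None
        self.idle_polls = 0
        self.sheet.update("A1", "")
        return gridtide_decode(raw).decode()

    def next_sleep(self) -> int:
        """Seconds to wait before the next poll: 1 s, or 5-10 min after 120 misses."""
        if self.idle_polls >= self.IDLE_THRESHOLD:
            return self.rng.randint(*self.BACKOFF)
        return self.POLL_INTERVAL


def operator_task(sheet, command: str):
    """Operator side: place an encoded command in A1 for the implant to pick up."""
    sheet.update("A1", gridtide_encode(command.encode()))


def simulate() -> dict:
    """One check-in, 120 idle polls, then a tasked 'id' command; returns a trace of what happened."""
    sheet = FakeSheet()
    implant = Implant(sheet, rng=random.Random(0))
    implant.check_in({"user": "svc", "os": "Linux", "ip": "10.0.0.5", "lang": "C.UTF-8", "tz": "UTC"})
    trace = {"api_calls": list(sheet.calls), "sleep_while_active": implant.next_sleep()}
    for _ in range(Implant.IDLE_THRESHOLD):
        implant.poll()
    trace["sleep_when_idle"] = implant.next_sleep()
    operator_task(sheet, "id")
    trace["command"] = implant.poll()
    trace["sleep_after_task"] = implant.next_sleep()
    trace["fingerprint"] = json.loads(gridtide_decode(sheet.get("V1")))
    return trace


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

Running it prints the trace: the first two API calls are batchClear then the V1 write, the poll interval is 1 second while the operator is active, jumps into the 300 to 600 second range after 120 empty reads, and drops back to 1 second as soon as a command is consumed. The detection value is in that shape: a host that hits the Sheets API once a second for minutes and then goes quiet on a 5 to 10 minute cadence is not a spreadsheet user.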
Suggested Corrections:
A list of IOCs is available in the GTIG blog post.
GRIDTIDE-Specific
- Hunt for Suspicious API Connectivity: Query proxy and network logs for non-browser processes initiating outbound HTTPS requests to Google Sheets API URIs (e.g., requests containing batchClear, batchUpdate, or the valueRenderOption=FORMULA query parameter).
- Monitor Temporary Directories: Alert on executables, particularly those with short alphanumeric file names, launching from the /var/tmp/ directory, especially binaries that spawn sh or bash.
- Audit Configuration File Creation: Monitor for .cfg file creation, modification, or movement in restricted system directories (/usr/sbin/, /sbin/, /var/tmp/).
- Block Known IOCs: Implement network-level blocking for the identified C2 domains, SoftEther VPN infrastructure IPs, and GRIDTIDE-specific User-Agent strings.
- Hunt for SoftEther VPN Artifacts: Search environments for unauthorized SoftEther VPN installations (e.g., hamcore.se2, vmlog extracted from update.tar.gz).
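To make the GRIDTIDE-specific hunts above concrete, here is an added Python example (not from the GTIG blog post or any vendor detection content) that runs them over constructed key=value telemetry: non-browser processes calling the Sheets API with the listed methods or parameter, binaries under /var/tmp spawning sh or bash, .cfg writes into the restricted directories, the xapt persistence paths, and the SoftEther file names. The record format, the browser allow-list, the six-character cut-off for "short alphanumeric", and the severity labels are assumptions made for the example; sheets.googleapis.com is the Sheets API v4 host.

```python
import os
import re

# Constructed sample telemetry in key=value form (not real victim logs).
NETWORK_EVENTS = [
    "proc=/usr/sbin/xapt host=sheets.googleapis.com uri=/v4/spreadsheets/ID/values:batchClear",
    "proc=/usr/lib/firefox/firefox host=sheets.googleapis.com uri=/v4/spreadsheets/ID/values/A1?valueRenderOption=FORMULA",
    "proc=/var/tmp/a7k host=sheets.googleapis.com uri=/v4/spreadsheets/ID/values:batchUpdate",
    "proc=/usr/bin/curl host=www.example.com uri=/index.html",
]
PROCESS_EVENTS = [
    "parent=/var/tmp/a7k cmd=sh -c id",
    "parent=/usr/bin/bash cmd=ls -la",
    "parent=/var/tmp/vendor-agent-installer cmd=bash -c whoami",
]
FILE_EVENTS = [
    "op=create path=/usr/sbin/xapt.cfg",
    "op=create path=/home/alice/app.cfg",
    "op=create path=/etc/systemd/system/xapt.service",
    "op=create path=/opt/vpn/hamcore.se2",
]

SHEETS_HOST = "sheets.googleapis.com"  # Sheets API v4 endpoint
SHEETS_MARKERS = ("batchClear", "batchUpdate", "valueRenderOption=FORMULA")
BROWSERS = {"firefox", "chrome", "chromium", "google-chrome", "brave"}  # assumed allow-list
RESTRICTED_DIRS = {"/usr/sbin", "/sbin", "/var/tmp"}
XAPT_ARTIFACTS = {"/etc/systemd/system/xapt.service", "/usr/sbin/xapt"}
SOFTETHER_ARTIFACTS = {"hamcore.se2", "vmlog", "update.tar.gz"}
SHORT_NAME = re.compile(r"^[A-Za-z0-9]{1,6}$")  # "short alphanumeric" cut-off is an assumption

KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_kv(line: str) -> dict:
    """Turn 'k=v k2=v2 ...' into a dict; values may contain spaces or '=' (cmd=..., uri=...?x=y)."""
    return dict(KV.findall(line))


def sheets_c2(rec: dict) -> bool:
    """Non-browser process hitting the Sheets API with a GRIDTIDE-style method or parameter."""
    proc = os.path.basename(rec.get("proc", ""))
    return (rec.get("host", "").endswith(SHEETS_HOST)
            and proc not in BROWSERS
            and any(m in rec.get("uri", "") for m in SHEETS_MARKERS))


def tmp_exec(rec: dict):
    """Binary under /var/tmp spawning sh/bash; 'high' when its name is short alphanumeric."""
    parent, cmd = rec.get("parent", ""), rec.get("cmd", "")
    shell = os.path.basename(cmd.split(" ", 1)[0]) if cmd else ""
    if not (parent.startswith("/var/tmp/") and shell in {"sh", "bash"}):
        return None
    return "high" if SHORT_NAME.match(os.path.basename(parent)) else "medium"


def file_artifact(rec: dict):
    """.cfg writes in restricted dirs, the xapt persistence paths, and SoftEther file names."""
    path = rec.get("path", "")
    d, name = os.path.dirname(path), os.path.basename(path)
    if name.endswith(".cfg") and d in RESTRICTED_DIRS:
        return "cfg in restricted dir"
    if path in XAPT_ARTIFACTS:
        return "xapt persistence artifact"
    if name in SOFTETHER_ARTIFACTS:
        return "SoftEther artifact"
    return None


def hunt(network=NETWORK_EVENTS, process=PROCESS_EVENTS, files=FILE_EVENTS):
    """Run all three hunts; returns (rule, raw_line) pairs for analyst review."""
    findings = []
    for line in network:
        if sheets_c2(parse_kv(line)):
            findings.append(("sheets_c2", line))
    for line in process:
        sev = tmp_exec(parse_kv(line))
        if sev:
            findings.append((f"tmp_exec:{sev}", line))
    for line in files:
        reason = file_artifact(parse_kv(line))
        if reason:
            findings.append((f"file:{reason}", line))
    return findings


if __name__ == "__main__":
    for rule, line in hunt():
        print(f"[{rule}] {line}")
```

On the sample records the browser request to the Sheets API and the .cfg written under a home directory are left alone, while the xapt and /var/tmp processes calling batchClear and batchUpdate, the two /var/tmp shells, the .cfg in /usr/sbin, the xapt.service unit, and hamcore.se2 are all surfaced. In production, feed the same rules from proxy, EDR process-tree, and file-integrity sources rather than inline lists.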
General Best Practices
- Harden Edge Infrastructure: Since UNC2814 historically targets web servers and edge systems for initial access, prioritize patching external-facing vulnerabilities and conducting routine vulnerability assessments on perimeter devices.
- Secure Service Accounts: Implement the principle of least privilege for internal service accounts to prevent lateral movement via SSH. Enforce strict key-management policies.
- Implement EDR for LotL Activity: Deploy and tune EDR solutions to identify abnormal process trees (e.g., unauthorized binaries executing sh -c id).
- Protect Telecom & PII Enclaves: Specifically segment and apply elevated monitoring to databases and endpoints housing PII, call data records, SMS data, and lawful intercept systems.