- Google, Mandiant, and partners disrupted UNC2814 espionage campaign
- Group used GridTide backdoor leveraging Google Sheets API for C2
- Operation hit 53 organizations in 42 countries since 2023; attacker infrastructure and accounts disabled
Google has managed to take down a global espionage network which targeted government and telecom organizations in more than 40 countries around the world.
In a new research report, Google said that its Threat Intelligence Group (GTIG), together with Mandiant and other partners discovered a Chinese state-affiliated threat actor tracked as UNC2814 running a new spy campaign.
In this newest campaign, the group was deploying a previously unseen backdoor malware called GridTide, which leveraged the Google Sheets API for C2 infrastructure. Instead of connecting to a remote server somewhere to receive instructions and exfiltrate data, the backdoor makes HTTPS requests to legitimate Google infrastructure, blending with normal enterprise traffic and thus not raising any alarms.
Disrupting the attackers
All of the commands are stored in a spreadsheet cell of a document belonging to the attackers. The operators insert encoded instructions into specific rows or cells, and the malware then periodically checks, decodes, and executes them.
In some cases, exfiltrated data can also be written back into the sheet – however, GTIG said it did not observe any instances of data exfiltration.
UNC2814 is a relatively known threat actor, with reports of its activity dating back to 2017 and possibly before.
The campaign started in 2023 and affected at least 53 organizations in 42 countries. Google suspects that UNC2814 is present in at least 20 more countries. Most of Latin America, Eastern Europe, Russia, parts of Africa and parts of South Asia seem to have been hit. With the exception of Portugal, Western Europe is mostly unscathed. The US was not touched, as well.
As part of the disruption efforts, Google terminated all Google Cloud Projects the attackers controlled, severing their persistent access to environments compromised by GridTide. They identified and disabled all known UNC2814 infrastructure, disabled attacker accounts, and revoked access to the Google Sheets API calls. Finally, it released a set of IoCs linked to UNC2814 infrastructure active since at least 2023.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/MPfrfBiAx7wKAix6yiWWUC-2560-80.jpg
Source link
