Google catches Beijing spies using Sheets to spread espionage across 4 continents
The Register
February 25, 2026
AI-Generated Deep Dive Summary
Google's Threat Intelligence Group (GTIG) disrupted UNC2814, a China-linked cyberespionage group targeting telecommunication companies and government organizations across four continents. The campaign used legitimate Google Sheets API functionality to disguise command-and-control (C2) traffic, enabling the attackers to carry out malicious activities, including data retrieval and lateral movement within compromised networks. GTIG collaborated with unnamed industry partners to terminate all Google Cloud projects controlled by UNC2814, disable infrastructure, and revoke access to the exploited tools.
The operation revealed that UNC2814 had compromised 53 victims in 42 countries, with suspected infections in at least 20 more nations. The group employed a novel backdoor named Gridtide, which leveraged SoftEther VPN Bridge for encrypted communication and facilitated root-level access to systems. This allowed the attackers to escalate privileges, deploy malicious payloads, and establish persistent control over targeted environments.
The campaign highlights the sophisticated tactics used by state-sponsored actors to exploit legitimate tools like Google Sheets for espionage purposes. While no evidence of data theft was observed in this particular incident, the presence of Gridtide on compromised endpoints suggests potential surveillance efforts targeting sensitive personal information. GTIG's tech lead noted that such access could enable large-scale monitoring operations, aligning with historical Chinese state-sponsored activities.
This development underscores the growing threat of cyberespionage, particularly against critical infrastructure and government entities. The involvement of Google in identifying and disrupting UNC2814 demonstrates the importance of collaboration between tech companies and cybersecurity teams in countering advanced persistent threats (APTs). For readers interested in tech and cybersecurity, this case emphasizes the need for vigilance in securing cloud environments and understanding how attackers may misuse familiar tools to carry out malicious activities.
Originally published on The Register on 2/25/2026