Google dismantles spy operation exploiting Google Sheets

Google announced on Wednesday that it dismantled a Chinese-linked hacking operation that had infiltrated at least 53 organizations across 42 countries, describing it as “a vast surveillance apparatus used to spy on people and organizations throughout the world.”

The hacking group, tracked as UNC2814 and also known as “Gallium,” has a nearly decade-long history of penetrating government agencies and telecommunications companies, according to findings that Google shared exclusively with Reuters. Google’s Threat Intelligence Group confirmed that as of February 18, the group had also been linked to suspected infections in at least 20 additional countries across four continents.

A Backdoor Hidden in Spreadsheets

The operation centered on a novel backdoor called GRIDTIDE, a C-based malware that used Google Sheets as a command-and-control platform — treating the spreadsheet application not as a document but as a covert communication channel to transfer raw data and shell commands. The technique allowed the hackers’ traffic to blend into legitimate cloud API requests, evading standard network detection tools.

Google stressed this was not a compromise of any of its products. “Rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic,” the company wrote in a technical blog post.
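Because the traffic described above goes to a legitimate Google endpoint over TLS, domain blocking and signature matching give defenders little to work with; what remains are behavioural features of the client. The following is an added illustration, not code from the article or from Google's report, of one such heuristic: it reads a constructed proxy log, groups requests to the Sheets API by source host and process, and flags clients whose requests arrive at a near-fixed interval or come from a non-browser process. The log format, field names, process allow-list and thresholds are assumptions for the example.

```python
"""Beaconing heuristic for Google Sheets API traffic in a proxy log.

Added example; not part of the article or of any vendor tooling. Log fields,
the browser allow-list and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, source host, process, destination host, path.
SAMPLE_LOG = """\
2024-02-18T09:00:00 host-a chrome.exe sheets.googleapis.com /v4/spreadsheets/abc/values/Sheet1
2024-02-18T09:07:12 host-a chrome.exe sheets.googleapis.com /v4/spreadsheets/abc/values/Sheet1
2024-02-18T09:31:45 host-a chrome.exe sheets.googleapis.com /v4/spreadsheets/def/values/Sheet2
2024-02-18T09:00:00 host-b svchost.exe sheets.googleapis.com /v4/spreadsheets/xyz/values/Sheet1
2024-02-18T09:05:00 host-b svchost.exe sheets.googleapis.com /v4/spreadsheets/xyz/values/Sheet1
2024-02-18T09:10:00 host-b svchost.exe sheets.googleapis.com /v4/spreadsheets/xyz/values/Sheet1
2024-02-18T09:15:00 host-b svchost.exe sheets.googleapis.com /v4/spreadsheets/xyz/values/Sheet1
2024-02-18T09:20:01 host-b svchost.exe sheets.googleapis.com /v4/spreadsheets/xyz/values/Sheet1
2024-02-18T09:02:00 host-c outlook.exe graph.microsoft.com /v1.0/me/messages
"""

# Processes expected to talk to the Sheets API interactively (assumed allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}
SHEETS_HOST = "sheets.googleapis.com"


def parse_log(text):
    """Parse the constructed log into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, proc, dst, path = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "proc": proc, "dst": dst, "path": path})
    return events


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; 0.0 is perfectly regular.

    Returns None when fewer than two gaps exist, since regularity is undefined.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def score_sheets_clients(events, min_requests=4, max_cv=0.1):
    """Return {(src, proc): reason} for clients whose Sheets API use looks like beaconing."""
    by_client = defaultdict(list)
    for e in events:
        if e["dst"] == SHEETS_HOST:
            by_client[(e["src"], e["proc"])].append(e["ts"])
    findings = {}
    for (src, proc), times in by_client.items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        cv = interval_cv(times)
        if cv is None or cv > max_cv:
            continue  # irregular gaps look like a human using the app
        reasons = [f"{len(times)} requests at near-fixed interval (cv={cv:.3f})"]
        if proc.lower() not in BROWSERS:
            reasons.append(f"non-browser process {proc}")
        findings[(src, proc)] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for client, reason in score_sheets_clients(parse_log(SAMPLE_LOG)).items():
        print(client, "->", reason)
```

In the sample, host-a's browser traffic is sparse and irregular and is ignored, while host-b is flagged for five evenly spaced requests from a system process. Treat the output as a triage signal rather than a verdict: sync agents and scripted integrations also poll the Sheets API on a schedule, so the process allow-list and the interval threshold have to be tuned against what is normal in a given environment.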

Charlie Snyder, a senior manager at Google Threat Intelligence Group, said in one case the group installed GRIDTIDE on a system containing full names, phone numbers, dates of birth, places of birth, voter identification numbers, and national ID numbers. Google assessed the targeting was consistent with efforts to identify and track select individuals. “Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities,” the company said.
