Google on Wednesday revealed that it collaborated with industry partners to dismantle the digital infrastructure of a suspected China-aligned cyber espionage group known as UNC2814, which compromised at least 53 organizations spanning 42 countries.
“This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today.
UNC2814 is believed to be associated with additional breaches across more than 20 other nations. Google, which has monitored the group since 2017, observed the attackers leveraging API requests to interact with software-as-a-service (SaaS) platforms as part of their command-and-control (C2) framework. This method allowed the threat actor to blend malicious communications with normal traffic patterns.
At the core of the campaign is a previously undocumented backdoor named GRIDTIDE. The malware exploits the Google Sheets API as a covert channel for C2 operations, enabling attackers to conceal communications while transferring raw data and executing shell commands. Written in C, GRIDTIDE supports file uploads and downloads, along with arbitrary command execution.
Dan Perez, GTIG researcher, told The Hacker News via email that they cannot confirm if all the intrusions involved the use of the GRIDTIDE backdoor. “We believe many of these organizations have been compromised for years,” Perez added.
Investigators are still examining how UNC2814 gains its initial foothold. However, the group has a documented track record of exploiting web servers and edge devices to infiltrate targeted networks. Once inside, the attackers reportedly used service accounts to move laterally via SSH, while relying on living-off-the-land (LotL) tools to perform reconnaissance, elevate privileges, and maintain long-term persistence.
“To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt,” Google explained.
The campaign also involved the use of SoftEther VPN Bridge to establish encrypted outbound connections to external IP addresses. Security researchers have previously linked misuse of SoftEther VPN technology to several Chinese state-sponsored hacking groups.
Evidence suggests that GRIDTIDE was deployed on systems containing personally identifiable information (PII), aligning with espionage objectives aimed at monitoring individuals of strategic interest. Despite this, Google stated that it did not detect any data exfiltration during the observed operations.
The malware’s communication mechanism relies on a spreadsheet-based polling system, assigning specific functions to designated cells for two-way communication:
- A1: Used to retrieve attacker-issued commands and update status responses (e.g., S-C-R or Server-Command-Success)
- A2–An: Facilitates the transfer of data such as command outputs and files
- V1: Stores system-related data from the compromised endpoint
In respon
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: