Google disrupts China-linked cyber espionage on telecoms
Google's Threat Intelligence Group and Mandiant have disrupted infrastructure linked to UNC2814, a suspected China-nexus espionage group, after identifying dozens of intrusions affecting telecommunications providers and government organisations across multiple regions.
Investigators confirmed 53 intrusions involving organisations in 42 countries and identified suspected targeting in more than 20 others. The activity focused on telecoms networks and public sector bodies.
The disruption involved action across Google's cloud and domain ecosystem. Google terminated attacker-controlled Cloud Projects, disabled known accounts, and sinkholed current and historical domains linked to the operation. Sinkholing redirects malicious traffic to systems controlled by defenders, cutting off access and providing visibility into attempted connections.
Researchers assessed that UNC2814 has been active since at least 2017 and spent years building infrastructure and operational access. They described the takedown as a significant setback given the operation's scale and footprint.
Victim profile
UNC2814 primarily targeted global telecommunications providers and government organisations. While visibility into stolen data was limited, the intrusions appeared designed to access communications-related information, including personally identifiable information, call logs, and text message traffic.
In multiple confirmed compromises, the group sought "highly sensitive PII", including National and Voter ID numbers. Industry assessments of similar activity note that such data can be used to track individuals and correlate communications patterns when combined with telecom metadata.
Google issued formal victim notifications to each confirmed target and is supporting organisations with verified compromises tied to the activity.
No overlap claim
The findings come amid heightened attention on cyber operations against telecoms and government networks. Researchers said they have seen no overlap between UNC2814 and "Salt Typhoon".
Google has tracked UNC2814 for nearly a decade and considers it a distinct group with different victimology, tactics, and infrastructure. That distinction matters for defenders, as incident response and threat hunting often rely on indicators, infrastructure patterns, and tooling associated with a specific cluster.
Spreadsheet control
The investigation highlighted a backdoor dubbed GRIDTIDE, identified after a Mandiant investigation accelerated understanding of the campaign. The C-based malware used cloud spreadsheets as command-and-control infrastructure and supported the transfer of raw data from victim environments.
In the sample analysed, GRIDTIDE connected to a threat actor-controlled Google Spreadsheet for command and control. Because the traffic can resemble ordinary SaaS activity at the network layer, detection may be difficult without strong controls and monitoring for outbound connections to widely used cloud services.
Researchers stressed that this did not stem from a security vulnerability or exploit in Google Sheets. Instead, the activity abused legitimate Google Sheets functionality.
The report also pointed to a broader trend: actors increasingly abuse SaaS platforms rather than building and maintaining custom infrastructure. In many environments, cloud productivity services are allowed by default, creating opportunities for attackers to hide in permitted traffic.
Adaptable tooling
Although the analysed sample used Google Sheets, researchers said the architecture was adaptable and could be shifted to other cloud-based spreadsheet tools. Many SaaS services offer APIs and automation features that can be repurposed for remote tasking and data exchange.
Based on the sample reviewed, the earliest known deployment of GRIDTIDE dates to late 2025. Researchers expect more details about earlier compromises to emerge as organisations search for signs of compromise using newly published indicators and hunting signals.
For telecoms operators, the case adds to a growing set of incidents in which attackers have sought long-term access to environments that carry communications metadata, subscriber records, and operational systems. The combination of espionage-driven targeting and living-off-the-land techniques in common SaaS ecosystems is increasing pressure on security teams to detect unusual usage patterns, rather than relying only on blocking known malicious domains.
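The detection problem described above, a spreadsheet service used as a tasking channel whose traffic looks like ordinary SaaS use, and the call to look for unusual usage patterns rather than only blocking known domains, can be illustrated with cadence analysis over proxy logs. The following is an added example, not code from Google's or Mandiant's report; it assumes the spreadsheet service is reached via the hosts sheets.googleapis.com and docs.google.com, that interactive use arrives with a browser user-agent, and it runs over constructed log lines embedded in the block.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): timestamp, source host,
# destination host, user-agent, bytes sent. One server polls the Sheets API at
# a steady cadence with no browser user-agent; a workstation uses it normally.
SAMPLE_LOG = """\
2025-11-02T09:00:00Z ws-017 sheets.googleapis.com "Mozilla/5.0 (Windows NT 10.0) Chrome/119" 1840
2025-11-02T09:00:05Z srv-billing-03 sheets.googleapis.com "-" 512
2025-11-02T09:10:05Z srv-billing-03 sheets.googleapis.com "-" 530
2025-11-02T09:20:06Z srv-billing-03 sheets.googleapis.com "-" 498
2025-11-02T09:30:05Z srv-billing-03 sheets.googleapis.com "-" 61440
2025-11-02T09:40:05Z srv-billing-03 sheets.googleapis.com "-" 520
2025-11-02T09:47:13Z ws-017 sheets.googleapis.com "Mozilla/5.0 (Windows NT 10.0) Chrome/119" 2210
2025-11-02T10:31:49Z ws-017 docs.google.com "Mozilla/5.0 (Windows NT 10.0) Chrome/119" 990
"""

SPREADSHEET_HOSTS = {"sheets.googleapis.com", "docs.google.com"}  # assumption: hosts to watch
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

def parse(log):
    """Turn each well-formed log line into (ts, src, dst, user_agent, bytes_out)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def find_beacons(log, min_hits=4, max_jitter=0.05):
    """Flag (source, destination) pairs whose spreadsheet-service connections look like
    automated tasking: non-browser client, enough hits, near-constant interval between them."""
    by_pair = defaultdict(list)
    for ts, src, dst, ua, nbytes in parse(log):
        if dst in SPREADSHEET_HOSTS:
            by_pair[(src, dst, ua)].append((ts, nbytes))
    findings = []
    for (src, dst, ua), hits in by_pair.items():
        if ua.startswith("Mozilla/") or len(hits) < min_hits:
            continue  # browser-driven, or too few samples to judge cadence
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = mean(gaps)
        if period == 0 or pstdev(gaps) / period > max_jitter:
            continue  # irregular spacing is more typical of human or bursty API use
        findings.append({"src": src, "dst": dst, "hits": len(hits),
                         "period_s": round(period), "bytes_out": sum(n for _, n in hits)})
    return findings
```

A hit is a lead for review, not a verdict: legitimate integrations also poll on a schedule, so the flagged source, its user-agent and the volume sent (here one unusually large upload) are what an analyst checks next.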
Google framed the disruption as a major blow to the group's operations.