Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Essential information
- Published
- 26/02/2026 11:04
- Modified
- 26/02/2026 12:59
- Tags
- 2026-02-26, api abuse, backdoor, china, cyber espionage, google sheets, government, gridtide, telecommunications
- Related entities
- 18 observables, 1 intrusion set (APT), 1 malware, 174 others
Description
A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign used a sophisticated backdoor called GRIDTIDE, which leveraged the Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, transferring files, and evading detection by disguising its traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.