Spies love Google Sheets.
That’s the punchline to this espionage farce. Google Threat Intelligence Group and Mandiant just disrupted GRIDTIDE, a cyber espionage campaign run by UNC2814, a China-nexus crew that’s been prowling since 2017. They hit telecoms and governments at 53 targets across 42 countries on four continents. No overlap with Salt Typhoon, mind you; different playbook. And get this: the attackers didn’t exploit a single flaw in Google’s products. They used working APIs exactly as documented to disguise C2 as boring SaaS chatter. Lazy genius.
Google terminated their Cloud projects, nuked the infrastructure, axed the accounts, revoked the Sheets API access. Boom. Persistent GRIDTIDE backdoors? Cut off from their operators. IOCs dumped for everyone else to chase. Mandiant spotted it first via a Google SecOps detection on a CentOS box: a suspicious /var/tmp/xapt binary spawning root shells and running ‘id’ like a tourist confirming his VIP status.
The payload was likely named xapt so it would read like apt, the package manager on Debian-based systems. Worth noting for hunters: the victim host ran CentOS, which has no apt at all, so a process called xapt has no legitimate counterpart to hide behind there.
Cute disguise. Failed anyway.
How Did GRIDTIDE Sneak In Using Your Legit Tools?
Look, the attackers launched it with nohup ./xapt so it would outlive their SSH session, registered systemd services for reboot persistence, and have been rolling out SoftEther VPN for encrypted outbound since 2018. LotL binaries everywhere: SSH for lateral moves, recon on PII troves (names, phones, DOBs, voter IDs). National-scale secrets sitting on endpoints ripe for the picking.
But here’s the kicker: they phoned home via the Google Sheets API. Legitimate, authenticated API calls, no vulnerability exploited. Cloud products hummed along perfectly, laundering spy traffic as office drone work. Telcos? Governments? Still wide open if nobody is watching which servers talk to sheets.googleapis.com and why.
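Here is what that hunt looks like in practice, as an added example rather than anything from the Google or Mandiant write-up. It assumes you have proxy or egress logs in a simple space-separated layout (timestamp, client IP, method, host, path; an invented format, and the sample lines below are constructed) and that you know which address ranges hold servers rather than workstations. It flags server hosts talking to sheets.googleapis.com, lists the spreadsheet IDs they touch, and checks whether the requests arrive on a fixed cadence, which is what an implant polling a sheet for tasking looks like.

```python
"""Hunt egress logs for Google Sheets API traffic from server hosts.
Added example with constructed data; not the vendors' detection content."""
from __future__ import annotations

import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed: address ranges that hold servers (telco core, back-office), not user workstations.
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("172.16.40.0/24")]
SHEETS_HOST = "sheets.googleapis.com"
# Sheets API v4 paths carry the spreadsheet ID right after /v4/spreadsheets/.
SHEET_ID_RE = re.compile(r"/v4/spreadsheets/([A-Za-z0-9_-]+)")
# Assumed log layout: "<iso-timestamp> <client-ip> <method> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str) -> dict | None:
    """Parse one log line into a record, or None if it does not match the assumed layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, host, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "host": host, "path": path}


def is_server(ip: str) -> bool:
    """True when the client address falls inside one of the assumed server ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)


def hunt_sheets_c2(lines, min_hits: int = 3, max_cv: float = 0.25) -> dict:
    """Group Sheets API requests by server source; report volume, sheet IDs and beacon regularity.

    'periodic' is True when there are at least min_hits requests and the inter-arrival
    times have a coefficient of variation <= max_cv (i.e. a steady polling cadence).
    """
    per_host: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] == SHEETS_HOST and is_server(rec["ip"]):
            per_host[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        sheet_ids = set()
        for r in recs:
            m = SHEET_ID_RE.search(r["path"])
            if m:
                sheet_ids.add(m.group(1))
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        periodic = False
        if len(gaps) >= min_hits - 1 and all(g > 0 for g in gaps):
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            periodic = cv <= max_cv
        findings[ip] = {
            "requests": len(recs),
            "sheet_ids": sorted(sheet_ids),
            "methods": sorted({r["method"] for r in recs}),
            "periodic": periodic,
        }
    return findings


# Constructed sample: one server polling a sheet every five minutes, one server with two one-off
# hits, a workstation (ignored) and a non-Sheets Google API call (ignored).
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.20.5.17 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGh_example/values/Sheet1!A1:B20
2024-03-04T09:00:02 192.168.3.44 GET sheets.googleapis.com /v4/spreadsheets/1XyZ_hr_budget/values/Q1
2024-03-04T09:05:00 10.20.5.17 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGh_example/values/Sheet1!A1:B20
2024-03-04T09:07:13 172.16.40.9 GET sheets.googleapis.com /v4/spreadsheets/1QwErTy_inventory/values/Stock
2024-03-04T09:10:00 10.20.5.17 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGh_example/values/Sheet1!A1:B20
2024-03-04T09:12:45 10.20.7.3 GET www.googleapis.com /oauth2/v3/tokeninfo
2024-03-04T09:15:00 10.20.5.17 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGh_example/values/Sheet1!A1:B20
2024-03-04T09:31:40 172.16.40.9 POST sheets.googleapis.com /v4/spreadsheets/1QwErTy_inventory/values/Stock:append
"""

if __name__ == "__main__":
    for ip, info in hunt_sheets_c2(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A steady five-minute cadence from a server with no business reason to touch Sheets is the lead; a couple of ad-hoc hits from a host that runs inventory exports may be nothing. Either way, the spreadsheet ID is what you hand to the account owner (or to Google) to pull on the thread.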
Mandiant’s detection flagged the process tree: xapt births sh, runs ‘id 2>&1’, spits uid=0(root). Root confirmed: however they got there, the implant was already running as uid 0 when it checked. They triaged, alerted the victim. Shared Fate model in action: out-of-the-box detections that actually catch sophisticated actors.
And persistence? /etc/systemd/system/xapt.service launches /usr/sbin/xapt on boot; nohup keeps the /var/tmp copy alive after the SSH session drops. Then a SoftEther VPN tunnel out to sketchy IPs. This ain’t script kiddies.
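The process-tree and persistence checks above, written out as an added example; this is not Google SecOps content or the GTIG/Mandiant detection logic. It assumes process telemetry you can flatten into pid/ppid/uid/exe/cmdline records, takes the artifact paths quoted in the report as one input, and generalises the rule a little: any parent executing from a world-writable staging directory that spawns a shell to run a recon command, plus any systemd unit whose ExecStart points at such a binary. The sample events and unit file are constructed to mirror the described chain.

```python
"""Hunt host telemetry for the GRIDTIDE-style chain: staged binary -> shell -> recon,
plus a systemd unit that relaunches it. Added example with constructed data."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# World-writable staging directories; a legitimate long-running service never executes from here.
WRITABLE_STAGING = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Recon commands worth flagging when run via a child shell (the report shows `id`; whoami/uname added).
RECON_CMDS = {"id", "whoami", "uname"}
# Artifact paths quoted in the report (assumed exact); one input to the hunt, not the whole hunt.
PATH_IOCS = {"/var/tmp/xapt", "/usr/sbin/xapt", "/etc/systemd/system/xapt.service"}
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*(\S+)", re.M)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int
    exe: str       # resolved executable path
    cmdline: str   # argv as one string


def is_shell_recon(cmdline: str) -> bool:
    """True when cmdline is `sh -c '<recon-cmd> ...'` (common shells; first word a recon tool)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: not the pattern we are after
        return False
    if len(argv) < 3 or argv[0].rsplit("/", 1)[-1] not in ("sh", "bash", "dash") or argv[1] != "-c":
        return False
    try:
        inner = shlex.split(argv[2])
    except ValueError:
        return False
    return bool(inner) and inner[0].rsplit("/", 1)[-1] in RECON_CMDS


def flag_process_tree(procs: list[Proc]) -> list[str]:
    """Alert when a parent running from a staging dir (or a known artifact path) spawns a recon shell."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        staged = parent.exe.startswith(WRITABLE_STAGING) or parent.exe in PATH_IOCS
        if staged and is_shell_recon(child.cmdline):
            who = "root" if child.uid == 0 else f"uid={child.uid}"
            alerts.append(f"{parent.exe} (pid {parent.pid}) spawned recon shell as {who}: {child.cmdline}")
    return alerts


def flag_unit(unit_path: str, unit_text: str) -> list[str]:
    """Alert when a unit file is a known artifact or its ExecStart launches a staged/IOC binary."""
    alerts = []
    if unit_path in PATH_IOCS:
        alerts.append(f"unit path matches IOC: {unit_path}")
    for m in EXECSTART_RE.finditer(unit_text):
        exe = m.group(1).lstrip("-@:+!")   # drop systemd ExecStart prefix characters
        if exe in PATH_IOCS or exe.startswith(WRITABLE_STAGING):
            alerts.append(f"{unit_path}: ExecStart launches {exe}")
    return alerts


# Constructed sample events modelled on the reported chain; not real telemetry.
SAMPLE_PROCS = [
    Proc(1, 0, 0, "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd --switched-root"),
    Proc(2231, 1, 0, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(4410, 1, 0, "/var/tmp/xapt", "./xapt"),
    Proc(4411, 4410, 0, "/usr/bin/sh", "sh -c 'id 2>&1'"),
    Proc(4412, 2231, 1000, "/usr/bin/sh", "sh -c 'id 2>&1'"),   # same command, benign parent: no alert
]
SAMPLE_UNIT = """[Unit]
Description=xapt
After=network.target

[Service]
ExecStart=/usr/sbin/xapt
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for line in flag_process_tree(SAMPLE_PROCS) + flag_unit("/etc/systemd/system/xapt.service", SAMPLE_UNIT):
        print("ALERT:", line)
```

The point of keying on the parent's executable path rather than on the child command is that `sh -c 'id'` on its own fires constantly (the benign sshd child above is left alone); a service binary living in /var/tmp is the part that should never be normal.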
Why Hasn’t China Quit These Cloud Tricks Yet?
Short answer: they work. UNC2814’s been at it for years, historically using web servers and edge devices as entry points. No initial vector was pinned down here, but the pattern’s clear. And the PII grabs? That’s the gold: full dossiers for blackmail, ops, whatever Beijing craves.
My hot take, and it’s one the Google report skips: this reeks of post-Snowden laziness. Remember Equation Group’s firmware infections? Deep, nasty. GRIDTIDE’s shallower and cloud-dependent. Prediction: expect GRIDTIDE 2.0 by summer, pivoting to Microsoft 365 or AWS S3. Why? Attribution’s cheap now; disruption’s a speedbump. China has no shortage of actors, UNC this, UNC that. Google pats itself on the back, but telcos worldwide? Still serving espionage on a platter.
Dry humor aside, it’s infuriating. These creeps target everything from Africa to the Americas, no mercy. 20 more suspected countries. And no Salt Typhoon link? Great, because it just means the field’s crawling with independent variants.
Post-compromise was textbook LotL. Service accounts for SSH hops. Recon, escalate, persist. Dropped GRIDTIDE on PII-heavy boxes. Voter IDs? National IDs? That’s not casual theft; it’s statecraft prep.
Google’s move was surgical: killed the projects, disabled the C2, shared IOCs dating back to 2023. Mandiant accelerated it with their probe. But let’s call out the PR spin: “Shared Fate model” sounds noble, but it’s just good telemetry paying off. The victims still got owned first.
Is Your Telecom a Chinese Spy Buffet?
Probably. If you’re running edge servers without SecOps-grade eyes on them, yes. UNC2814 loves web compromises. GRIDTIDE’s lifecycle? Infect, escalate, persist via services, VPN out, Sheets C2. Repeat.
Historical parallel they ignore: like Duqu in 2011, but cloudier. Nation-states evolve, firmware to SaaS abuse. Bold call: disruptions like this make headlines short-term, but ops volume keeps rising. Beijing’s not sweating; they’re recruiting.
Victims span continents—telecoms leaking calls, govs spilling secrets. 42 confirmed, 20+ brewing. And PII focus? Cozy for influence ops.
Google Cloud’s clean—no product bugs. Attackers just rode the rails. Smart? Yes. Defeatable? Apparently, till next time.
One-paragraph rant: companies hype “secure by design,” but state actors laugh, filing taxes via your APIs.
Frequently Asked Questions
What is the GRIDTIDE backdoor?
GRIDTIDE’s a novel implant from UNC2814, persisting via a systemd service, tunnelling out over SoftEther VPN, and talking to its C2 over the Google Sheets API to blend in with legitimate traffic.
Who is behind GRIDTIDE cyber espionage?
UNC2814, a China-linked group active since 2017, targeting telecoms and governments in 42+ countries; no Salt Typhoon ties.
How did Google disrupt GRIDTIDE?
Terminated the Cloud projects, disabled the infrastructure, accounts and API access, and released IOCs, in a joint operation with Mandiant.