Chinese cyberspies breached dozens of telecom firms, govt agencies

Khushal

Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions. Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate.

The Google Cloud / GTIG write-up you quoted is dated February 25, 2026, and it’s describing a disruption action against UNC2814 (suspected PRC-nexus) involving a backdoor they track as GRIDTIDE. Google also states that as of February 18 they had confirmed 53 victims in 42 countries, with suspected infections in 20+ more countries, and that this was not due to a vulnerability in Google products (it abused legitimate Google Sheets API behavior).

What’s notable in this campaign
  • C2 over “normal-looking” cloud traffic: GRIDTIDE used Google Sheets (via the Sheets API) as a command-and-control channel, which can blend into legitimate SaaS/API traffic and bypass many “block weird domains/IPs” network defenses.
  • Operational reality check for defenders: even if your perimeter filtering is strong, API-based C2 can look like routine access to googleapis.com / Workspace services unless you have strong identity + endpoint telemetry and good baselines.
  • It targeted high-value sectors: Google highlights telecoms and government organizations, which is consistent with long-running espionage objectives (monitoring/collection rather than fast monetization).

Why “abusing legitimate SaaS APIs” is hard to stop with traditional controls
  • You can’t simply “patch” it away (because the API is doing what it’s designed to do).
  • Blocking Google/Workspace endpoints outright is usually not feasible in many environments.
  • Detection tends to shift from “known bad infrastructure” to behavioral signals (unusual service account usage, unusual Sheets API call patterns, odd endpoints making API calls, impossible travel, weird OAuth scopes, etc.).

Practical defensive takeaways (for orgs / SOC teams)
  • Treat SaaS/API telemetry as security logs: ensure Google Workspace / Cloud audit logging is enabled, retained, and actively monitored (not just collected).
  • Hunt for abnormal Sheets API behavior: for example, non-human hosts/servers making repeated Sheets API calls, unusual service account usage patterns, or spreadsheet access that doesn’t match business workflows.
  • Tighten identity controls: least-privilege service accounts, key rotation, remove unused accounts/tokens, and alert on new service accounts / new key creation / new OAuth grants.
  • Endpoint-focused detection still matters: Google’s post includes host-level artifacts (e.g., persistence via a systemd service and a masqueraded “xapt” binary). If you see these kinds of indicators in your environment, treat it as an incident and validate with multiple sources of telemetry (EDR + process tree + persistence + network connections), not just AV.
  • Don’t overfit to Google Sheets: the same technique can be adapted to other cloud collaboration/storage services, so detections should generalize to “API-based C2 patterns,” not only one provider.

Bottom line
This is a good example of why “cloud is the new infrastructure” for attackers: the traffic can look legitimate, so defenders need strong identity monitoring, endpoint visibility, and SaaS audit logging/hunting—not just network blocklists.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1071.001 (Web Service)

C2 via Google Sheets API polling mechanism on cell A1.

T1543.002 (Systemd Service)
Persistence established via the creation of /etc/systemd/system/xapt.service.

T1082 (System Information Discovery)
Fingerprinting host OS, username, locale, and IP address, which is then logged to spreadsheet cell V1.

T1059.004 (Unix Shell)
Execution of Base64-encoded bash commands on compromised endpoints.

CVE Profile
Undefined/Unknown [NVD Score: N/A] [CISA KEV Status: Inactive/Unknown]
Source telemetry explicitly states the initial access vector for this specific campaign is unknown.

Telemetry

Hashes

ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47
(GRIDTIDE Payload)

01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb
(xapt.cfg).

IPs
130.94.6[.]228 (C2 server hosting apt.tar.gz), 38.60.194[.]21 (SoftEtherVPN server).

Paths
/var/tmp/xapt
/etc/systemd/system/xapt.service
/usr/sbin/xapt

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for potential espionage; engage legal and communications teams regarding potential PII and telecom data exposure.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM queries for anomalous outbound HTTPS connections to sheets.googleapis.com containing /batchClear/, /batchUpdate/, or /valueRenderOption=FORMULA/ originating from non-browser processes.

Command
Alert on file creation or modification events matching the regex /^(\/usr\/sbin|\/sbin|\/var\/tmp)\/[^\\\/]+\.cfg$/.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any CentOS/Linux endpoint exhibiting xapt execution spawning a shell from /var/tmp/.

Command
Revoke all compromised or suspicious Google Service Accounts immediately.

RECOVER (RC) – Restoration & Trust

Command
Rebuild compromised Linux servers from known-good gold images; do not attempt in-place eradication of root-level backdoors.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Audit and strictly limit egress traffic from critical telecom infrastructure servers; enforce explicit proxying and TLS inspection where legally permissible.

Remediation - THE HOME USER TRACK (Safety Focus)

Note
Based on the Environmental Reality Check, this specific threat targets Enterprise Linux servers, making the immediate threat to home users Theoretical/Low. Standard safety guidelines apply.

Priority 1: Safety

Command
No immediate disconnection required for home Windows/macOS devices.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and enable multi-factor authentication (MFA) on your telecom provider accounts and Google Workspace identities using a known clean device.

Priority 3: Persistence

Command
Monitor personal cloud application settings for any unauthorized API access, third-party app linkages, or unexpected Service Accounts.

Hardening & References

Baseline

CIS Benchmarks for CentOS/Red Hat Enterprise Linux.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Google Cloud Blog (Mandiant Threat Intelligence)

BleepingComputer
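The hunting ideas above (a non-browser process repeatedly hitting the Sheets API, the .cfg regex under /usr/sbin, /sbin or /var/tmp, a systemd unit appearing, and a binary in /var/tmp spawning a shell) can be turned into concrete checks. The script below is an added example written for this thread, not code from Google, Mandiant or the original post. It runs three behavioral rules over constructed sample telemetry; the record layout (field names such as `host`, `process`, `dst`, `path`, `parent_image`), the browser allowlist, the spreadsheet ID placeholder and the polling threshold are assumptions for the demo and would need tuning against your own proxy/EDR data. The Sheets endpoints it keys on (`values:batchUpdate`, `values:batchClear`, `values/{range}?valueRenderOption=FORMULA`) are real Sheets API v4 paths; this channel is what ATT&CK files under Web Service (T1102).

```python
"""Behavioral hunts for GRIDTIDE-style tradecraft over host and proxy telemetry.

Added example for the forum thread, not Google/Mandiant code. The event
dictionaries and their field names are an assumed, constructed layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes expected to talk to googleapis.com legitimately (assumption; tune per estate).
BROWSER_PROCESSES = {"chrome", "chromium", "firefox", "msedge", "safari", "drive"}

# Sheets API v4 operations a cell-based C2 channel needs: read a cell with
# formulas rendered, write results back, clear the command cell.
SHEETS_C2_OPS = ("values:batchUpdate", "values:batchClear", "valueRenderOption=FORMULA")

# Regexes from the post's DETECT/RESPOND items: .cfg drops, systemd units, /var/tmp binaries.
CFG_DROP = re.compile(r"^(/usr/sbin|/sbin|/var/tmp)/[^/]+\.cfg$")
SYSTEMD_UNIT = re.compile(r"^/etc/systemd/system/[^/]+\.service$")
TMP_EXEC = re.compile(r"^/var/tmp/[^/]+$")
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}


def find_sheets_polling(net_events, min_calls=3, window=timedelta(minutes=10)):
    """(host, process) pairs where a non-browser process hit Sheets C2-style
    endpoints at least `min_calls` times inside any `window`-long span."""
    stamps_by_key = defaultdict(list)
    for ev in net_events:
        if ev["dst"] != "sheets.googleapis.com" or ev["process"] in BROWSER_PROCESSES:
            continue
        if not any(op in ev["path"] for op in SHEETS_C2_OPS):
            continue
        stamps_by_key[(ev["host"], ev["process"])].append(ev["ts"])
    findings = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        # Sliding window over sorted timestamps: a beacon polls at a steady cadence.
        for i in range(len(stamps) - min_calls + 1):
            if stamps[i + min_calls - 1] - stamps[i] <= window:
                findings.append(key)
                break
    return findings


def find_suspicious_files(file_events):
    """Tag .cfg drops in system bin dirs or /var/tmp and new systemd units."""
    out = []
    for ev in file_events:
        if ev["action"] not in ("create", "modify"):
            continue
        if CFG_DROP.match(ev["path"]):
            out.append(("cfg_drop", ev["host"], ev["path"]))
        elif SYSTEMD_UNIT.match(ev["path"]):
            out.append(("systemd_unit", ev["host"], ev["path"]))
    return out


def find_tmp_shell_spawn(proc_events):
    """A binary executing out of /var/tmp that spawns a shell (isolation trigger)."""
    return [(ev["host"], ev["parent_image"], ev["image"])
            for ev in proc_events
            if TMP_EXEC.match(ev["parent_image"]) and ev["image"] in SHELLS]


# Constructed sample telemetry (not real captures). SPREADSHEET_ID is a placeholder.
T0 = datetime(2026, 2, 18, 9, 0, 0)
SHEETS = "sheets.googleapis.com"
NET_EVENTS = [
    {"ts": T0, "host": "db01", "process": "xapt", "dst": SHEETS,
     "path": "/v4/spreadsheets/SPREADSHEET_ID/values/A1?valueRenderOption=FORMULA"},
    {"ts": T0 + timedelta(minutes=1), "host": "db01", "process": "xapt", "dst": SHEETS,
     "path": "/v4/spreadsheets/SPREADSHEET_ID/values:batchUpdate"},
    {"ts": T0 + timedelta(minutes=2), "host": "db01", "process": "xapt", "dst": SHEETS,
     "path": "/v4/spreadsheets/SPREADSHEET_ID/values:batchClear"},
    # A user's browser doing the same calls is expected; a single call from a
    # server-side agent is below the polling threshold.
    {"ts": T0 + timedelta(minutes=3), "host": "ws07", "process": "chrome", "dst": SHEETS,
     "path": "/v4/spreadsheets/SPREADSHEET_ID/values:batchUpdate"},
    {"ts": T0, "host": "app02", "process": "backup-agent", "dst": SHEETS,
     "path": "/v4/spreadsheets/SPREADSHEET_ID/values:batchUpdate"},
]
FILE_EVENTS = [
    {"host": "db01", "action": "create", "path": "/var/tmp/xapt"},
    {"host": "db01", "action": "create", "path": "/var/tmp/xapt.cfg"},
    {"host": "db01", "action": "create", "path": "/etc/systemd/system/xapt.service"},
    {"host": "ws07", "action": "create", "path": "/home/alice/notes.cfg"},
    {"host": "app02", "action": "delete", "path": "/var/tmp/old.cfg"},
]
PROC_EVENTS = [
    {"host": "db01", "parent_image": "/var/tmp/xapt", "image": "/bin/sh",
     "cmdline": "sh -c 'echo aWQ= | base64 -d | sh'"},
    {"host": "ws07", "parent_image": "/usr/sbin/sshd", "image": "/bin/bash", "cmdline": "-bash"},
]

if __name__ == "__main__":
    print("sheets polling :", find_sheets_polling(NET_EVENTS))
    print("file drops     :", find_suspicious_files(FILE_EVENTS))
    print("tmp shell spawn:", find_tmp_shell_spawn(PROC_EVENTS))
```

The three rules are deliberately independent so a hit on any one can be triaged on its own, but a host that trips all three (as db01 does here) is the case the RESPOND step is written for: isolate first, then validate with the full process tree and persistence artifacts. Lowering `min_calls` to 1 turns the polling rule into a plain "non-browser Sheets API write" alert, which is noisier but useful when building a baseline of which service accounts and hosts legitimately touch the API.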