In February 2026, the Google Threat Intelligence Group (GTIG) together with Mandiant and other partners took significant action to dismantle a long-running global cyber espionage campaign. This campaign, which has been active for nearly a decade, focused on infiltrating telecommunications companies and government organizations across dozens of countries.
Who Was Behind the Campaign?
The threat actor driving this operation is tracked by GTIG as UNC2814, a group believed to have links to the People’s Republic of China. The group has been active since at least 2017, conducting highly covert operations around the world, particularly in Africa, Asia, and the Americas.
How the Campaign Worked
UNC2814 didn’t exploit technical bugs in cloud products. Instead, it used legitimate cloud services—particularly Google Sheets API calls—to mask its command-and-control (C2) traffic. This made its communications look normal, blending into everyday cloud usage and helping avoid detection.
A key tool in this campaign was a custom backdoor named GRIDTIDE. GRIDTIDE is a sophisticated piece of malware with several capabilities:
- Execute arbitrary shell commands,
- Upload and download files,
- Communicate through a spreadsheet, where specific cells were used to send and receive data and commands.
Once installed, GRIDTIDE would communicate with a hidden Google Sheet that acted as the attacker’s control server. By periodically polling certain cells in the spreadsheet, the malware could receive instructions and send back results—concealing its presence in legitimate cloud API traffic.
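The defensive hook in the behaviour described above is the polling cadence: a backdoor that reads command cells on a timer produces Google Sheets API requests at a far steadier interval than a person editing a spreadsheet. The following Python script is an added example, not code from GTIG, Mandiant, or the original report. It reads constructed web-proxy log lines (the log format, host names, timestamps, and the spreadsheet ID are all made up for the demonstration) and reports any source host whose requests to the real Sheets API endpoint, sheets.googleapis.com/v4/spreadsheets/, arrive with suspiciously low jitter. The thresholds are assumptions to tune against your own baseline, not values from the report.

```python
"""
Beaconing check for Google Sheets API traffic in web-proxy logs.

Added example (not GTIG's or Mandiant's code). Flags hosts whose requests
to sheets.googleapis.com arrive at a steady interval with low jitter, the
cell-polling pattern the report attributes to GRIDTIDE. The log line
format, host names, timestamps and spreadsheet ID are all constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log line shape: "<ISO timestamp> <src_host> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+)$")
# Real Sheets API path prefix; the spreadsheet ID in the samples is a placeholder.
SHEETS_RE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/")

# Constructed sample log: ws-17 polls one sheet about every 60 s (regular),
# analyst-09 uses the API at irregular, human-paced gaps, finance-03 barely
# touches it, and one Docs request plus one malformed line are ignored.
SAMPLE_LOG = [
    "2026-02-10T10:00:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:00:05 analyst-09 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q1!A1:D40",
    "2026-02-10T10:00:10 analyst-09 PUT https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q1!E1",
    "2026-02-10T10:01:01 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:02:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:03:02 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:03:59 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:05:01 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:05:10 analyst-09 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q1!A1:D40",
    "2026-02-10T10:05:50 analyst-09 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q2!A1:D40",
    "2026-02-10T10:06:00 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:07:01 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_1/values/Sheet1!A1",
    "2026-02-10T10:07:30 finance-03 GET https://docs.google.com/document/d/CONSTRUCTED_DOC_ID/edit",
    "2026-02-10T10:20:50 analyst-09 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q2!A1:D40",
    "2026-02-10T10:21:05 analyst-09 PUT https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q2!E1",
    "2026-02-10T10:23:05 analyst-09 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED_SHEET_ID_2/values/Q3!A1:D40",
    "this line is deliberately malformed and must be skipped",
]


def parse_lines(lines):
    """Return (timestamp, host, url) tuples for Sheets API requests only."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        ts, host, _method, url = m.groups()
        if SHEETS_RE.match(url):
            out.append((datetime.fromisoformat(ts), host, url))
    return out


def find_beacons(lines, min_requests=6, max_jitter=0.2):
    """
    Per source host, measure the gaps between consecutive Sheets API requests.
    A host is reported when it made at least `min_requests` requests and the
    coefficient of variation of those gaps (stdev / mean) is at most
    `max_jitter`, i.e. the cadence is machine-regular. Both thresholds are
    assumed starting points, not values from the report.
    Returns {host: {"mean_interval": seconds, "jitter": cv, "sheet_ids": [...]}}.
    """
    by_host = defaultdict(list)
    for ts, host, url in parse_lines(lines):
        by_host[host].append((ts, url))

    results = {}
    for host, reqs in by_host.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            # Which spreadsheets the host polled: useful pivot for the IOC hunt.
            sheet_ids = sorted({u.split("/spreadsheets/")[1].split("/")[0] for _, u in reqs})
            results[host] = {
                "mean_interval": round(mean, 1),
                "jitter": round(jitter, 3),
                "sheet_ids": sheet_ids,
            }
    return results


if __name__ == "__main__":
    for host, info in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: every ~{info['mean_interval']}s (jitter {info['jitter']}) -> {info['sheet_ids']}")
```

Run against real proxy or DNS logs, the useful output is not the hit itself but the pivot: the spreadsheet IDs a flagged host polled can be compared against the published IOCs, and the host itself is a candidate for the disk and process checks that confirm or rule out GRIDTIDE. Hosts that legitimately automate Sheets (reporting jobs, integrations) will also trip a cadence check, so an allowlist of known automation accounts belongs in front of this logic in production.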
What Google and Partners Did
GTIG and its collaborators carried out a coordinated disruption effort that included:
- Terminating Google Cloud projects that the threat actors controlled, cutting off their ability to maintain access.
- Identifying and disabling all known UNC2814 infrastructure, including malicious domains and servers.
- Disabling attacker accounts and revoking API access the group was using for command and control.
- Releasing indicators of compromise (IOCs) so that organizations can detect signs of similar activity in their networks.
- Notifying affected organizations that they may have been compromised.
Scope of the Intrusions
GTIG confirmed that UNC2814 had successfully compromised systems in 53 organizations across 42 countries and suspects that at least 20 more countries were targeted. The group’s focus was mainly on telecommunications companies, though some government entities were also affected.
In at least one confirmed case, the group used GRIDTIDE to access systems containing personally identifiable information (PII) such as:
- Full names
- Phone numbers
- Dates and places of birth
- Voter ID numbers
- National identification numbers
This type of data is highly valuable for cyber espionage because it can be used to track or monitor individuals of interest, and in past campaigns the same kind of access has been used to exfiltrate telecom call records and SMS messages, and even to interact with lawful intercept systems.
Distinct from Other Campaigns
Google’s analysis showed that UNC2814’s methods, targets, and tools are different from those used in other well-known Chinese-linked operations, such as the Salt Typhoon campaign. This suggests GRIDTIDE is a separate and unique threat with its own global impact.
Ongoing Defense Efforts
Even though this specific campaign has been disrupted, GTIG warns that sophisticated threats like UNC2814 will keep evolving. The released IOCs, detection signatures, and deeper insights from this investigation are designed to help organizations everywhere better defend themselves against similar hidden threats in the future.
