Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries
Google's Threat Intelligence Group (GTIG), working with industry partners, has disrupted the infrastructure of UNC2814, a suspected China-linked Advanced Persistent Threat (APT) group. The operation halted attacks on at least 53 organizations across 42 countries.
A Global Spy Network: Understanding UNC2814
Active since at least 2017, UNC2814 has targeted governments and telecommunications providers across Africa, Asia, and the Americas. It is also believed to be linked to additional infections in more than 20 other nations, making it both prolific and hard to track.
A Novel Backdoor: GRIDTIDE
The group used a previously undocumented backdoor, GRIDTIDE, to carry out its operations. GRIDTIDE does not exploit any flaw in Google's products; it calls legitimate Google Sheets API functions so that its command-and-control (C2) traffic blends in with ordinary API usage. The C-based backdoor can execute shell commands, upload and download files, and uses a cloud-hosted spreadsheet as its C2 channel. Because that traffic terminates at Google's own API endpoints over TLS, blocking by destination is of little use; detection has to rest on host telemetry and on which systems have any legitimate reason to call the Sheets API at all.
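One way to hunt for a Sheets-based C2 channel in web-proxy logs, as an added example that is not code from the article or from GTIG: group non-browser requests to sheets.googleapis.com by source host and user agent, then flag groups whose request intervals are too regular to be a human. The log format, host names, user-agent strings, spreadsheet IDs and the 60-second polling cadence are all constructed for this example; the article does not disclose how GRIDTIDE polls, so the thresholds are assumptions to tune per environment.

```python
"""Hunt for beacon-like polling of the Google Sheets API in web-proxy logs.

Added example (not code from the article or from GTIG). The log format, host
names, user-agent strings, spreadsheet IDs and polling interval below are all
constructed for this demo; the article does not disclose how GRIDTIDE polls.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_HOST = "sheets.googleapis.com"
# A browser-like user agent does not prove a request is benign; it only moves
# it out of the "unattended process polling the API" bucket this hunt targets.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")
SPREADSHEET_ID = re.compile(r"/v4/spreadsheets/([^/]+)")

# Constructed proxy log: "<ISO timestamp> <src host> <dst host> <path> <user-agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/tasks!A1:C10 curl/8.4.0
2024-05-01T10:00:00 ws-17 sheets.googleapis.com /v4/spreadsheets/9zY8xW7vU/values/Q2!A1:Z200 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36
2024-05-01T10:01:00 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/tasks!A1:C10 curl/8.4.0
2024-05-01T10:02:00 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/results!A1:append curl/8.4.0
2024-05-01T10:03:01 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/tasks!A1:C10 curl/8.4.0
2024-05-01T10:04:00 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/tasks!A1:C10 curl/8.4.0
2024-05-01T10:05:00 srv-db-02 sheets.googleapis.com /v4/spreadsheets/1aB2cD3eF/values/tasks!A1:C10 curl/8.4.0
2024-05-01T10:07:23 ws-17 sheets.googleapis.com /v4/spreadsheets/9zY8xW7vU/values/Q2!A1:Z200 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36
2024-05-01T10:09:10 srv-app-01 www.googleapis.com /oauth2/v3/tokeninfo curl/8.4.0
2024-05-01T10:31:05 ws-17 sheets.googleapis.com /v4/spreadsheets/9zY8xW7vU/values/Q2!A1:Z200 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36
"""


def parse_log(text):
    """Split the constructed log lines into records (the user agent may contain spaces)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path, ua = line.split(" ", 4)
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "path": path, "ua": ua})
    return records


def find_sheets_beacons(records, min_requests=5, max_jitter=0.2):
    """Return (src, user-agent) pairs that poll the Sheets API at a steady cadence.

    jitter = stdev(interval) / mean(interval): a scripted poll loop produces a
    value near zero, a person working in a browser does not.
    """
    groups = defaultdict(list)
    for r in records:
        if r["dst"] != SHEETS_HOST or any(m in r["ua"] for m in BROWSER_MARKERS):
            continue
        groups[(r["src"], r["ua"])].append(r)

    findings = []
    for (src, ua), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        sheet_ids = set()
        for r in reqs:
            m = SPREADSHEET_ID.search(r["path"])
            if m:
                sheet_ids.add(m.group(1))
        findings.append({
            "src": src,
            "user_agent": ua,
            "requests": len(reqs),
            "mean_interval_s": round(avg, 1),
            "jitter": round(jitter, 3),
            "spreadsheet_ids": sorted(sheet_ids),  # pivot: which other hosts touch these?
        })
    return findings


if __name__ == "__main__":
    for finding in find_sheets_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this flags only srv-db-02 (six requests about 60 seconds apart from a non-browser client), while the browser session on ws-17 and the unrelated OAuth call from srv-app-01 are ignored. The spreadsheet IDs a flagged host touches are the useful pivot: any other host reading or appending to the same sheet is worth a look, and the IDs can be handed to the cloud provider for takedown.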
Malicious Techniques
To maintain persistence, the attackers installed the GRIDTIDE backdoor as a systemd service so that it restarts with the host. They also launched it with nohup ./xapt, which detaches the process from the terminal's hangup signal so it survives the operator's session closing, and deployed SoftEther VPN Bridge to establish an encrypted outbound tunnel. The malware uses Google Sheets as its command-and-control (C2) channel, hiding its traffic within what look like legitimate API requests.
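A host-side triage of the persistence pattern just described, as an added example that is not code from the article or from GTIG: parse systemd unit files and flag Exec* directives that wrap a shell command line, launch something through nohup, run from scratch or hidden directories, or reference the file names of interest. The three unit files are constructed; "xapt" is the file name the article reports for GRIDTIDE, while "vpnbridge" as the SoftEther VPN Bridge daemon name and the directory list are assumptions, not indicators from the report.

```python
"""Triage systemd unit files for the persistence pattern the article describes.

Added example (not code from the article or from GTIG). The unit files below
are constructed; "xapt" is the file name the article reports for GRIDTIDE,
while "vpnbridge" as the SoftEther VPN Bridge daemon name and the directory
list are assumptions, not indicators from the report.
"""
import re
import shlex

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SUSPICIOUS_NAMES = {"xapt", "nohup", "vpnbridge"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed unit files: one benign, one modelled on the article's description,
# one for the VPN bridge (benign if the organization actually runs SoftEther).
SAMPLE_UNITS = {
    "/etc/systemd/system/ssh.service": """\
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
""",
    "/etc/systemd/system/sysupdate.service": """\
[Unit]
Description=System update helper
After=network-online.target
[Service]
Type=forking
ExecStart=/bin/sh -c 'cd /var/tmp/.cache && nohup ./xapt &'
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/vpnbridge.service": """\
[Unit]
Description=SoftEther VPN Bridge
[Service]
ExecStart=/usr/local/vpnbridge/vpnbridge start
ExecStop=/usr/local/vpnbridge/vpnbridge stop
[Install]
WantedBy=multi-user.target
""",
}


def exec_directives(content):
    """Yield (key, command) for every Exec* directive in a unit file."""
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("Exec"):
            yield key.strip(), value.strip()


def command_tokens(cmd):
    """Tokenise an Exec* value; returns (tokens, wrapped_in_shell_c).

    If the command is `sh -c '...'`, the inner command line is split on
    whitespace and shell operators too, so `nohup ./xapt &` is not hidden
    inside a single quoted token.
    """
    cmd = cmd.lstrip("-@+!:")  # systemd's executable-prefix characters
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    wrapped = bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" in argv
    tokens = list(argv)
    if wrapped:
        idx = argv.index("-c")
        if idx + 1 < len(argv):
            tokens += [t for t in re.split(r"[\s;&|()]+", argv[idx + 1]) if t]
    return tokens, wrapped


def assess_unit(path, content):
    """Return {"unit": path, "reasons": [...]}; an empty list means nothing stood out."""
    reasons = []
    for key, cmd in exec_directives(content):
        tokens, wrapped = command_tokens(cmd)
        if wrapped:
            reasons.append(f"{key} wraps a shell -c command line")
        for tok in tokens:
            name = tok.rsplit("/", 1)[-1]
            if name in SUSPICIOUS_NAMES:
                reasons.append(f"{key} references '{name}'")
            if tok.startswith(SUSPICIOUS_DIRS):
                reasons.append(f"{key} uses a path under an unusual directory: {tok}")
            if any(p.startswith(".") and p not in (".", "..") for p in tok.split("/")):
                reasons.append(f"{key} uses a hidden path component: {tok}")
    return {"unit": path, "reasons": reasons}


def hunt_units(units):
    """Assess every unit (path -> content) and keep only those with findings."""
    results = (assess_unit(p, c) for p, c in units.items())
    return [r for r in results if r["reasons"]]


if __name__ == "__main__":
    for hit in hunt_units(SAMPLE_UNITS):
        print(hit["unit"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

On a live host, feed hunt_units with the contents of /etc/systemd/system, /run/systemd/system and any ~/.config/systemd/user directories, and compare the result against `systemctl list-unit-files --state=enabled` so a unit that is present but never enabled is not overlooked. A hit on vpnbridge is a triage item, not a verdict: the question is whether anyone in the organization deployed SoftEther on that machine.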
Threat Actor's Objectives
UNC2814 targeted endpoints holding personally identifiable information (names, phone numbers, dates of birth, and national IDs), a pattern consistent with telecom-focused cyber espionage. Although no direct exfiltration was observed, access of this kind could be used to monitor communications, including call records and SMS messages, for surveillance and intelligence gathering.
Disruption and Aftermath
GTIG disrupted UNC2814's infrastructure by terminating the attacker-controlled Google Cloud projects and accounts, disabling the backdoor's access, and revoking its ability to make Google Sheets API calls. This coordinated action cut off the C2 channel and halted the attacks on the 53 affected organizations.
Indicators of Compromise (IOCs) Released
GTIG also refined its detection signatures to block GRIDTIDE activity and released indicators of compromise (IOCs) associated with UNC2814 activity since 2023, giving organizations worldwide something concrete to hunt for. The global reach of UNC2814 underlines the threat facing the telecommunications and government sectors.
Conclusion
The disruption of UNC2814 by GTIG underscores the value of industry collaboration against state-aligned espionage. As APT groups continue to evolve, organizations need to stay vigilant and maintain robust defences against campaigns like those mounted by UNC2814. Sharing IOCs and refining detection signatures strengthens the collective defence against such threats.