Google Disrupts Prolific China-Linked Hacking Campaign Targeting Global Organizations

A long-running cyber-espionage campaign has been targeting organizations worldwide since 2017. Google, working with international partners, has now disrupted the operation, tracked as UNC2814 and suspected of having links to China; Google describes the group as "prolific" and "elusive". Its activity targeted governments and telecommunications organizations across Africa, Asia, and the Americas.

The investigation by Google's Threat Intelligence Group (GTIG) found that UNC2814 had compromised at least 53 victims in 42 countries, with similar activity observed in at least 20 more. The group's initial access method has not been identified, but researchers note that similar campaigns have gained entry through compromised web servers and edge devices, so those internet-facing systems are the obvious place to look first.

Central to UNC2814's campaigns was a previously undocumented backdoor that Google and Mandiant named GridTide. It can execute arbitrary shell commands and upload and download files. What sets GridTide apart is its use of Google Sheets as a command-and-control (C2) channel: its traffic consists of ordinary-looking Google Sheets API requests, so it blends in with legitimate cloud traffic.

The attackers did not use the spreadsheet as a document but as a transport: shell commands and raw data were written to and read from cells through the API. Because the requests go to a legitimate Google domain over TLS, network detection that relies on domain reputation or known-bad infrastructure will not flag them; defenders instead have to ask which hosts and processes are talking to the Sheets API, and whether that is expected for the asset. When Google took action, it terminated every Google Cloud project controlled by the attacker, cut the group's persistent access to victim environments, disabled attacker accounts, and revoked the group's access to the Google Sheets API.
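The following Python script is an added example, not code from Google, Mandiant or the GridTide analysis, showing one way to hunt for this pattern in endpoint or proxy telemetry: it parses JSON-lines network records, keeps only requests to the Sheets v4 API, and flags (a) processes that are not on an allowlist of things expected to talk to Google Sheets and (b) host/process pairs whose requests are spaced too evenly to be a human in a browser. The log schema (`ts`, `host`, `process`, `dest`, `method`, `path`), the host and process names, the spreadsheet id `EXAMPLE_ID` and the allowlist are all constructed assumptions for illustration.

```python
"""
Hunting for Google Sheets API abuse as a C2 channel in endpoint network telemetry.

Added example; not Google's, Mandiant's or GridTide's code. The log schema
(ts, host, process, dest, method, path), host names, process names and the
spreadsheet id are all constructed for illustration.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

SHEETS_HOST = "sheets.googleapis.com"
SHEETS_API_PREFIX = "/v4/spreadsheets/"

# Processes expected to reach the Sheets API on a workstation (assumed allowlist;
# tune to the environment).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe"}

# Constructed EDR/proxy records: a workstation browsing normally, and a server
# whose unfamiliar process polls one spreadsheet about once a minute, alternating
# reads (fetch commands) and writes (post results).
LOG_LINES = [
    '{"ts":"2024-05-01T09:01:13Z","host":"ws-042","process":"chrome.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/Sheet1"}',
    '{"ts":"2024-05-01T09:05:30Z","host":"ws-042","process":"chrome.exe","dest":"www.google.com","method":"GET","path":"/"}',
    '{"ts":"2024-05-01T09:07:48Z","host":"ws-042","process":"chrome.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/Sheet1"}',
    '{"ts":"2024-05-01T09:31:02Z","host":"ws-042","process":"chrome.exe","dest":"sheets.googleapis.com","method":"PUT","path":"/v4/spreadsheets/EXAMPLE_ID/values/Sheet1!B2"}',
    '{"ts":"2024-05-01T10:15:55Z","host":"ws-042","process":"chrome.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/Sheet1"}',
    '{"ts":"2024-05-01T09:00:00Z","host":"db-srv-01","process":"updater.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/cmd!A1:A1"}',
    '{"ts":"2024-05-01T09:01:01Z","host":"db-srv-01","process":"updater.exe","dest":"sheets.googleapis.com","method":"POST","path":"/v4/spreadsheets/EXAMPLE_ID/values/out!A1:append"}',
    '{"ts":"2024-05-01T09:02:00Z","host":"db-srv-01","process":"updater.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/cmd!A1:A1"}',
    '{"ts":"2024-05-01T09:03:02Z","host":"db-srv-01","process":"updater.exe","dest":"sheets.googleapis.com","method":"POST","path":"/v4/spreadsheets/EXAMPLE_ID/values/out!A1:append"}',
    '{"ts":"2024-05-01T09:04:00Z","host":"db-srv-01","process":"updater.exe","dest":"sheets.googleapis.com","method":"GET","path":"/v4/spreadsheets/EXAMPLE_ID/values/cmd!A1:A1"}',
]


def parse(lines):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def sheets_api_events(events):
    """Keep only requests to the Sheets v4 API (reads or writes of cell ranges)."""
    return [e for e in events
            if e["dest"] == SHEETS_HOST and e["path"].startswith(SHEETS_API_PREFIX)]


def unexpected_process_hits(events):
    """(host, process) pairs reaching the Sheets API from a non-allowlisted process."""
    pairs = {(e["host"], e["process"]) for e in sheets_api_events(events)
             if e["process"].lower() not in EXPECTED_PROCESSES}
    return sorted(pairs)


def beaconing_pairs(events, min_hits=4, max_cv=0.2):
    """
    (host, process) pairs whose Sheets API requests are evenly spaced.
    A low coefficient of variation (stdev / median interval) is typical of a
    polling implant and atypical of a person working in a browser.
    Returns [((host, process), median_interval_seconds, cv), ...].
    """
    by_pair = defaultdict(list)
    for e in sheets_api_events(events):
        by_pair[(e["host"], e["process"])].append(e["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        cv = statistics.pstdev(gaps) / median
        if cv <= max_cv:
            flagged.append((pair, round(median), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("Sheets API from unexpected process:", unexpected_process_hits(evs))
    print("Sheets API beaconing:", beaconing_pairs(evs))
```

Both rules fire on the constructed server host (an unknown process polling one sheet every 60 seconds with under 3 % jitter) and neither fires on the workstation, whose browser hits the same API at irregular, human-paced intervals. Real implants often add jitter, so the `max_cv` threshold and `min_hits` window need tuning against baseline traffic, and the allowlist approach only works where Sheets usage from servers is genuinely rare; the point is that the signal here is in who is talking and how often, not in the destination.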

According to Google, UNC2814 likely used GridTide to identify, track, and monitor persons of interest at the targeted telecommunications and government organizations. Although the analysis did not directly observe exfiltration of sensitive data, the researchers note that similar China-linked espionage campaigns have stolen call data records and unencrypted SMS messages.

The campaigns resemble those of a group Google tracks as UNC2286, better known as Salt Typhoon. However, Google notes that "UNC2814 has no observed overlaps with activity publicly reported as Salt Typhoon." Even so, the global scope of UNC2814's activity underscores the threat facing the telecommunications and government sectors.

"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established," Google warned. "We expect that UNC2814 will work hard to re-establish their global footprint."

Google has notified the victims of UNC2814 about the activity and offered support to the organizations the group compromised.

Conclusion

The disruption of UNC2814 removes infrastructure that, by Google's own assessment, took years to build, although the group is expected to try to rebuild it. For defenders, the practical lesson is that C2 over a trusted SaaS API defeats blocklists and reputation-based controls: detecting it means looking at which hosts and processes talk to services such as the Sheets API, how regularly they do so, and whether that is normal for the asset. The likely entry points reported for similar campaigns, compromised web servers and edge devices, are where hardening and monitoring effort should start.

Understanding UNC2814's tactics, techniques, and procedures (TTPs) helps organizations prepare for follow-on activity, and the case underscores the role of threat intelligence, and of cooperation with platform providers, in detecting and disrupting espionage operations. Staying informed about groups like UNC2814 and sharing detections and best practices remain essential as the threat landscape evolves.

Keywords

* Cybersecurity * Hacking * China-linked cyber-espionage * Data breach * Malware * Vulnerability * GridTide * UNC2814