active threat profile
type: APT / Nation-State
threat level: High
status: Active (Disrupted)
origin: China (PRC-nexus)
last updated: 2026-03-26

UNC2814

also known as: UNC2814 (Mandiant designation)
A suspected Chinese state-linked espionage group that weaponized Google Sheets as covert command-and-control infrastructure, operating undetected across 42 countries for nearly a decade. UNC2814 deployed the novel GRIDTIDE backdoor against telecommunications providers and government organizations on four continents, treating cloud spreadsheets not as documents but as bidirectional communication channels for transferring raw data and shell commands. In February 2026, Google's Threat Intelligence Group and Mandiant coordinated a disruption that severed the group's access — but the scale and duration of the campaign demonstrated how effectively trusted cloud services can be abused to evade detection.
attributed origin: China (PRC-nexus)
suspected sponsor: State-linked (unattributed bureau)
first observed: ~2017 (infrastructure since 2018)
primary motivation: Signals intelligence / espionage
primary targets: Telecoms, Government
confirmed victims: 53 orgs / 42 countries
MITRE ATT&CK group: Unassigned
target regions: Africa, Asia, Americas, Europe
threat level: High

Overview

UNC2814 is a suspected PRC-nexus threat actor that Google's Threat Intelligence Group (GTIG) has tracked since 2017. The group is characterized by its patient, methodical tradecraft and a signature capability that distinguishes it from other Chinese espionage clusters: the abuse of legitimate cloud-based spreadsheet services as command-and-control infrastructure.

The group's defining innovation is GRIDTIDE, a C-based backdoor that uses Google Sheets as its primary C2 platform. Rather than relying on attacker-registered domains or IP ranges that defenders can blocklist, GRIDTIDE talks to the Google Sheets API, so at the domain and IP level its traffic is the same TLS traffic to Google that legitimate Sheets use produces. The backdoor polls a specific spreadsheet cell (A1) every second for new commands, writes status responses back to the same cell, and uses additional cells (A2-An) for data transfer. At the start of each session it wipes the first 1,000 rows to erase traces of prior activity. What remains observable on the victim side is the source rather than the destination: a server process with no business reason to touch a spreadsheet, polling at a fixed one-second cadence.
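The cell protocol described above, as an added example written for this profile (it is not UNC2814's code and nothing here contacts Google). A FakeSheet stands in for the spreadsheet and records the Sheets API v4 request each operation would generate against the real service, which is what a TLS-inspecting proxy on the victim network would see; command execution is replaced by a table of constructed sample output, so nothing runs on the host. The A1:Z column extent of the wipe range, the STATUS: prefix, the spreadsheet ID and the sample outputs are assumptions; the profile only states that the first 1,000 rows are cleared, that A1 carries commands and status, and that A2 onward carries data. The service account's OAuth token exchange is not modelled.

```python
"""In-memory model of GRIDTIDE's cell-based C2 channel (added example, not UNC2814 code)."""
from dataclasses import dataclass, field

SHEET_ID = "EXAMPLE_SPREADSHEET_ID"          # constructed placeholder, not an indicator
BASE = f"https://sheets.googleapis.com/v4/spreadsheets/{SHEET_ID}/values/"
CELL_LIMIT = 50_000                            # Google Sheets caps one cell at 50,000 characters
WIPE_ROWS = 1_000                              # rows cleared at session start (per the profile)

# Constructed stand-in for shell execution: a lookup table instead of a subprocess.
SAMPLE_OUTPUT = {
    "id": "uid=0(root) gid=0(root) groups=0(root)\n",
    "uname -a": "Linux hlr-db-01 5.15.0 #1 SMP x86_64 GNU/Linux\n",
}


def _row(ref):
    """Row number of an A1-style cell reference ('A12' -> 12)."""
    return int("".join(ch for ch in ref if ch.isdigit()))


@dataclass
class FakeSheet:
    cells: dict = field(default_factory=dict)
    requests: list = field(default_factory=list)   # (actor, method, url) the real client would send

    def clear(self, rng, actor="implant"):
        self.requests.append((actor, "POST", f"{BASE}{rng}:clear"))      # spreadsheets.values.clear
        lo, hi = (_row(part) for part in rng.split(":"))
        for ref in [r for r in self.cells if lo <= _row(r) <= hi]:
            del self.cells[ref]

    def get(self, ref, actor="implant"):
        self.requests.append((actor, "GET", f"{BASE}{ref}"))             # spreadsheets.values.get
        return self.cells.get(ref, "")

    def update(self, ref, value, actor="implant"):
        self.requests.append((actor, "PUT", f"{BASE}{ref}?valueInputOption=RAW"))  # values.update
        self.cells[ref] = value

    def update_column(self, start_row, values, actor="implant"):
        rng = f"A{start_row}:A{start_row + len(values) - 1}"
        self.requests.append((actor, "PUT", f"{BASE}{rng}?valueInputOption=RAW"))
        for i, v in enumerate(values):
            self.cells[f"A{start_row + i}"] = v


def chunk(data, size=CELL_LIMIT):
    """Split output across cells so no single cell exceeds the Sheets limit."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [""]


def implant_start(sheet):
    sheet.clear(f"A1:Z{WIPE_ROWS}")                # erase the previous session's traces


def implant_poll(sheet):
    """One iteration of the one-second poll loop; returns the command handled or None."""
    cmd = sheet.get("A1")
    if not cmd or cmd.startswith("STATUS:"):
        return None                                # nothing new tasked; real implant sleeps 1 s here
    rows = chunk(SAMPLE_OUTPUT.get(cmd, f"sh: {cmd}: not found\n"))
    sheet.update_column(2, rows)                   # data goes into A2..An
    sheet.update("A1", f"STATUS:done rows={len(rows)}")   # status goes back into A1
    return cmd


def operator_task(sheet, cmd):
    sheet.update("A1", cmd, actor="operator")


def operator_collect(sheet):
    status = sheet.get("A1", actor="operator")
    n = int(status.rsplit("=", 1)[1]) if status.startswith("STATUS:done") else 0
    return status, "".join(sheet.get(f"A{r}", actor="operator") for r in range(2, 2 + n))


def run_demo():
    # Leftovers from a "previous session", including a row deep inside the wiped range.
    sheet = FakeSheet(cells={"A1": "STATUS:done rows=1", "A2": "old output", "A900": "stale"})
    implant_start(sheet)
    wiped = not any(_row(ref) <= WIPE_ROWS for ref in sheet.cells)
    idle = implant_poll(sheet)                     # idle poll: A1 is empty after the wipe
    operator_task(sheet, "id")
    handled = implant_poll(sheet)
    status, output = operator_collect(sheet)
    seen_by_victim = [f"{m} {u}" for actor, m, u in sheet.requests if actor == "implant"]
    return {"wiped": wiped, "idle": idle, "handled": handled, "status": status,
            "output": output, "implant_requests": seen_by_victim}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value if not isinstance(value, list) else "\n  " + "\n  ".join(value))
```

The request list is the defender-relevant output: every poll is a GET for one cell, every result a PUT, and every session opens with a POST ending in `:clear`. None of those URLs is visible without TLS inspection, but the destination host and the fixed cadence are.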

As of February 2026, GTIG confirmed that UNC2814 had compromised 53 organizations in 42 countries across four continents, with suspected infections in at least 20 more. The group primarily targeted telecommunications providers globally, with additional focus on government organizations. On compromised systems, investigators found the group targeting highly sensitive PII including full names, phone numbers, dates of birth, voter IDs, and national ID numbers — data consistent with surveillance operations designed to identify, track, and monitor persons of interest.

UNC2814 has no observed overlap with Salt Typhoon. Although both groups target telecommunications infrastructure, they use distinct tooling, different victim sets, and separate operational infrastructure.

warning

Google's February 2026 disruption severed GRIDTIDE's C2 access, but it removed accounts and infrastructure, not the technique. Researchers note that GRIDTIDE's architecture is platform-agnostic: the backdoor can be adapted to any cloud-based spreadsheet service. GTIG expects the group will work to rebuild its global footprint.

Target Profile

UNC2814 focuses on two primary sectors, both aligned with signals intelligence collection priorities.

  • Telecommunications providers: The primary target worldwide. Access to telecom infrastructure enables the surveillance of call data records, subscriber information, and communications metadata — the raw material for identifying and tracking persons of interest without ever touching their devices directly.
  • Government organizations: Targeted alongside telecoms, particularly in Africa, Asia, and the Americas. GRIDTIDE was deployed on endpoints containing PII including voter IDs and national identification numbers, indicating the group was building dossiers on specific individuals.
  • Geographic scope: Confirmed victims span 42 countries across four continents, with suspected infections in 20+ additional nations. The breadth of targeting indicates a standing global intelligence collection mission rather than campaign-specific operations.

Tactics, Techniques & Procedures

  • T1190 Exploit Public-Facing Application: Historical initial access via compromised web servers and edge systems. GTIG did not identify the specific vulnerability exploited in this campaign.
  • T1102.002 Web Service: Bidirectional Communication: Signature technique. GRIDTIDE uses the Google Sheets API as its C2 channel, authenticating with Google Service Accounts; the implant polls spreadsheet cells for commands and writes results back into cells.
  • T1021.004 Remote Services: SSH: Post-compromise lateral movement via SSH across victim environments. Reconnaissance and privilege escalation conducted through SSH sessions.
  • T1572 Protocol Tunneling: Deployed SoftEther VPN Bridge to establish outbound encrypted tunnels to external infrastructure. VPN metadata indicates this infrastructure has been active since July 2018.
  • T1140 Deobfuscate/Decode Files or Information: GRIDTIDE uses AES-128 in CBC mode to decrypt its stored Google Drive configuration, which includes the service account credentials and spreadsheet ID used for C2.
  • T1082 System Information Discovery: GRIDTIDE performs host-based reconnaissance upon deployment, collecting machine details, user information, and network environment data, which it exfiltrates to cell V1 of the C2 spreadsheet.
  • T1005 Data from Local System: Targeted collection of PII from compromised endpoints, including names, phone numbers, dates of birth, voter IDs, and national identification numbers.

Known Campaigns

GRIDTIDE Global Espionage Campaign (2017–2026)

Nearly decade-long campaign targeting telecommunications providers and government organizations across four continents. 53 confirmed victims in 42 countries. Deployed GRIDTIDE backdoor communicating via Google Sheets API and SoftEther VPN for encrypted tunneling. Disrupted by Google, Mandiant, and industry partners in February 2026 through coordinated infrastructure takedown, account disabling, and domain sinkholing.


Tools & Malware

UNC2814's operational toolkit is lean but highly effective, designed around stealth and persistence in enterprise cloud environments.

  • GRIDTIDE: Novel C-based backdoor using Google Sheets as its C2 platform. Executes arbitrary shell commands, uploads and downloads files. Uses AES-128-CBC to decrypt stored configuration containing Google Service Account credentials. Polls the C2 spreadsheet every second for commands, writes results back to cells, and wipes 1,000 rows at session start to erase evidence. Deployed via the command nohup ./xapt to survive session termination.
  • SoftEther VPN Bridge: Deployed after initial access to establish outbound encrypted connections to external attacker infrastructure. VPN metadata indicates use of this specific infrastructure since at least July 2018.
  • Living-off-the-land tooling: Post-compromise operations rely heavily on native SSH utilities, standard reconnaissance commands, and legitimate system tools to minimize the deployment of custom malware artifacts.
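A host-side hunt for the two artifacts named above, as an added example for this profile (not GTIG or Mandiant tooling). It reads `ps -eo pid,ppid,user,args` output and flags processes that match what the page describes: a binary started with nohup from a relative path that has outlived its login session (nohup execs the target, so the word "nohup" does not appear in the process list; what does show is a PPID of 1 and a path like ./xapt), and the SoftEther components (vpnbridge, vpnserver, vpnclient, vpncmd). The sample process table is constructed; the world-writable directory list and the idea that relative paths under PPID 1 are suspicious are heuristics to tune per environment.

```python
"""Hunt for nohup-launched relative-path binaries and SoftEther processes in ps output."""
from dataclasses import dataclass

SOFTETHER_BINS = {"vpnbridge", "vpnserver", "vpnclient", "vpncmd"}  # SoftEther component names
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")                 # assumed staging locations

# Constructed sample of `ps -eo pid,ppid,user,args`: two benign daemons, a user
# shell running a script, an orphaned ./xapt and a SoftEther bridge service.
SAMPLE_PS = """\
  PID  PPID USER     ARGS
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/sshd -D
 2041     1 mysql    /usr/sbin/mysqld
 3377     1 root     ./xapt
 3390     1 root     /opt/vpnbridge/vpnbridge execsvc
 4102  3301 alice    -bash
 4155  4102 alice    ./build.sh
"""


@dataclass
class Finding:
    pid: int
    user: str
    args: str
    reasons: list


def parse_ps(text):
    """Parse ps output into (pid, ppid, user, args) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return rows


def hunt_processes(ps_text):
    findings = []
    for pid, ppid, user, args in parse_ps(ps_text):
        exe = args.split()[0]
        name = exe.rsplit("/", 1)[-1]
        reasons = []
        # Re-parented to PID 1 (session gone) and launched from where no service binary should live.
        if ppid == 1 and (exe.startswith("./") or exe.startswith(WRITABLE_DIRS)):
            reasons.append("orphaned process from relative or world-writable path")
        if name in SOFTETHER_BINS:
            reasons.append(f"SoftEther component {name}")
        if reasons:
            findings.append(Finding(pid, user, args, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PS):
        print(f"PID {f.pid} ({f.user}): {f.args}  <- {'; '.join(f.reasons)}")
```

On a live host, confirm a hit with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd`, since the args column only shows what the process was started as. A SoftEther install is also recognizable by its config file (vpn_bridge.config for the bridge) alongside the binary.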

Mitigation & Defense

Defending against UNC2814 requires rethinking assumptions about trusted cloud traffic.

  • Monitor cloud API usage from servers: GRIDTIDE's C2 traffic looks like normal Google Sheets API calls. Detect anomalies by alerting on Google Sheets API access from non-user endpoints, server processes, or systems that have no business reason to interact with spreadsheet services.
  • Control server egress to Google APIs: GRIDTIDE authenticates with Google Service Accounts that the attacker controls, so restricting service-account creation inside your own Google Workspace or Cloud tenant does not affect it. Instead, deny or proxy outbound access to googleapis.com from servers that have no business reason to reach Google APIs, and hunt for service-account key material on hosts that should not hold it (a JSON file whose "type" is "service_account" and which carries "private_key" and "client_email" fields).
  • Monitor for SoftEther VPN: Detect SoftEther VPN Bridge deployment on endpoints where it is not an approved tool. Look for unexpected outbound encrypted connections to infrastructure outside your normal business scope.
  • Hunt for PII staging: UNC2814 targets endpoints containing PII. Monitor for unusual file access patterns on systems storing sensitive identity data — particularly mass reads of voter records, national ID databases, or subscriber information.
  • Patch edge devices and web servers: While the specific initial access vector was not determined, UNC2814 has a history of compromising web servers and edge systems. Maintain aggressive patch cadence on all internet-facing infrastructure.
  • Use Google's published IOCs: GTIG released indicators of compromise linked to UNC2814 infrastructure active since 2023. Scan environments using the published hashes, IPs, and domains through Google Threat Intelligence.
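The first item above, monitoring Sheets API use from servers, as an added example for this profile (not GTIG or Mandiant tooling). It runs over a constructed proxy log (timestamp, source host, method, URL) and flags a source when it talks to sheets.googleapis.com from a host class that has no business doing so, when its requests arrive on the near-metronome cadence of a one-second poll loop, or when a request path ends in `:clear` (the values.clear call behind the 1,000-row wipe). The server naming convention, the beacon thresholds and the sample lines are assumptions; replace the first two with your asset inventory and baselines. Without TLS inspection the URL paths are not available, but the destination host and the cadence still are.

```python
"""Flag GRIDTIDE-style Google Sheets API use in proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

SHEETS_HOST = "sheets.googleapis.com"
SERVER_PREFIXES = ("hlr-", "db-", "app-", "gw-")   # assumed hostname convention for servers
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample: a subscriber-database server polling A1 every second after a
# wipe, a workstation using Sheets normally, and a browser session to docs.google.com.
SAMPLE_LOG = """\
2026-02-10T09:00:00 hlr-db-01 POST https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1:Z1000:clear
2026-02-10T09:00:01 hlr-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1
2026-02-10T09:00:02 hlr-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1
2026-02-10T09:00:03 hlr-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1
2026-02-10T09:00:04 hlr-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1
2026-02-10T09:00:05 hlr-db-01 PUT https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1?valueInputOption=RAW
2026-02-10T09:00:06 hlr-db-01 GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/A1
2026-02-10T09:00:14 ws-alice GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/B2
2026-02-10T09:03:40 ws-alice PUT https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/B2?valueInputOption=USER_ENTERED
2026-02-10T09:09:02 ws-alice GET https://sheets.googleapis.com/v4/spreadsheets/EXAMPLEID/values/C7
2026-02-10T09:00:30 ws-bob GET https://docs.google.com/spreadsheets/d/EXAMPLEID/edit
"""


def parse(lines):
    """Yield (time, src, method, dest_host, url) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["url"].split("/")[2], m["url"]


def is_server(src):
    return src.startswith(SERVER_PREFIXES)


def cadence(times):
    """Median inter-arrival gap (s) and its coefficient of variation; beacons have a low CV."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None, None                          # too few requests to call it periodic
    mean = statistics.mean(gaps)
    return statistics.median(gaps), (statistics.pstdev(gaps) / mean if mean else 0.0)


def hunt(lines, max_median=5.0, max_cv=0.2):
    """Return {source_host: [reasons]} for sources whose Sheets API use looks like C2."""
    by_src = defaultdict(list)
    for ts, src, method, host, url in parse(lines):
        if host == SHEETS_HOST:
            by_src[src].append((ts, method, url))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        median, cv = cadence([e[0] for e in events])
        reasons = []
        if is_server(src):
            reasons.append("sheets-api-from-server")
        if median is not None and median <= max_median and cv <= max_cv:
            reasons.append(f"beacon median={median:.1f}s cv={cv:.2f}")
        if any(url.endswith(":clear") for _, _, url in events):
            reasons.append("values.clear")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG.splitlines()).items():
        print(src, "->", ", ".join(reasons))
```

Feed it a real export with `hunt(open("proxy.log"))`. The workstation is not flagged because it is a user endpoint with three irregular requests; the server trips all three rules. Tune max_cv upward if you expect the implant to add jitter, and treat "sheets-api-from-server" alone as a triage lead rather than a conviction.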
analyst note

GTIG explicitly noted that UNC2814 has no observed overlap with Salt Typhoon (UNC2286), despite both groups targeting telecommunications infrastructure. They use different TTPs, target different victim sets, and operate separate infrastructure. This distinction matters for defenders: incident response procedures, hunting queries, and IOCs from one campaign should not be applied to the other without independent verification. The simultaneous existence of multiple PRC-nexus groups targeting telecoms indicates this is a strategic intelligence priority being pursued through parallel, independent operations.
