BBS: TELESC.NET.BR
Subject: Google takes down telecom hackers
From: Mike Powell
Date: Fri, 27 Feb 2026 15:21:04 -0500
-----------------------------------------------------------
Google takes down telecom hackers using Sheets and SaaS apps to spread mayhem
By Sead Fadilpašić published yesterday
A decade-old threat actor is up to some new shenanigans
Google, Mandiant, and partners disrupted UNC2814 espionage campaign
Group used GridTide backdoor leveraging Google Sheets API for C2
Operation hit 53 organizations in 42 countries since 2023; attacker
infrastructure and accounts disabled
Google has managed to take down a global espionage network which targeted
government and telecom organizations in more than 40 countries around the
world.
In a new research report, Google said that its Threat Intelligence Group
(GTIG), together with Mandiant and other partners, discovered a Chinese
state-affiliated threat actor tracked as UNC2814 running a new spy campaign.
In this newest campaign, the group was deploying a previously unseen backdoor
malware called GridTide, which leveraged the Google Sheets API for C2
infrastructure. Instead of connecting to a remote server somewhere to receive
instructions and exfiltrate data, the backdoor makes HTTPS requests to
legitimate Google infrastructure, blending with normal enterprise traffic and
thus not raising any alarms.
Disrupting the attackers
All of the commands are stored in a spreadsheet cell of a document belonging to
the attackers. The operators insert encoded instructions into specific rows or
cells, and the malware then periodically checks, decodes, and executes them.
In some cases, exfiltrated data can also be written back into the sheet;
however, GTIG said it did not observe any instances of data exfiltration.
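The C2 pattern described above (an implant that polls a spreadsheet on a timer over plain HTTPS to Google) is hard to spot by destination alone, but the polling cadence is still visible in proxy or EDR network logs. The following is an added detection example written for this post; it is not code from the article, Google, or Mandiant. The log format, host addresses, process names, spreadsheet IDs and thresholds are all constructed assumptions for illustration. It groups Sheets API requests per client and spreadsheet and flags pairs whose inter-request intervals are nearly constant, which is the signature of a scheduled poller rather than a person working in a sheet.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Requests to the Sheets API carry the spreadsheet ID in the path; capture it
# so that polling can be grouped per (client, document).
SHEETS_API_RE = re.compile(
    r"https://sheets\.googleapis\.com/v4/spreadsheets/([A-Za-z0-9_-]+)"
)

# Constructed sample proxy log (not real telemetry). Field layout:
# "<ISO-8601 timestamp> <src_ip> <process> <method> <url>"
# 10.0.0.15 polls one sheet every ~5 minutes (the beacon-like pattern),
# 10.0.0.22 is a person using sheets from a browser at irregular times, and
# 10.0.0.50 is a known reporting job that polls hourly. All names are made up.
SAMPLE_LOG = """\
2026-02-20T08:00:00 10.0.0.50 python3 GET https://sheets.googleapis.com/v4/spreadsheets/1ReportingJobSheet/values/Data!A1:F200
2026-02-20T09:00:00 10.0.0.15 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1aBcDeFgHiJ/values/Sheet1!A1:B50
2026-02-20T09:00:00 10.0.0.50 python3 GET https://sheets.googleapis.com/v4/spreadsheets/1ReportingJobSheet/values/Data!A1:F200
2026-02-20T09:02:10 10.0.0.22 chrome.exe GET https://docs.google.com/spreadsheets/d/1FinanceBudget/edit
2026-02-20T09:05:01 10.0.0.15 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1aBcDeFgHiJ/values/Sheet1!A1:B50
2026-02-20T09:09:59 10.0.0.15 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1aBcDeFgHiJ/values/Sheet1!A1:B50
2026-02-20T09:15:00 10.0.0.15 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1aBcDeFgHiJ/values/Sheet1!A1:B50
2026-02-20T09:20:02 10.0.0.15 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1aBcDeFgHiJ/values/Sheet1!A1:B50
2026-02-20T09:31:45 10.0.0.22 chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/1FinanceBudget/values/Q1!A1:D40
2026-02-20T10:00:00 10.0.0.50 python3 GET https://sheets.googleapis.com/v4/spreadsheets/1ReportingJobSheet/values/Data!A1:F200
2026-02-20T10:15:03 10.0.0.22 chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/1FinanceBudget/values/Q1!A1:D40
2026-02-20T11:00:00 10.0.0.50 python3 GET https://sheets.googleapis.com/v4/spreadsheets/1ReportingJobSheet/values/Data!A1:F200
"""


def parse_proxy_log(text):
    """Return (timestamp, src_ip, process, spreadsheet_id) for Sheets API calls only.

    Lines that do not match the assumed five-field layout, or that are not
    requests to the Sheets API (e.g. a browser opening docs.google.com), are skipped.
    """
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, src_ip, process, _method, url = parts
        match = SHEETS_API_RE.match(url)
        if not match:
            continue
        events.append((datetime.fromisoformat(ts), src_ip, process, match.group(1)))
    return events


def detect_sheets_beacons(events, min_requests=4, max_cv=0.1, known_automation=frozenset()):
    """Flag (src_ip, spreadsheet) pairs that poll the Sheets API at near-constant intervals.

    The coefficient of variation (std dev / mean) of the inter-request gaps is
    close to zero for a timer-driven poller and large for interactive use.
    Hosts in known_automation (e.g. sanctioned reporting jobs) are excluded.
    """
    by_pair = defaultdict(list)
    for ts, src_ip, process, sheet_id in events:
        by_pair[(src_ip, sheet_id)].append((ts, process))

    findings = []
    for (src_ip, sheet_id), hits in sorted(by_pair.items()):
        if src_ip in known_automation or len(hits) < min_requests:
            continue
        hits.sort()
        times = [ts for ts, _ in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src_ip": src_ip,
                "spreadsheet_id": sheet_id,
                "processes": sorted({p for _, p in hits}),
                "requests": len(hits),
                "mean_interval_s": avg,
                "interval_cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in detect_sheets_beacons(parse_proxy_log(SAMPLE_LOG), known_automation={"10.0.0.50"}):
        print(f"{f['src_ip']} polls sheet {f['spreadsheet_id']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['requests']} requests, cv={f['interval_cv']:.3f}) via {', '.join(f['processes'])}")
```

On the constructed sample this reports only 10.0.0.15, which hits one spreadsheet every five minutes from an unfamiliar binary. Cadence alone is not proof: legitimate integrations poll sheets on timers too, so the allowlist (or a review of the process and account making the calls) is what keeps this from paging on every scheduled report, and any match should be checked against the IoC list Google published for UNC2814 infrastructure.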
UNC2814 is a relatively well-known threat actor, with reports of its activity
dating back to 2017 and possibly earlier.
The campaign started in 2023 and affected at least 53 organizations in 42
countries. Google suspects that UNC2814 is present in at least 20 more
countries. Most of Latin America, Eastern Europe, Russia, parts of Africa and
parts of South Asia seem to have been hit. With the exception of Portugal,
Western Europe is mostly unscathed, and the US was also untouched.
As part of the disruption efforts, Google terminated all Google Cloud Projects
the attackers controlled, severing their persistent access to environments
compromised by GridTide. It identified and disabled all known UNC2814
infrastructure, disabled attacker accounts, and revoked the attackers' access
to the Google Sheets API. Finally, it released a set of IoCs linked to UNC2814
infrastructure active since at least 2023.
https://www.techradar.com/pro/security/google-takes-down-telecom-hackers-using-sheets-and-saas-apps-to-spread-mayhem
$$
--- SBBSecho 3.28-Linux
* Origin: Capitol City Online (1:2320/105)
-----------------------------------------------------------