There is a certain grim ingenuity in hiding a global espionage operation inside a spreadsheet. Yet that is precisely what a suspected Chinese government-linked hacking group, tracked by Google as UNC2814, managed to do for years, burrowing into telecommunications providers and government agencies across four continents while routing their covert instructions through one of the most mundane tools in the modern office: Google Sheets.
Google's Threat Intelligence Group (GTIG), working alongside Mandiant and unnamed industry partners, announced on Wednesday that it had dismantled UNC2814's operational infrastructure after confirming the scale of the campaign was far larger than initially understood. As of 18 February, the investigation confirmed that UNC2814 had impacted 53 victims in 42 countries across four continents, with suspected infections identified in at least 20 more countries. Google described UNC2814 as one of the "most far-reaching, impactful campaigns" its teams had encountered in recent years.
The centrepiece of the operation was a custom-built piece of malware Mandiant has named GRIDTIDE. GRIDTIDE is a sophisticated C-based backdoor capable of executing arbitrary shell commands and transferring files; it treats a Google Sheets document not as a document at all, but as a communication channel for passing raw data and instructions. The elegance of the approach, from an attacker's perspective, is that traffic to Google's servers looks entirely routine to most enterprise security tools. As one security researcher put it, the backdoor's abuse of legitimate API calls to function as its command-and-control channel allows it to "slip past the triggers defenders rely on" by hiding inside the same cloud application patterns that security teams are accustomed to seeing.
The technical execution was methodical. Investigators found a binary named xapt, designed to masquerade as the apt package manager on Debian-based Linux systems, that had already escalated to root and was running shell commands to confirm its access level. From that foothold the actors moved laterally over SSH, used living-off-the-land binaries for reconnaissance, and installed GRIDTIDE as a systemd service for persistence, launched in a way that kept it running after the session closed. SoftEther VPN Bridge was then deployed to open an outbound encrypted tunnel to an external address; configuration metadata suggested that particular infrastructure had been in use since July 2018. For a defender, the unit file and the look-alike binary name are the concrete host artefacts worth hunting for, since the network side is designed to look like ordinary Google traffic.
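The host-side artefacts described above (a service unit whose ExecStart points somewhere unusual, and a binary whose name apes a package manager) are the easiest things to triage at scale. The script below is an added example, not GRIDTIDE code and not Google's or Mandiant's detection content: it parses systemd unit text and flags the two patterns. The unit files, the trusted-directory list and the name-similarity rule are constructed assumptions for illustration.

```python
"""
Triage systemd unit files for the persistence pattern described in the
article. Added example; not part of the original page. Unit texts below
are constructed, and TRUSTED_DIRS / MIMIC_TARGETS are assumptions.
"""
import re
from pathlib import PurePosixPath

# Assumption: package-managed executables normally live under these roots.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                "/usr/lib", "/usr/libexec", "/lib/systemd")

# Assumption: tool names an impostor binary might borrow ("xapt" vs "apt").
MIMIC_TARGETS = ("apt", "apt-get", "dpkg", "yum", "dnf")


def parse_unit(text):
    """Return the [Service] section as a dict (last value wins)."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "Service" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def exec_path(exec_start):
    """First token of ExecStart, minus systemd's prefix chars (- @ + ! :)."""
    token = exec_start.split()[0] if exec_start else ""
    return token.lstrip("-@+!:")


def looks_like_mimic(basename):
    """True if basename resembles a real tool name but is not identical to it."""
    for real in MIMIC_TARGETS:
        if basename != real and real in basename and len(basename) - len(real) <= 2:
            return real
    return None


def triage_unit(name, text):
    """Return a list of finding strings for one unit; empty means nothing odd."""
    findings = []
    path = exec_path(parse_unit(text).get("ExecStart", ""))
    if not path:
        return findings
    p = PurePosixPath(path)
    parent = str(p.parent)
    if not any(parent == d or parent.startswith(d + "/") for d in TRUSTED_DIRS):
        findings.append(f"{name}: ExecStart outside package-managed paths: {path}")
    real = looks_like_mimic(p.name)
    if real:
        findings.append(f"{name}: binary name '{p.name}' resembles system tool '{real}'")
    return findings


# Constructed sample units (not recovered from any real incident).
SUSPECT_UNIT = """\
[Unit]
Description=APT update helper

[Service]
ExecStart=/var/tmp/.cache/xapt
Restart=always
User=root

[Install]
WantedBy=multi-user.target
"""

BENIGN_UNIT = """\
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for unit_name, body in (("xapt.service", SUSPECT_UNIT), ("ssh.service", BENIGN_UNIT)):
        for finding in triage_unit(unit_name, body) or [f"{unit_name}: no findings"]:
            print(finding)
```

On a real host you would feed it the contents of /etc/systemd/system and the per-user unit directories, and treat a hit as a prompt to pull the binary, check its hash against the package database, and look for the outbound tunnel described next; the path and name heuristics are deliberately crude and will want tuning for systems with custom deployment paths.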

The question of intent is where the intelligence picture sharpens considerably. The attackers planted GRIDTIDE on endpoints holding personally identifiable information including full names, phone numbers, dates of birth, voter IDs and national ID numbers; Google assessed this targeting was consistent with cyber-espionage activity in telecommunications primarily aimed at identifying, tracking and monitoring persons of interest. GTIG tech lead Dan Perez told The Register that previous PRC-nexus espionage intrusions against telcos had targeted individuals and organisations for surveillance efforts, particularly dissidents and activists as well as traditional espionage targets, and that the access UNC2814 achieved would likely enable exactly this kind of operation.
For Australian readers, it would be tempting to treat this as a story about distant networks. It is not. Australia's spy chief warned in November 2025 that hackers working for China's government and military had probed the country's telecommunications network and key infrastructure. ASIO Director-General Mike Burgess stated specifically that Salt Typhoon had "been probing our telecommunication networks here in Australia too." While UNC2814 is a separate and distinct group, the broader pattern is unmistakable: Beijing-linked actors are systematically probing the telecommunications infrastructure of governments aligned with Washington, and Australia sits squarely in that category. Burgess estimated that espionage had cost Australia $12.5 billion in a single year, including $2 billion in stolen trade secrets and intellectual property.
It is worth being precise about what GTIG did and did not find. While no direct exfiltration was observed during this particular campaign, UNC2814 could have leveraged such access to monitor communications, including call records and SMS messages, for surveillance and intelligence-gathering purposes. Google was also careful to note that UNC2814 has no observed overlaps with the activity publicly reported as Salt Typhoon, targeting different victims globally using distinct tactics, techniques and procedures. That distinction matters operationally: defenders hunting one group's infrastructure cannot assume they will catch the other.
From a national security perspective, the GRIDTIDE campaign illustrates a strategic tension that Australian policymakers have been slow to fully confront. The private sector, in this case Google, detected and disrupted a state-sponsored espionage campaign that governments likely would not have caught in time on their own. The company terminated all attacker-controlled Cloud Projects, working with partners to identify and disable known UNC2814 infrastructure, including sinkholing both current and historical domains used by the group. Google also released indicators of compromise associated with infrastructure the group had been using since 2023 and provided search queries that cloud security customers could use to scan for potential compromises. This kind of public-private threat disruption is increasingly the front line of national cyber defence.
Critics of this arrangement raise legitimate points. Relying on a single American technology company to police the infrastructure of a Chinese espionage operation spanning four continents creates its own accountability questions. Who sets the terms of engagement? What obligation does Google have to share intelligence with affected governments before acting, or to preserve forensic evidence in ways that could support legal or diplomatic responses? The Australian Signals Directorate and its partners in the Australian Security Intelligence Organisation have deep expertise in these matters, but the public record offers little visibility into how closely they coordinate with companies like Google when campaigns of this nature are detected and disrupted.
Google itself warned that while the infrastructure takedown significantly degrades UNC2814's current capabilities, the group is likely to attempt to re-establish its global foothold. GTIG assessed the actor will probably attempt to reconstitute operations using new cloud accounts and alternate SaaS platforms. The tools will change; the intent will not. For Australia's telecommunications sector and its government agencies, the practical implication is that monitoring for anomalous cloud API usage (servers reaching SaaS endpoints they have no business reason to use, especially on a regular cadence) and auditing service account permissions are no longer optional hygiene measures. They are baseline requirements in an era when a spreadsheet can be a weapon.
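The point made earlier that GRIDTIDE's traffic looks routine, and the recommendation here to watch for anomalous cloud API usage, come down to the same hunt: which hosts are polling a SaaS API they have no reason to touch, and at what cadence. The script below is an added example, not Google's or Mandiant's detection content, showing one way to do that over egress proxy logs. The log lines are constructed, and the server subnet, endpoint list and thresholds are assumptions that would be tuned per environment.

```python
"""
Beacon hunt over egress proxy logs for SaaS-API command-and-control of the
kind described in the article (a backdoor polling Google Sheets). Added
example, not from the original page. Log lines are constructed; the
server subnet, API host list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: servers live in 10.20.0.0/16 and should not be using Sheets/Docs/Drive.
SERVER_NET = ip_network("10.20.0.0/16")
API_HOSTS = {"sheets.googleapis.com", "docs.googleapis.com", "drive.googleapis.com"}
MIN_HITS = 5        # fewer requests than this is not enough to judge cadence
MAX_JITTER = 0.15   # pstdev/mean of inter-request gaps; low means clockwork polling

# Constructed proxy log: "<iso-timestamp> <src-ip> <dst-host> <status> <method>".
SAMPLE_LOG = """\
2025-02-10T09:00:00Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:00:11Z 10.50.3.7 sheets.googleapis.com 200 CONNECT
2025-02-10T09:01:30Z 10.20.9.9 sheets.googleapis.com 200 CONNECT
2025-02-10T09:00:00Z 10.20.9.9 sheets.googleapis.com 200 CONNECT
2025-02-10T09:05:02Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:09:58Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:12:00Z 10.20.7.3 drive.googleapis.com 200 CONNECT
2025-02-10T09:15:01Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:20:00Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:24:59Z 10.20.5.14 sheets.googleapis.com 200 CONNECT
2025-02-10T09:30:00Z 10.20.9.9 sheets.googleapis.com 200 CONNECT
2025-02-10T09:31:00Z 10.20.9.9 sheets.googleapis.com 200 CONNECT
2025-02-10T09:40:00Z 10.20.7.3 drive.googleapis.com 200 CONNECT
2025-02-10T10:45:00Z 10.20.9.9 sheets.googleapis.com 200 CONNECT
2025-02-10T11:00:00Z 10.20.5.14 api.github.com 200 CONNECT
"""


def parse_log(log):
    """Yield (timestamp, src_ip, dst_host) tuples from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, *_ = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def jitter(times):
    """Coefficient of variation of the gaps between sorted timestamps, or None."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def hunt(log):
    """Return alerts for server hosts polling a watched API host on a steady cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log):
        if dst in API_HOSTS and ip_address(src) in SERVER_NET:
            by_pair[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in sorted(by_pair.items()):
        times.sort()
        if len(times) < MIN_HITS:
            continue
        j = jitter(times)
        if j is not None and j <= MAX_JITTER:
            alerts.append({"src": src, "dst": dst, "hits": len(times), "jitter": round(j, 3)})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"{alert['src']} -> {alert['dst']}: {alert['hits']} hits, jitter {alert['jitter']}")
```

In the sample, 10.20.5.14 polls sheets.googleapis.com roughly every five minutes and is flagged; 10.20.9.9 hits the same endpoint but irregularly and is not; the workstation at 10.50.3.7 is out of scope by subnet; and the drive traffic from 10.20.7.3 is below the hit threshold. The complementary control the paragraph names, auditing which service accounts can reach which APIs at all, is what turns a finding like this into a containment action.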
The UNC2814 disruption is, in one sense, a success story: a threat was identified, industry partners acted, and 53 victim organisations were notified. But the same disclosure reveals that a sophisticated adversary operated undetected across 42 countries for years, and that its full reach almost certainly extends further. Reasonable people can debate how much of the credit belongs to Google's commercial threat intelligence apparatus versus the collective investment of Five Eyes governments in signals capability and cyber resilience. What is harder to debate is the conclusion: the telecommunications networks that carry Australian private and government communications are a persistent target, and the defences protecting them need to be commensurate with that reality.