The scale of the operation was striking. A Chinese-linked hacking group quietly penetrated 53 organisations across 42 countries over nearly a decade, using a tool as ordinary as Google Sheets to hide its tracks. On Wednesday, Google announced it had disrupted that network, terminating the cloud projects, disabling the internet infrastructure, and shutting down the accounts the group had relied on to conduct what one Google analyst described as a vast global surveillance apparatus.
The group, known in threat intelligence circles as UNC2814 or Gallium, has a history stretching back roughly nine years, with a focus on government agencies and telecommunications companies. Google shared its findings exclusively with Reuters ahead of publication.

John Hultquist, chief analyst with Google Threat Intelligence Group, put it plainly: "This was a vast surveillance apparatus used to spy on people and organisations throughout the world." His colleague Charley Snyder confirmed the group had verified access in 53 entities, with potential reach into at least 22 additional countries at the moment Google moved to shut the operation down.
The method the group used to avoid detection is worth understanding. By routing its targeting and data theft operations through Google Sheets, Gallium was able to blend its malicious traffic into the kind of everyday cloud activity that security filters routinely ignore. Google was careful to clarify this was not a compromise of any Google product; the attackers were simply exploiting the trusted reputation of a widely used platform as camouflage.
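Traffic to a trusted SaaS domain passes reputation-based filtering by design, so a defender has to look at behaviour rather than destination: a compromised host polling a sheet as a command channel tends to produce evenly spaced, similarly sized requests, while a person editing a spreadsheet does not. The script below is an added illustration of that idea, written for this article rather than taken from it or from Google's report. The proxy log format, host names, thresholds and the list of watched domains are all constructed assumptions; the technique is ordinary interval and size analysis per host and domain pair.

```python
"""
Flag beacon-like use of trusted SaaS endpoints in proxy logs.

Added example for illustration; not code from the article or from
Google. Log format, hosts, domains and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per request:
# "<ISO timestamp> <src_host> <dst_domain> <bytes_out> <bytes_in>"
# ws-07 polls the Sheets API every ~5 minutes with near-constant sizes;
# ws-03 is a person working interactively (bursty, variable sizes).
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-07 sheets.googleapis.com 612 1480
2024-03-01T09:02:10 ws-03 sheets.googleapis.com 15200 2100
2024-03-01T09:02:45 ws-03 sheets.googleapis.com 300 44000
2024-03-01T09:05:01 ws-07 sheets.googleapis.com 614 1480
2024-03-01T09:10:00 ws-07 sheets.googleapis.com 611 1480
2024-03-01T09:11:30 ws-03 sheets.googleapis.com 1200 9300
2024-03-01T09:12:05 ws-03 sheets.googleapis.com 880 5100
2024-03-01T09:14:59 ws-07 sheets.googleapis.com 613 1480
2024-03-01T09:20:02 ws-07 sheets.googleapis.com 612 1480
2024-03-01T09:25:00 ws-07 sheets.googleapis.com 615 1480
2024-03-01T09:29:58 ws-07 sheets.googleapis.com 612 1480
2024-03-01T09:35:01 ws-07 sheets.googleapis.com 613 1480
2024-03-01T09:40:00 ws-07 sheets.googleapis.com 611 1480
2024-03-01T09:40:12 ws-03 sheets.googleapis.com 7800 3100
2024-03-01T09:41:00 ws-03 sheets.googleapis.com 420 2900
2024-03-01T09:45:02 ws-07 sheets.googleapis.com 614 1480
2024-03-01T10:15:33 ws-03 sheets.googleapis.com 2600 18000
2024-03-01T10:16:10 ws-03 sheets.googleapis.com 310 700
2024-03-01T10:58:44 ws-03 sheets.googleapis.com 9100 3600
2024-03-01T10:59:00 ws-03 updates.example.internal 500 90000
"""

# Assumed: trusted SaaS endpoints that reputation filters will not block.
WATCHED_DOMAINS = {"sheets.googleapis.com", "docs.google.com"}


def parse_log(text):
    """Group requests to watched domains by (src_host, dst_domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, b_out, b_in = line.split()
        if domain not in WATCHED_DOMAINS:
            continue
        events[(host, domain)].append(
            (datetime.fromisoformat(ts), int(b_out), int(b_in)))
    return events


def beacon_score(rows, min_events=8, max_interval_cv=0.15, max_size_cv=0.20):
    """Return (is_beacon_like, details) for one host/domain series.

    A series is beacon-like when it has enough requests and both the
    inter-request interval and the request size have a low coefficient
    of variation (stdev / mean). Thresholds are assumed starting points.
    """
    if len(rows) < min_events:
        return False, {}
    rows = sorted(rows)
    intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
    sizes = [r[1] for r in rows]
    mean_int, mean_size = mean(intervals), mean(sizes)
    interval_cv = pstdev(intervals) / mean_int if mean_int else float("inf")
    size_cv = pstdev(sizes) / mean_size if mean_size else float("inf")
    details = {
        "events": len(rows),
        "mean_interval_s": round(mean_int, 1),
        "interval_cv": round(interval_cv, 3),
        "size_cv": round(size_cv, 3),
    }
    return (interval_cv <= max_interval_cv and size_cv <= max_size_cv), details


def find_beacon_like(text):
    """Return [(host, domain, details)] for series that look like beacons."""
    flagged = []
    for (host, domain), rows in parse_log(text).items():
        is_beacon, details = beacon_score(rows)
        if is_beacon:
            flagged.append((host, domain, details))
    return sorted(flagged)


if __name__ == "__main__":
    for host, domain, details in find_beacon_like(SAMPLE_LOG):
        print(f"beacon-like: {host} -> {domain} {details}")
```

In production this would run over a day or more of proxy or DNS telemetry per source, with the thresholds tuned against the organisation's own baseline; the point is that the destination stays allowed, and the alert comes from the rhythm of the traffic and the identity of the host making it.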
In at least one confirmed breach, the group installed a backdoor that Google's researchers have named GRIDTIDE on a system holding highly sensitive personal records: full names, phone numbers, dates of birth, places of birth, voter identification numbers, and national ID numbers. The breadth of that data points to an operation less interested in financial gain and more focused on identifying and tracking specific individuals.
Snyder indicated the group's methods aligned with well-documented patterns of state-adjacent cyber espionage. "Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco's lawful intercept capabilities," he said. In plain terms, that means governments or affiliated actors potentially using a carrier's own legal interception systems against the people those systems are supposed to protect.
A Separate Campaign, But a Familiar Pattern
Google was explicit that Gallium's activity is distinct from Salt Typhoon, the separate Chinese hacking campaign that the US government has linked to hundreds of breached American organisations and several prominent political figures. The fact that two significant Chinese-attributed hacking operations are now publicly identified running in parallel raises questions about the overall scale of state-sponsored cyber activity, and the degree to which Western governments and their partners have visibility over it.
The Australian Signals Directorate has previously warned Australian organisations about the threat posed by state-sponsored actors targeting critical infrastructure and government systems. Telecommunications companies in particular have been flagged as high-value targets given the intelligence value of the data they hold.
China's embassy in Washington offered a rebuttal through spokesperson Liu Pengyu, who said Beijing "consistently opposes and combats hacking activities in accordance with the law" and rejected what he characterised as attempts to use cybersecurity issues to "smear or slander China." The statement called for dialogue and cooperation rather than attribution and blame. It is a response consistent with Beijing's long-standing position on such allegations, and one that neither confirms nor meaningfully addresses the technical evidence Google presented.
What This Means Beyond the Headlines
For policymakers and business leaders, the Gallium case highlights a persistent tension in the cybersecurity debate. On one side, there is a legitimate argument that naming and disrupting state-linked hacking groups is essential for accountability, deters future attacks, and gives organisations the specific threat intelligence they need to defend themselves. The Australian Cyber Security Centre has taken a similarly active posture in recent years, issuing joint advisories with Five Eyes partners on Chinese and Russian cyber threats.
On the other side, critics of aggressive public attribution argue it risks diplomatic escalation without always producing the behavioural change it seeks. No major state actor has materially curtailed its cyber operations in response to public exposure alone. The disruption Google executed this week is operationally significant, but the underlying capability, and the intent behind it, almost certainly remains intact.
Strip away the technical detail and the core issue is straightforward: a hacking group with apparent ties to a foreign government spent the better part of a decade quietly collecting sensitive personal data on people in dozens of countries. Private sector companies are now doing much of the work that governments struggle to execute at speed. That is genuinely useful, and it deserves recognition. Whether it amounts to a lasting deterrent is a harder question, and one that reasonable analysts continue to disagree on. What the Gallium disruption does confirm is that the threat is real, global, and ongoing. For Australian organisations in the government, telecommunications, and critical infrastructure sectors, that is the message that matters most.