The Spreadsheet Spy: How a Decade-Long Chinese Espionage Campaign Used Google Sheets as Command-and-Control to Evade Defenders Worldwide
A cyber-espionage campaign that went undetected for roughly a decade has now been exposed across dozens of countries. Google and Mandiant have announced the disruption of a large operation run by the China-linked group UNC2814, whose targets were mainly telecommunications providers and government organizations around the world.
According to Google Threat Intelligence, the investigation confirmed 53 distinct intrusions in 42 countries, with signs of activity in at least 20 more. Although the group has been active for at least ten years, and tracked by Google since 2017, analysts stress that UNC2814 is a separate actor from the previously documented Salt Typhoon campaign and uses different tooling and tradecraft.
The centerpiece of the toolset is a previously undocumented backdoor named GRIDTIDE. Written in C, it lets the operators run arbitrary commands and transfer files in both directions on a compromised host. Its command-and-control (C2) design is the notable part: rather than the usual attacker-run servers, the malware used Google Sheets as its channel, sending and retrieving tasking through API calls so that its traffic looked like ordinary use of a cloud productivity tool.
Crucially, the attackers did not exploit any vulnerability in Google's software; they abused legitimate functionality of the cloud service. To network monitoring, the traffic looked like routine requests to the spreadsheet service, which made it hard to spot. The practical consequence for defenders is that domain reputation and destination-based blocking give almost no signal here; what stands out is a server with no business editing spreadsheets calling the Sheets API on a schedule.
The investigation began with an alert on a CentOS server, where analysts found a suspicious executable at /var/tmp/xapt. The binary spawned a root shell and ran a check confirming it had full root privileges. The name "xapt" was chosen to blend in with the apt package tool of Debian-based distributions, which is itself a tell on a CentOS host, where the native package manager is yum or dnf.
Once inside a network, the actors moved laterally over SSH, escalated privileges, and kept GRIDTIDE persistent through system services. For encrypted outbound connections they deployed SoftEther VPN Bridge, on infrastructure whose configuration data suggest it has been in use since 2018.
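The host-side traces described in the two paragraphs above (an executable dropped in /var/tmp under a look-alike name, a system service pointing at it, and SoftEther VPN Bridge on disk) can be hunted for with a short script. The following is an added example written for this article, not code from Google, Mandiant or the report; the list of imitated utility names, the systemd unit directories searched and the SoftEther file names (vpnbridge, vpn_bridge.config) are assumptions to verify against your own hosts, and the filesystem it scans in the demo is constructed in a temporary directory.

```python
"""Hunt for the on-disk traces described above: executables in temp directories
(flagging names that shadow system utilities), systemd units whose ExecStart
points into a temp directory, and SoftEther VPN Bridge artifacts.
Everything is parameterised by a root so it can run against a constructed tree."""
import os
import stat
import tempfile

TMP_DIRS = ("tmp", "var/tmp", "dev/shm")                      # where /var/tmp/xapt sat
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system",   # systemd unit search path
             "run/systemd/system")
# Assumed list of utilities an attacker might imitate; only apt/xapt is on the page.
SYSTEM_UTILS = ("apt", "yum", "dnf", "rpm", "dpkg", "sshd", "crond")
# Assumed SoftEther VPN Bridge file names (binary and config); verify against the release in use.
SOFTETHER_NAMES = ("vpnbridge", "vpn_bridge.config")
VPN_SEARCH_DIRS = ("opt", "usr/local", "home", "root", "tmp", "var/tmp")


def is_executable(path):
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def lookalike(name):
    """Return the utility name that `name` imitates ('xapt' -> 'apt'), else None."""
    for util in SYSTEM_UTILS:
        if util in name and name != util:
            return util
    return None


def exec_start_target(unit_text):
    """First argv token of ExecStart=, after systemd's -, @, :, +, ! prefix characters."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            cmd = line.split("=", 1)[1].strip().lstrip("-@:+!")
            return cmd.split()[0] if cmd else None
    return None


def in_tmp(path):
    return any(path.startswith("/" + d + "/") for d in TMP_DIRS)


def hunt(root="/"):
    findings = []
    for rel in TMP_DIRS:                                      # 1. executables in temp dirs
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for f in files:
                p = os.path.join(dirpath, f)
                if is_executable(p):
                    hit = lookalike(f)
                    findings.append({"type": "exec_in_tmp", "path": p,
                                     "note": f"resembles '{hit}'" if hit else "executable in temp dir"})
    for rel in UNIT_DIRS:                                     # 2. persistence units run from temp
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for f in files:
                if not f.endswith(".service"):
                    continue
                p = os.path.join(dirpath, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    target = exec_start_target(fh.read())
                if target and in_tmp(target):
                    findings.append({"type": "unit_from_tmp", "path": p, "note": f"ExecStart={target}"})
    for rel in VPN_SEARCH_DIRS:                               # 3. SoftEther VPN Bridge files
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for f in files:
                if f in SOFTETHER_NAMES:
                    findings.append({"type": "softether_artifact", "path": os.path.join(dirpath, f),
                                     "note": "SoftEther VPN Bridge file name"})
    return findings


def build_demo_tree():
    """Constructed filesystem for the demo; not an image of any real host."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")

    def put(rel, text, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
        os.chmod(p, mode)

    put("var/tmp/xapt", "#!/bin/sh\n:\n", 0o755)             # look-alike name from the report
    put("tmp/notes.txt", "harmless\n")                        # non-executable, must not fire
    put("etc/systemd/system/demo-persist.service",            # made-up unit name for the demo
        "[Service]\nExecStart=-/var/tmp/xapt --daemon\n")
    put("etc/systemd/system/sshd.service",                    # benign unit, must not fire
        "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    put("opt/vpnbridge/vpnbridge", "\x7fELF", 0o755)          # SoftEther file name
    return root


if __name__ == "__main__":
    for hit in hunt(build_demo_tree()):
        print(f"{hit['type']:20} {hit['path']}  ({hit['note']})")
```

Run it with `hunt("/")` as root on a live host. The three checks are deliberately independent: an executable in /var/tmp is worth a look even under an innocuous name, and a unit whose ExecStart points into a temp directory is suspicious regardless of what the binary is called.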
In one case the malware was placed on a host holding sensitive personally identifiable information (PII): full names, telephone numbers, dates of birth, national identification numbers and voter registration data. That interest in granular personal data is typical of telecommunications espionage, which historically ends in the theft of call records, the interception of unencrypted SMS and the abuse of lawful intercept systems.
GRIDTIDE's operating logic was methodical. On startup it cleared the first rows of the target spreadsheet to erase earlier tasking, collected host telemetry such as the username, OS details and local IP addresses, and wrote that data to a designated cell. Commands were read from a single designated cell, while output and exfiltrated data were spread across a range of other cells, with all content encoded in a modified Base64 scheme. One consequence of the non-standard encoding is that a stock Base64 decoder will not recover the cell contents; analysts working from captured sheet data need the variant from the sample.
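The network side of this channel, described in the paragraph on the Sheets-based C2 above and in the operating logic just described (clear rows, write telemetry, read a command cell), leaves a pattern in web-proxy logs even though every request goes to a legitimate Google endpoint. The following detection is an added example written for this article, not code from the report; it assumes the public Google Sheets REST v4 path shape (`/v4/spreadsheets/{id}/values/...`, with `:clear` for bulk erase), which the page does not say GRIDTIDE used verbatim, assumes a server address range of 10.20.0.0/16, and runs over constructed proxy lines rather than real traffic.

```python
"""Detection over web-proxy logs for the C2 pattern described above: a server
host contacting the Google Sheets API on a schedule and, on each contact,
clearing, writing and reading cells of the same spreadsheet."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumption for this example: servers live here and have no reason to edit spreadsheets.
SERVER_NETS = (ipaddress.ip_network("10.20.0.0/16"),)
# Sheets REST v4 values path; which calls GRIDTIDE actually made is not stated on the page.
SHEETS_RE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/?]+)/values")


def classify(method, url):
    """Map one request to (spreadsheet_id, op), or None if it is not a Sheets values call."""
    m = SHEETS_RE.match(url)
    if not m:
        return None
    path = url.split("?", 1)[0]
    if path.endswith(":clear"):
        op = "clear"           # bulk erase of a range (the "purge the first rows" step)
    elif method == "GET":
        op = "read"            # fetch a cell (command pickup)
    elif method in ("PUT", "POST"):
        op = "write"           # update cells (telemetry / output)
    else:
        op = method.lower()
    return m.group(1), op


def parse(log_text):
    """Lines are 'ISO-timestamp src-ip METHOD url' (a constructed format for the demo)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split(" ", 3)
        c = classify(method, url)
        if c:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((when, src, c[0], c[1]))
    return events


def session_starts(times, gap_s=5.0):
    """Collapse a burst of requests (the clear/write/read triplet) into one contact."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap_s:
            starts.append(t)
        last = t
    return starts


def hunt(log_text, min_contacts=3, max_cv=0.2):
    """Flag (source, spreadsheet) pairs that match at least two of three indicators."""
    groups = defaultdict(list)
    for when, src, sid, op in parse(log_text):
        groups[(src, sid)].append((when, op))
    findings = []
    for (src, sid), evs in groups.items():
        starts = session_starts([w for w, _ in evs])
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        ops = {op for _, op in evs}
        reasons = []
        if any(ipaddress.ip_address(src) in n for n in SERVER_NETS):
            reasons.append("server host calling the Sheets API")
        if {"clear", "write", "read"} <= ops:
            reasons.append("clear/write/read cycle on one spreadsheet")
        if len(starts) >= min_contacts and cv is not None and cv <= max_cv:
            reasons.append(f"{len(starts)} contacts at regular intervals (cv={cv:.2f})")
        if len(reasons) >= 2:
            findings.append({"src": src, "spreadsheet": sid, "contacts": len(starts),
                             "cv": cv, "reasons": reasons})
    return findings


def constructed_log():
    """Sample proxy lines made up for this example; not from any real incident."""
    base = "https://sheets.googleapis.com/v4/spreadsheets/1aB3demoSheetId/values/"
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for cycle in range(4):                        # implant checks in every 60 s
        t = t0 + timedelta(seconds=60 * cycle)
        for off, method, tail in ((0, "POST", "Sheet1!A1%3AA20:clear"),
                                  (1, "PUT", "Sheet1!B1?valueInputOption=RAW"),
                                  (2, "GET", "Sheet1!A1")):
            stamp = (t + timedelta(seconds=off)).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{stamp} 10.20.5.17 {method} {base}{tail}")
    other = "https://sheets.googleapis.com/v4/spreadsheets/1zY9otherSheet/values/Sheet1!A1"
    for stamp in ("2024-03-01T10:00:05Z", "2024-03-01T10:07:30Z", "2024-03-01T10:31:12Z"):
        lines.append(f"{stamp} 10.50.3.8 GET {other}")   # analyst workstation, irregular reads
    lines.append("2024-03-01T10:02:40Z 10.50.3.8 GET https://docs.google.com/document/d/abc")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in hunt(constructed_log()):
        print(f"{f['src']} -> sheet {f['spreadsheet']}: " + "; ".join(f["reasons"]))
```

Requiring two of the three indicators keeps a single analyst's spreadsheet habit from paging anyone, while a server that hits one spreadsheet every minute with a clear/write/read triplet scores on all three. If the proxy strips URL paths, the first and third indicators (server source, regular cadence to sheets.googleapis.com) still work on their own and are worth alerting on at a lower severity.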
In response, Google has disabled all cloud projects under the attackers' control, cutting their standing access to compromised environments. Together with international partners, the company has taken down known UNC2814 infrastructure and seized the associated domains. The attackers' accounts and their access to the Google Sheets C2 channel have been revoked, and affected organizations have been notified.
Google has also published a set of indicators of compromise (IoCs) going back to 2023. Its assessment is that while access of this breadth took years to build and will not be quickly rebuilt, UNC2814 will undoubtedly try to re-establish its footholds.