BLACKWIRE

China's Hackers Used Google Sheets as Their Command Center. Google Just Shut Them Down.


For years, a China-linked espionage group called UNC2814 hid malicious traffic inside legitimate Google Sheets API calls. When Google finally moved against them, it had to kill its own infrastructure to do it.

BY PRISM / BLACKWIRE TECH BUREAU   |   MARCH 2, 2026

The breach notifications will start arriving in 42 countries this week. Governments in Africa, Asia, and Latin America. Telecom carriers across four continents. At least 53 confirmed victims, potentially dozens more - all penetrated by a single China-linked threat group that Google's threat intelligence team tracks as UNC2814, using a backdoor named GRIDTIDE.

What makes this campaign remarkable is not its scale, though the scale is significant. It is the method. UNC2814 did not build dedicated C2 servers. They did not run dark-web infrastructure or route traffic through bulletproof hosting. They used Google Sheets.

Specifically, they wrote a novel backdoor - GRIDTIDE - that communicated with attacker-controlled Google Sheets through the Google Sheets API. Every tasking sent to a compromised system and every chunk of exfiltrated data travelled as an ordinary, TLS-encrypted request to Google's API endpoints. To a network monitoring tool watching for suspicious outbound connections, the traffic was indistinguishable from a finance team updating a budget document.

Key figures: 53 confirmed victims. 42 countries breached. UNC2814 first tracked in 2017.

THE PROBLEM WITH BLOCKING GOOGLE

This is the core dilemma that makes "living off the cloud" attacks so dangerous. You cannot block traffic to Google's API endpoints without also breaking your organization's legitimate use of Google Workspace: the Sheets API endpoint is shared by every add-on, Apps Script project and BI connector that reads or writes spreadsheets, and an organization that does block it has only pushed the attacker to the next Google API it still allows. The same applies to Slack, Dropbox, OneDrive, and any other SaaS platform with a public API. Attackers have figured this out and are exploiting it systematically.

UNC2814 is hardly the first group to use this technique, but the scale and duration of GRIDTIDE's deployment - active since at least 2023 based on Google's released indicators of compromise - demonstrate how effective the approach is. For potentially three years, a state-sponsored espionage campaign ran its command infrastructure through a product used by billions of people every day.

"Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate." - Google Threat Intelligence Group

The disclosure is notable for what Google is explicitly saying here: this is not a vulnerability in Google Sheets. The API worked exactly as designed. The problem is that the design of modern cloud platforms - open APIs, legitimate-looking traffic, authentication of accounts rather than of intent - is structurally exploitable for C2 purposes. The attacker's own account is a perfectly valid API client, and nothing in the protocol distinguishes a spreadsheet of budget lines from a spreadsheet of tasking.


HOW GOOGLE DISMANTLED IT

The takedown required Google to act against its own infrastructure. GTIG, working with Mandiant and industry partners, terminated every Google Cloud Project controlled by UNC2814, sinkholed current and historical C2 domains, disabled the attacker accounts, and revoked the Google Sheets API access that GRIDTIDE was using for command-and-control. The initial detection came from a Mandiant investigation that flagged suspicious activity on a CentOS server: a binary called xapt, a name evidently chosen to blend in with the Debian package manager apt - although apt does not belong on a CentOS host at all, which uses yum and dnf, so the name was itself a tell - that had escalated to root and was running system reconnaissance.

Google confirmed the disruption as of February 18, 2026. The timing of the public disclosure now - nearly two weeks later - suggests the window for victim notification and infrastructure cleanup was deliberate.


NOT SALT TYPHOON. A DIFFERENT THREAT.

Google is being precise about one thing: UNC2814 is distinct from Salt Typhoon, the China-linked group that dominated cybersecurity headlines through 2025 for penetrating US telecom carriers. Different targets, different TTPs, different operational fingerprint. The public conflation of all Chinese state-sponsored hacking into a single actor is a persistent problem in threat intelligence reporting, and it matters operationally - defenders need accurate attribution to correlate indicators and patch the right gaps.

GRIDTIDE appears to focus heavily on Africa and Asia - regions whose organizations often lack the security operations maturity to detect these intrusions independently. The 20 further suspected infections, in countries beyond the 42 confirmed, likely represent places where the GRIDTIDE implant may still be active. Being on the wrong side of a Google takedown tells you something was there. It does not tell you what they took before they left, and a disrupted C2 channel is not remediation: the implant and whatever persistence it established remain on the host until it is investigated and rebuilt.

THE SECOND-ORDER PROBLEM

The more important question this campaign raises is not about UNC2814 specifically. It is about the entire class of attack. If one China-linked group ran a three-year global espionage campaign through Google Sheets, how many others are running similar infrastructure through Microsoft OneDrive, Notion, Airtable, or GitHub? The technique is well documented in threat research circles - MITRE ATT&CK catalogues it as T1102, Web Service, with bidirectional C2 over a legitimate service as T1102.002 - and the bar to replication is low.

The traditional perimeter security model - block bad IPs, monitor for anomalous outbound traffic - has no answer for C2 traffic that is, at the network layer, structurally indistinguishable from legitimate SaaS usage. Tenant-side audit logs do not help either: the spreadsheets belonged to the attacker's accounts, not the victim's Workspace tenant, so nothing the victim administers ever recorded the tasking. The only reliable detection is behavioral: which processes are initiating the API calls, under which user, at what cadence and with what volume, and whether that fits how people in the organization actually use the product. That requires endpoint visibility and correlation that most organizations - and certainly most government ministries in developing nations - do not have.
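As an added illustration, not part of the original article and not Google's or Mandiant's detection logic, the following Python sketch shows the behavioral correlation that paragraph calls for, run over constructed process-attributed connection records of the kind an EDR or eBPF sensor emits. The record format, hostnames, process names, the client allowlist, the watched API destinations and the cadence threshold are all assumptions chosen for the example; the only thing borrowed from the article is the idea of a stray package-manager-like binary on a CentOS box.

```python
"""Behavioural detection for SaaS-API command-and-control (added example).

Two signals network-only tooling cannot produce, both keyed on the
process that opened the connection rather than on the destination:

  1. Unexpected initiator: a Google API destination reached by a process
     that is not a browser or a known integration on that class of host.
  2. Beaconing: inter-arrival times too regular for human spreadsheet use.

Field layout ("<iso ts> <host> <process> <user> <dst>") and all sample
records are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical allowlist of processes expected to talk to Google APIs.
EXPECTED_API_CLIENTS = {"chrome", "firefox", "gcloud", "rclone", "backup-agent"}
# Hypothetical watch list; the Sheets API v4 lives on sheets.googleapis.com.
WATCHED_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com", "www.googleapis.com"}


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str   # source host
    proc: str   # process image name that opened the socket
    user: str   # effective user of that process
    dst: str    # destination FQDN (from TLS SNI or DNS correlation)


def parse(line):
    ts, host, proc, user, dst = line.split()
    return Conn(datetime.fromisoformat(ts), host, proc, user, dst)


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; low means regular.

    Returns None when there are too few gaps to judge (< 3)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def detect(lines, max_cv=0.2):
    """Group connections by (host, proc, user, dst) and score each group.

    Severity is 'high' only when both signals fire: a scheduled, legitimate
    client also beacons, so regularity alone stays 'medium' for triage."""
    by_key = defaultdict(list)
    for line in lines:
        c = parse(line)
        if c.dst in WATCHED_HOSTS:
            by_key[(c.host, c.proc, c.user, c.dst)].append(c.ts)
    findings = []
    for (host, proc, user, dst), tss in by_key.items():
        tss.sort()
        reasons = []
        if proc not in EXPECTED_API_CLIENTS:
            reasons.append("unexpected initiator")
        cv = beacon_score(tss)
        if cv is not None and cv <= max_cv:
            reasons.append(f"beaconing (cv={cv:.2f}, n={len(tss)})")
        if reasons:
            findings.append({"host": host, "proc": proc, "user": user, "dst": dst,
                             "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "medium"})
    return findings


# Constructed telemetry: a finance workstation at human cadence, a CentOS
# server with an unknown root binary on a ~5-minute beacon, an hourly cron.
SAMPLE_LOG = [
    "2026-02-10T09:02:11 fin-ws-07 chrome alice sheets.googleapis.com",
    "2026-02-10T09:17:48 fin-ws-07 chrome alice sheets.googleapis.com",
    "2026-02-10T10:41:05 fin-ws-07 chrome alice sheets.googleapis.com",
    "2026-02-10T13:05:59 fin-ws-07 chrome alice sheets.googleapis.com",
    "2026-02-10T09:00:00 web-centos-3 xapt root sheets.googleapis.com",
    "2026-02-10T09:05:02 web-centos-3 xapt root sheets.googleapis.com",
    "2026-02-10T09:09:58 web-centos-3 xapt root sheets.googleapis.com",
    "2026-02-10T09:15:01 web-centos-3 xapt root sheets.googleapis.com",
    "2026-02-10T09:20:00 web-centos-3 xapt root sheets.googleapis.com",
    "2026-02-10T01:00:00 db-1 backup-agent backup www.googleapis.com",
    "2026-02-10T02:00:00 db-1 backup-agent backup www.googleapis.com",
    "2026-02-10T03:00:00 db-1 backup-agent backup www.googleapis.com",
    "2026-02-10T04:00:00 db-1 backup-agent backup www.googleapis.com",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["host"], f["proc"], f["user"], f["dst"], f["reasons"])
```

On the constructed data the browser traffic produces no finding (allowlisted client, irregular cadence), the xapt process is rated high (unknown initiator plus a near-perfect 300-second cadence), and the hourly backup job surfaces as medium on regularity alone. That last case is the caveat a practitioner wants: scheduled legitimate software beacons too, so the process allowlist and the cadence score have to be read together, and both need the endpoint to record which process opened each socket.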

UNC2814 understood this. They built a campaign around it and operated undisturbed for years. Google's disruption is significant. But the playbook they were running from is not going anywhere.
