Chinese Spies Turn Google Sheets Into Command-and-Control Infrastructure for Global Espionage Campaign
In what may be one of the most creative abuses of legitimate cloud services yet discovered, Chinese state-sponsored hackers have been using Google Sheets as command-and-control (C2) infrastructure to coordinate a global espionage campaign spanning four continents. Google's Threat Intelligence Group (GTIG), working with unnamed industry partners, has successfully disrupted the operation attributed to UNC2814, a Beijing-linked advanced persistent threat (APT) group that has been active since at least 2017.
The campaign demonstrates the evolving sophistication of nation-state threat actors who increasingly weaponize trusted SaaS platforms to evade traditional detection mechanisms. When your C2 traffic looks like routine API calls to Google Sheets, it becomes significantly harder for defenders to distinguish malicious activity from legitimate business operations.
The Scale: 53 Confirmed Victims Across 42 Countries
The scope of this espionage operation is staggering. As of February 18, 2026, GTIG's investigation confirmed:
- 53 confirmed victims in 42 countries across four continents
- At least 20 additional countries with suspected infections
- Primary targets: Telecommunications companies and government organizations
- Geographic spread: Americas, Asia, Africa, and likely other regions
- Active infrastructure dating back to July 2018
The victims span critical sectors, with telecommunications providers and government agencies representing the bulk of confirmed compromises. This targeting profile is consistent with Chinese intelligence collection priorities focused on strategic communications infrastructure and government networks.
Notably, GTIG confirmed that UNC2814 has no observed overlap with Salt Typhoon, the separate Beijing-backed group responsible for the massive breach of America's major telecommunications firms that began in 2019 and compromised data belonging to nearly every American. This suggests China is running multiple concurrent espionage operations against global telecom infrastructure using different teams and toolsets.
Meet UNC2814: A Veteran Chinese Espionage Group
UNC2814 has been on GTIG's radar since 2017, though the group's actual operational history may extend further back. The "UNC" designation (short for "uncategorized") indicates that while Google has tracked this cluster of activity for years, it hasn't been definitively merged with other publicly named APT groups.
Historical Tactics, Techniques, and Procedures (TTPs):
- Exploitation of web servers and edge systems for initial access
- Targeting of telecommunications and government sectors
- Focus on long-term persistent access rather than smash-and-grab operations
- Use of living-off-the-land techniques and legitimate tools to evade detection
The group's shift to using Google Sheets for C2 represents a tactical evolution consistent with broader trends in Chinese APT operations: increasingly sophisticated operational security and abuse of trusted cloud platforms to hide in plain sight.
The Technical Innovation: Weaponizing Google Sheets
The centerpiece of this campaign is Gridtide, a novel backdoor specifically designed to abuse Google Sheets API functionality for command-and-control purposes. This approach offers several significant advantages to the attackers:
Why Google Sheets Makes Perfect C2 Infrastructure
1. Trusted Domain
Google domains are allowlisted in virtually every corporate environment. Blocking googleapis.com (the Sheets API itself lives at sheets.googleapis.com) would break countless legitimate business applications, so defenders cannot block it at the perimeter without causing operational chaos.
2. Encrypted Communications
All traffic to the Sheets API uses HTTPS, so the C2 exchange is encrypted by default. Without TLS interception, defenders see only the destination hostname (from the SNI or certificate) and traffic volume; even where a proxy does decrypt the session, the content is ordinary Sheets API JSON that gives a defender little reason for suspicion.
3. API Rate Limits Are Generous
Google's API quotas for Sheets are sized for high-volume business integrations, leaving plenty of headroom for low-bandwidth C2 traffic without coming anywhere near the limits that would attract attention.
4. No Hosting Infrastructure Required
The attackers don't need to maintain their own command servers, register domains, or manage TLS certificates. Google provides the infrastructure, and it's free for basic use.
5. Difficult to Attribute
Google Sheets can be accessed from anywhere, making it challenging to trace back to specific threat actor infrastructure. The sheets themselves can be created with throw-away accounts and deleted at will.
6. Legitimate API Usage Patterns
Many organizations use Google Sheets APIs for automation, reporting, and data integration. The Gridtide backdoor's traffic blends seamlessly with this legitimate activity.
The Attack Chain: From Initial Access to Data Theft
While GTIG couldn't determine the exact initial access vector for this specific campaign, the attack chain unfolded as follows:
Stage 1: Initial Compromise
Based on UNC2814's historical behavior, the group likely gained initial access by exploiting vulnerable web servers or edge systems—internet-facing infrastructure that's difficult to patch quickly and often overlooked by security teams.
Stage 2: Discovery and Reconnaissance
Once inside the victim environment, Mandiant researchers observed the attackers conducting reconnaissance. A suspicious binary, /var/tmp/xapt, was observed spawning a shell with root privileges and executing commands to retrieve the system's user and group identifiers (the classic id check), confirming that the backdoor was already running as root.
The binary name "xapt" is a clever piece of tradecraft. On Debian and Ubuntu systems, apt-get is a ubiquitous package management tool. By naming their payload similarly, the attackers increased their chances of avoiding detection during casual inspection of running processes or file systems. To a system administrator glancing at process lists, "xapt" might look like a legitimate component of the package management system.
Stage 3: Lateral Movement
The attackers moved laterally through victim networks via SSH—a protocol that's both ubiquitous in enterprise environments and difficult to distinguish from legitimate administrative activity when used by an attacker with valid credentials.
Stage 4: Backdoor Deployment
The attackers launched the Gridtide backdoor with the command nohup ./xapt. nohup ("no hang up") makes the process ignore the SIGHUP signal sent when the user's session closes, so the backdoor keeps running after the attacker disconnects. It is another living-off-the-land technique, using a standard Unix utility rather than a custom loader; note that it only detaches the process from the session and does not by itself survive a reboot.
Stage 5: Establishing Persistent Access
After deploying Gridtide, UNC2814 installed SoftEther VPN Bridge to establish an outbound encrypted connection to an external IP address. VPN configuration metadata suggests this specific infrastructure has been in use since July 2018—nearly eight years of operational use of the same infrastructure, indicating significant confidence in its operational security.
This dual-channel approach—Gridtide for lightweight C2 and SoftEther for deeper access—provides both stealth and capability. The VPN tunnel allows the attackers to access internal resources as if they were on the local network, while Gridtide handles task coordination and file transfers through Google's infrastructure.
Stage 6: Targeting Sensitive Data
In the observed incidents, attackers deployed Gridtide on endpoints containing highly sensitive personal information, including:
- Full names
- Phone numbers
- Dates and places of birth
- Voter ID numbers
- National ID numbers
This data is classic counterintelligence material—exactly what you'd need to build profiles of individuals for surveillance, tracking, or targeting operations. In telecommunications environments, this could help identify and track persons of interest, including dissidents, activists, journalists, or government officials.
The Gridtide Backdoor: Technical Breakdown
Gridtide is a C-based backdoor with a focused feature set designed for reliable, stealthy operations:
Core Capabilities:
- Command execution: Can run arbitrary shell commands on compromised systems
- File upload/download: Bi-directional file transfer for exfiltration and tool deployment
- Google Sheets C2: All command-and-control via Google Sheets API calls
The backdoor's relatively simple feature set is a strength, not a weakness. By limiting functionality to essential capabilities and avoiding complex features that might trigger behavioral detection, Gridtide focuses on reliability and stealth.
Google's Disruption: Swift and Comprehensive
Once GTIG identified the campaign, Google moved quickly to dismantle UNC2814's infrastructure:
Actions Taken:
- Terminated all Google Cloud Projects controlled by UNC2814
- Disabled all known UNC2814 infrastructure and accounts
- Revoked the threat actor's access to the Google Sheets API
- Notified all 53 confirmed victims
- Provided active support to compromised organizations for remediation
This coordinated takedown demonstrates the unique advantage that cloud platform providers have in disrupting threat actors: when your C2 infrastructure is hosted on someone else's platform, they can simply turn it off.
However, it's important to note that this disruption affects only the specific infrastructure and accounts GTIG identified. UNC2814 likely has additional infrastructure not yet discovered, and the group can simply create new Google accounts and sheets to re-establish C2 capabilities. The disruption buys victims time to remediate and forces the attackers to rebuild, but it's not a permanent solution.
What This Means for Defenders
The UNC2814 campaign represents a fundamental challenge for modern cybersecurity: how do you detect malicious use of legitimate services?
The SaaS Security Dilemma
Traditional security controls focus on blocking known-bad indicators—malicious domains, suspicious IP addresses, known malware signatures. But when threat actors use legitimate services like Google Sheets, these controls become ineffective.
The Problem:
- You can't block Google Sheets without breaking legitimate business processes
- Encrypted HTTPS traffic to googleapis.com reveals nothing about the content unless you intercept TLS, and even then the payload looks like ordinary spreadsheet reads and writes
- API calls to Sheets are indistinguishable from legitimate automation
- Behavioral anomalies are hard to detect when many users access Sheets programmatically
The Solution (Partial): Defenders need to shift from perimeter-focused security to behavior-based detection:
- Monitor for unusual access patterns to cloud services from unexpected systems
- Establish baselines for normal Google Sheets API usage in your environment
- Focus on endpoint detection rather than network indicators
- Look for anomalous process execution (like nohup launching unknown binaries)
- Correlate cloud service access with known-good business processes
Specific Detection Opportunities
Despite the stealth of using Google Sheets for C2, there are still detection opportunities:
Process-Level Indicators:
- Unknown binaries with suspicious names (xapt, etc.) running with elevated privileges
- Use of nohup to background processes
- Unexpected SSH connections originating from non-administrative systems
- Installation of VPN software (like SoftEther) outside of IT-managed processes
Network-Level Indicators:
- Systems that don't normally access Google Sheets API suddenly doing so
- High-frequency API calls to Google Sheets from server systems
- Outbound VPN connections from systems that shouldn't have them
- Long-duration encrypted sessions to unusual external IP addresses
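One way to operationalize the network-level indicators above, as an added example that is not part of GTIG's report and not a Gridtide signature: the script below reads proxy log lines, keeps only requests to sheets.googleapis.com, compares the source hosts against a baseline of systems known to use the Sheets API, and scores the cadence of the remaining hosts' requests. The log format, host names, baseline and thresholds are all assumptions, and the log lines are constructed for the example.

```python
"""Flag hosts polling the Google Sheets API in a beacon-like pattern.

Added illustration for this article, not GTIG/Mandiant tooling and not a
Gridtide signature. Log format, host names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"

# Assumed baseline: hosts whose Sheets API use is a known business process.
KNOWN_SHEETS_INTEGRATION_HOSTS = {"billing-sheets-01"}

# Constructed proxy log, one request per line:
# "<ISO timestamp> <src_host> <dst_host> <method> <path>".
# billing-sheets-01 is a known integration with irregular traffic, db-core-03 is
# a database server polling one range every five minutes, laptop-jdoe made two
# ad-hoc requests, and the final Docs API call must be ignored.
SAMPLE_LOG = """\
2026-02-10T09:00:00 billing-sheets-01 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1:D50
2026-02-10T09:07:12 billing-sheets-01 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1:append
2026-02-10T11:31:40 billing-sheets-01 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1!A1:D50
2026-02-10T09:00:00 db-core-03 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:B2
2026-02-10T09:05:00 db-core-03 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:B2
2026-02-10T09:10:00 db-core-03 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:B2
2026-02-10T09:15:00 db-core-03 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:B2
2026-02-10T09:20:00 db-core-03 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:B2
2026-02-10T09:03:00 laptop-jdoe sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:Z99
2026-02-10T14:03:00 laptop-jdoe sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/A1:Z99
2026-02-10T09:10:00 db-core-03 docs.googleapis.com GET /v1/documents/EXAMPLE_ID
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, src, dst, method, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), src, dst, method, path))
    return records


def sheets_timestamps_by_host(records):
    """Collect sorted request times to the Sheets API per source host."""
    by_host = defaultdict(list)
    for ts, src, dst, _method, _path in records:
        if dst == SHEETS_API_HOST:
            by_host[src].append(ts)
    return {host: sorted(times) for host, times in by_host.items()}


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) or None.

    A CV close to zero means a fixed cadence, the signature of a process
    polling on a timer rather than a person or an event-driven job.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg else (avg, 0.0)


def find_anomalies(records, baseline_hosts, min_requests=4, max_cv=0.15):
    """List non-baseline hosts using the Sheets API, noting periodic pollers."""
    findings = []
    for host, times in sorted(sheets_timestamps_by_host(records).items()):
        if host in baseline_hosts or len(times) < min_requests:
            continue
        finding = {"host": host, "requests": len(times),
                   "reasons": ["host not in Sheets API baseline"]}
        stats = interval_stats(times)
        if stats:
            avg, cv = stats
            finding["mean_interval_s"] = avg
            finding["cv"] = round(cv, 3)
            if cv <= max_cv:
                finding["reasons"].append(
                    f"fixed-cadence polling every ~{avg:.0f}s (cv={cv:.2f})")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG), KNOWN_SHEETS_INTEGRATION_HOSTS):
        print(f["host"], f["requests"], "requests:", "; ".join(f["reasons"]))
```

A coefficient of variation near zero means the host is hitting the API on a fixed timer, which is how an implant polls a dead drop; human-driven and event-driven integrations are far more irregular. Tune min_requests and max_cv against your own baseline, and keep in mind that an implant with randomized sleep defeats the cadence check but not the baseline check, which is why the baseline of known integration hosts matters more than any single threshold.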
File System Indicators:
- Suspicious binaries in /var/tmp or other temporary directories
- VPN configuration files in unusual locations
- Evidence of privilege escalation attempts
- Unusual SSH key creation or modification
The Broader Trend: SaaS Platforms as APT Infrastructure
UNC2814's use of Google Sheets is part of a broader trend of nation-state actors abusing legitimate cloud services:
Recent Examples:
- Microsoft 365 abuse for email-based C2 and data exfiltration
- Dropbox and OneDrive for file storage and transfer
- GitHub for hosting malware payloads and C2 scripts
- Slack and Discord for real-time C2 communications
- Pastebin and similar services for dead-drop-style C2
The appeal is obvious: these platforms provide free, reliable, and globally accessible infrastructure with built-in encryption and trusted reputation. From an attacker's perspective, it's perfect.
From a defender's perspective, it's a nightmare. How do you defend against threats that use the same tools your business relies on every day?
Lessons for Security Teams
1. Assume Breach
If UNC2814 can compromise 53 organizations across 42 countries without being detected for years, assume they could be in your environment too. Design security controls assuming attackers are already inside.
2. Focus on Anomaly Detection
Since you can't block legitimate services, focus on detecting anomalous use:
- Systems accessing cloud services they normally don't
- Unusual patterns of API usage
- Unexpected data exfiltration volumes
- Behavioral changes in user accounts
3. Segment Your Network
Even if attackers gain initial access, network segmentation can limit their ability to move laterally. Ensure that compromise of one system doesn't automatically grant access to everything else.
4. Monitor Cloud Service Usage
Implement Cloud Access Security Broker (CASB) solutions or equivalent controls to gain visibility into how your organization uses cloud services. Detect when systems or accounts exhibit unusual patterns.
5. Endpoint Detection Is Critical
With attackers using legitimate network protocols and trusted services, endpoint detection and response (EDR) becomes your primary detection mechanism. Focus on behavioral analysis of processes, file system changes, and privilege escalation attempts.
6. Threat Hunting Is Essential
Don't wait for alerts. Proactively hunt for indicators of compromise:
- Unusual binaries in temporary directories
- VPN software on systems that shouldn't have it
- Suspicious SSH usage patterns
- Systems accessing cloud services they normally don't
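The process-level and file-system indicators listed earlier, and the hunting list above, can be turned into a host check. The Python below is an added example, not GTIG or Mandiant tooling and not a signature for Gridtide; it walks a process listing and flags executables running from world-writable temp directories, root processes reparented to init (what a nohup launch looks like once the attacker's shell exits), names one edit away from a package-manager tool, shells spawned by such binaries, and SoftEther components. The record format (pid, ppid, user, resolved exe, args), the process listing itself, the directory lists and the SoftEther binary names are assumptions.

```python
"""Hunt a Linux process listing for the host-level traits discussed above.

Added illustration for this article, not GTIG/Mandiant tooling and not a
signature for Gridtide or UNC2814. The record format, the sample processes,
the directory lists and the SoftEther binary names are assumptions.
"""
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/local/bin/")
PACKAGE_TOOLS = ("apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "zypper", "pacman")
SHELLS = {"sh", "bash", "dash", "zsh"}
SOFTETHER_NAMES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd"}  # assumed names

# Constructed records, "pid ppid user exe args", where exe is the target of
# /proc/<pid>/exe so a relative "./xapt" shows up with its real path.
SAMPLE_PS = """\
1 0 root /usr/lib/systemd/systemd /sbin/init
812 1 root /usr/sbin/sshd /usr/sbin/sshd -D
2231 812 alice /usr/bin/bash -bash
2290 2231 alice /usr/bin/vim vim notes.txt
3001 2231 root /usr/bin/apt-get apt-get install -y curl
4410 1 root /var/tmp/xapt ./xapt
4411 4410 root /usr/bin/dash sh -c id
5120 1 root /opt/vpnbridge/vpnbridge ./vpnbridge execsvc
6002 1 www-data /usr/bin/python3 python3 worker.py
"""


def parse_ps(text):
    """Index the constructed listing by pid."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, user, exe, args = line.split(maxsplit=4)
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                           "user": user, "exe": exe, "args": args}
    return procs


def under(path, prefixes):
    """True when path starts with any of the given directory prefixes."""
    return any(path.startswith(p) for p in prefixes)


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as xapt/apt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimicked_tool(name):
    """Package-manager tool the name equals or is one edit away from, if any."""
    for tool in PACKAGE_TOOLS:
        if edit_distance(name, tool) <= 1:
            return tool
    return None


def hunt(procs, vpn_approved=False):
    """Return findings for processes matching the indicators, ordered by pid."""
    findings = []
    for p in sorted(procs.values(), key=lambda r: r["pid"]):
        reasons = []
        name = os.path.basename(p["exe"])
        if under(p["exe"], TEMP_DIRS):
            reasons.append(f"executable lives in a world-writable temp dir: {p['exe']}")
            if p["user"] == "root":
                reasons.append("runs as root")
            if p["ppid"] == 1:
                reasons.append("reparented to init (ppid 1): launched detached, e.g. via nohup")
        if not under(p["exe"], TRUSTED_BIN_DIRS):
            tool = mimicked_tool(name)
            if tool:
                reasons.append(f"name '{name}' mimics package tool '{tool}' outside trusted bin dirs")
        if name in SOFTETHER_NAMES and not vpn_approved:
            reasons.append(f"SoftEther component '{name}' on a host not approved for VPN software")
        parent = procs.get(p["ppid"])
        if name in SHELLS and parent and under(parent["exe"], TEMP_DIRS):
            reasons.append(f"shell spawned by temp-dir binary pid {parent['pid']}: {p['args']}")
        if reasons:
            findings.append({"pid": p["pid"], "user": p["user"], "exe": p["exe"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} ({f['user']}, {f['exe']})")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed listing, the xapt process collects four reasons (temp-dir path, root, orphaned to init, look-alike name), the `sh -c id` child is tied back to it, and the SoftEther bridge is reported on its own; the legitimate apt-get run is ignored because its executable sits in a trusted directory. Resolving exe through /proc rather than trusting argv is what makes the relative `./xapt` visible; an attacker who names the binary after a real tool and drops it in /usr/bin would defeat the name and path rules, which is why the orphaned-root-process and shell-spawn rules are kept independent of them.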
The Geopolitical Context
This campaign must be understood within the broader context of Chinese cyber espionage efforts:
Telecommunications Targeting: Chinese APT groups have consistently prioritized telecommunications infrastructure, seeking:
- Access to call data records (CDRs) for surveillance
- Ability to intercept communications of specific targets
- Intelligence on network architecture and capabilities
- Strategic positioning for potential future disruption
Government Targeting: Espionage against government entities provides:
- Intelligence on policy deliberations and strategic planning
- Access to diplomatic communications
- Information on law enforcement investigations
- Insight into foreign governments' capabilities and intentions
The "Why Now" Question: The timing of this campaign—using infrastructure dating back to 2018—suggests this is a mature, long-running operation that GTIG only recently discovered and mapped. The public disclosure now likely reflects:
- Sufficient visibility to map the full scope
- Preparation of technical infrastructure for disruption
- Coordination with affected organizations
- Strategic timing for maximum impact on UNC2814's operations
What Happens Next?
Google's disruption of UNC2814's infrastructure provides temporary relief, but this is far from over:
Short-Term (Weeks):
- UNC2814 will create new infrastructure using different accounts and tooling
- Victims will conduct remediation and threat hunting
- Security vendors will update detection rules for Gridtide indicators
- Defenders will increase monitoring of cloud service usage
Medium-Term (Months):
- Other APT groups will adopt similar SaaS abuse tactics
- Cloud providers will develop better abuse detection mechanisms
- Security tools will evolve to detect anomalous cloud service usage
- Organizations will implement more restrictive cloud access policies
Long-Term (Years):
- The cat-and-mouse game between attackers and defenders will continue
- Nation-state actors will find new legitimate services to abuse
- Zero Trust architectures will become essential for defense
- Cloud providers will play an increasingly important role in threat disruption
The Uncomfortable Truth
The UNC2814 campaign reveals an uncomfortable truth about modern cybersecurity: the same cloud services that enable business agility and collaboration also provide perfect infrastructure for nation-state espionage.
There's no simple solution. We can't abandon cloud services, and we can't effectively block access to trusted platforms without breaking critical business processes. The answer lies in better detection, faster response, and a fundamental shift in how we think about security in a cloud-first world.
Google's successful disruption of this campaign demonstrates that cloud platform providers can be powerful allies in fighting nation-state threats. But it also highlights our dependence on those providers' ability and willingness to detect and act against abuse of their platforms.
For security teams defending telecommunications and government networks, the message is clear: the threat is sophisticated, persistent, and increasingly difficult to detect. Traditional security controls are necessary but not sufficient. Success requires a combination of advanced endpoint detection, behavioral analytics, threat hunting, and collaboration with cloud service providers.
UNC2814 will adapt. Other APT groups will adopt similar tactics. The only question is whether defenders can adapt faster.
Sources:
- Google Threat Intelligence Group: "Disrupting GRIDTIDE: Global Espionage Campaign" (February 25, 2026)
- The Register: "Google catches Beijing spies using Sheets to spread espionage across 4 continents" (February 25, 2026)