Chinese cyberspies breached dozens of telecom firms, govt agencies
February 25, 2026 12:00 PM

• Google’s Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
• The campaign has been active since at least 2023 and has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more countries.
• The initial access vector is unknown, but the researchers note that the threat actor, which Google tracks internally as UNC2814, has previously gained access by exploiting flaws in web servers and edge systems.
• Google says that in the recently disrupted campaign, the actor deployed a new C-based backdoor named ‘GRIDTIDE’ that abuses the Google Sheets API for evasive command-and-control (C2), so its traffic blends in with legitimate SaaS usage.
• GRIDTIDE authenticates to a Google Service Account using a hardcoded private key and, upon launch, clears the spreadsheet by deleting rows 1-1000 and columns A to Z.
• It then performs host reconnaissance, collecting the username, hostname, OS details, local IP, locale, and
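Two of the details above are directly huntable: a service-account private key hardcoded in the implant, and a host that first obtains a service-account token and then talks to the Sheets API. The script below is an added example, not code from Google, Mandiant, or the article; the log schema (host, process, url, body), the process allowlist, and the sample binary and log lines are constructed for illustration, and the key material is placeholder text, not a real credential.

```python
import json
import re
from typing import Iterable

# Indicators that a Google service-account credential is embedded in a binary.
PEM_KEY = re.compile(
    rb"-----BEGIN (?:RSA )?PRIVATE KEY-----.+?-----END (?:RSA )?PRIVATE KEY-----", re.S)
SA_EMAIL = re.compile(rb"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")
SA_JSON_MARKERS = {  # fields a service-account JSON file carries
    "type_service_account": re.compile(rb'"type"\s*:\s*"service_account"'),
    "client_email": re.compile(rb'"client_email"\s*:'),
    "private_key_id": re.compile(rb'"private_key_id"\s*:'),
}

def scan_for_service_account(blob: bytes) -> dict:
    """Collect indicator hits; a lone PEM key still merits manual review."""
    return {
        "pem_private_key": PEM_KEY.search(blob) is not None,
        "sa_emails": sorted({m.decode() for m in SA_EMAIL.findall(blob)}),
        "json_markers": sorted(k for k, rx in SA_JSON_MARKERS.items() if rx.search(blob)),
    }

def looks_like_embedded_sa(blob: bytes) -> bool:
    """PEM key plus either a *.iam.gserviceaccount.com address or two JSON fields."""
    hits = scan_for_service_account(blob)
    return hits["pem_private_key"] and (bool(hits["sa_emails"]) or len(hits["json_markers"]) >= 2)

# Proxy-log triage. The JSON-line schema below is an assumption for this example.
TOKEN_HOST = "oauth2.googleapis.com"
SHEETS_HOST = "sheets.googleapis.com"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant type service accounts use

def flag_sheets_c2_candidates(lines: Iterable[str], allowed_processes: set) -> list:
    """Hosts where a non-allowlisted process fetched a JWT-bearer token and then used the Sheets API."""
    token_hosts, sheets_hosts = set(), set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the hunt
        if ev.get("process") in allowed_processes:
            continue  # known, sanctioned Sheets integration
        url, body, host = ev.get("url", ""), ev.get("body", ""), ev.get("host", "")
        if TOKEN_HOST in url and JWT_BEARER in body:
            token_hosts.add(host)
        elif SHEETS_HOST in url:
            sheets_hosts.add(host)
    return sorted(token_hosts & sheets_hosts)

# Constructed samples (placeholder key material, not a real credential).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 32
    + b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n"
    + b"c2-bot@example-project.iam.gserviceaccount.com\x00https://sheets.googleapis.com/v4/spreadsheets/")
BENIGN_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 32 + b"https://www.googleapis.com/auth/spreadsheets\x00"
SAMPLE_LOGS = [
    json.dumps({"host": "ws-017", "process": "svchost.exe", "url": "https://oauth2.googleapis.com/token",
                "body": "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ..."}),
    json.dumps({"host": "ws-017", "process": "svchost.exe",
                "url": "https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A1:Z1000", "body": ""}),
    json.dumps({"host": "etl-02", "process": "gsheets-export.exe", "url": "https://oauth2.googleapis.com/token",
                "body": "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ..."}),
    json.dumps({"host": "etl-02", "process": "gsheets-export.exe",
                "url": "https://sheets.googleapis.com/v4/spreadsheets/def456:batchUpdate", "body": ""}),
    json.dumps({"host": "ws-042", "process": "chrome.exe",
                "url": "https://sheets.googleapis.com/v4/spreadsheets/ghi789/values/A1", "body": ""}),
    "not json",
]
ALLOWED = {"gsheets-export.exe"}  # assumed sanctioned integration

if __name__ == "__main__":
    print(scan_for_service_account(SAMPLE_BINARY))
    print(looks_like_embedded_sa(SAMPLE_BINARY), looks_like_embedded_sa(BENIGN_BINARY))
    print(flag_sheets_c2_candidates(SAMPLE_LOGS, ALLOWED))
```

The log check deliberately requires both halves of the pattern (token fetch plus Sheets traffic) from the same host, because a Sheets call on its own is normal in most estates; the allowlist is what keeps a legitimate export job from tripping it. The binary check is a triage aid, not proof: a service-account key can be stored in forms the regexes will miss, so a PEM hit without the other markers should still be looked at by hand.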
Sources:
- https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/ (Latest source article published: 2026-02-25 17:00 UTC)