Google Busts Massive China Hacking Operation


China-linked hackers infiltrated telecoms and governments in 42 countries for nearly a decade, exploiting Google tools until American tech giants shut them down—exposing Beijing’s relentless cyber threat to global sovereignty.

Story Snapshot

  • Google Threat Intelligence Group disrupted UNC2814, a suspected PRC-nexus group active since 2017, breaching 53 organizations across 42 countries.
  • Hackers used the GRIDTIDE Linux backdoor with the Google Sheets API as a stealthy command-and-control channel, targeting telecoms and governments for surveillance.
  • The disruption terminated the attackers' Google Cloud projects, revoked their API access, and notified victims, halting the campaign, though a resurgence is expected.
  • Victims span Africa, Asia, and the Americas; potential exposure of PII such as names, phone numbers, and ID numbers raises privacy alarms amid U.S.-China tensions.

Campaign Scope and Tactics

Google Threat Intelligence Group has tracked UNC2814 since 2017 as a prolific actor targeting governments and telecoms in Africa, Asia, and the Americas. The group deployed GRIDTIDE, a novel Linux backdoor that supports remote command execution, file transfers, and data exfiltration. The attackers masked their command-and-control traffic by abusing the Google Sheets API, blending it with legitimate SaaS activity to evade detection tools. Initial access came through compromised web servers and edge systems, which gave the group long-term persistence; Google's own products were not compromised.
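One defender-side check the passage above suggests, written here as an added example (not code from the article, Google or GTIG): servers with no business reason to use spreadsheets that call the Sheets API on a regular cadence are worth a look, because that is the signature of C2 hiding in SaaS traffic. The proxy-log format, host names, roles and thresholds are all constructed assumptions; the log is assumed to be in chronological order.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_HOST = "sheets.googleapis.com"

# Constructed egress-proxy log ("<timestamp> <src_host> <dst_host>"): web-01
# beacons to the Sheets API about once a minute, an analyst workstation uses
# it irregularly, and an edge device touches it once.
SAMPLE_LOG = """\
2026-02-20T10:00:00Z web-01  sheets.googleapis.com
2026-02-20T10:00:02Z ws-ana  sheets.googleapis.com
2026-02-20T10:01:01Z web-01  sheets.googleapis.com
2026-02-20T10:02:00Z web-01  sheets.googleapis.com
2026-02-20T10:02:59Z web-01  sheets.googleapis.com
2026-02-20T10:07:30Z ws-ana  sheets.googleapis.com
2026-02-20T10:10:00Z edge-fw sheets.googleapis.com
2026-02-20T10:11:00Z web-02  www.example.com
"""

# Hosts whose role gives them no business reason to call Sheets (constructed).
SERVER_HOSTS = {"web-01", "web-02", "edge-fw"}


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed three-column format."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def sheets_c2_candidates(log_text, server_hosts, min_hits=3, max_cv=0.2):
    """Return servers whose Sheets API traffic looks like a C2 beacon.

    Server role alone is weak evidence (a cron job might read a sheet), so a
    host is flagged only with enough requests AND a regular cadence: a low
    coefficient of variation (stdev / mean) of the gaps between requests.
    """
    hits = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        if dst == SHEETS_HOST and src in server_hosts:
            hits[src].append(ts)
    findings = []
    for host, times in sorted(hits.items()):
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "hits": len(times),
                             "mean_gap_s": round(mean(gaps)), "cv": round(cv, 3)})
    return findings
```

On the sample, only web-01 is flagged (four hits, roughly 60 s apart); the workstation is excluded by role and the edge device by hit count, which is the kind of tuning a real deployment needs to avoid drowning in legitimate SaaS use.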

Disruption Efforts Succeed

Google coordinated with Mandiant and unnamed industry partners in the week before February 25, 2026, to dismantle the operation. Actions included terminating attacker-controlled Google Cloud projects, sinkholing infrastructure, revoking Sheets API access, and releasing indicators of compromise covering activity from 2023 onward. GTIG updated its detection signatures and notified victims at 53 confirmed organizations in 42 countries, with suspected victims in over 20 more. The group has not yet been observed re-establishing its operations, though experts anticipate UNC2814's determined return.

GTIG emphasized the scale of the intrusions, noting that they targeted telecommunications providers for personally identifiable information such as names, phone numbers, and ID numbers, data that could enable surveillance of communications, although direct exfiltration of it was not observed. This mirrors broader China-nexus patterns but relies on tactics distinct from those of groups like Salt Typhoon.

Geopolitical Implications

The campaign hit entities in nations including Afghanistan, Australia, Belgium, Cambodia, Malaysia, Russia, Vietnam, and the Philippines, spanning South Asia, Africa, Europe, and West Asia. Victims face remediation costs and eroded trust in cloud services. Privacy risks loom for citizens from potential surveillance data. Politically, the exposure heightens U.S.-China cyber tensions, validating long-held conservative concerns over Beijing’s state-sponsored espionage undermining national security and individual liberties.

China’s embassy denied involvement, rejecting accusations as smears and calling for dialogue while opposing hacking. Western analysts, led by GTIG’s authoritative report, unanimously link UNC2814 to the PRC, highlighting a decade of sophisticated global spying. Private-sector action sets a precedent against advanced persistent threats, bolstering defenses without government overreach.

Sources:

  • Google Disrupts UNC2814 GRIDTIDE Cyber Campaign
  • China-Linked UNC2814 Exploited Google Sheets API
  • Google GTIG Disrupted China-Linked APT UNC2814
  • Google Disrupts Prolific China Hacking Campaign
  • China Cyberattacks on Telecommunications via Google Sheets
  • Disrupting the GRIDTIDE Global Cyber Espionage Campaign
  • China Cyber Espionage: Google Disrupt
  • Google Disrupts Chinese Cyberespionage Campaign