
UNC2814 GridTide: How China-Linked Hackers Used Google Sheets as C2 Across 42 Countries
A Spreadsheet Was the Weapon

Google just disrupted one of the most sophisticated state-sponsored espionage campaigns ever documented — and the command-and-control channel was Google Sheets. UNC2814, a suspected China-nexus threat actor tracked by Google's Threat Intelligence Group (GTIG) since 2017, compromised 53 organizations across 42 countries using a novel C-based backdoor called GridTide that communicates entirely through Google Sheets API calls. No suspicious domains. No hardcoded IPs. No C2 beacons to block. Just normal-looking Google API traffic that blended perfectly with every other cloud application in your environment.

Why Google Sheets Is a Brilliant C2 Channel

Traditional C2 infrastructure has a weakness: defenders can block it. Domain takedowns, IP blacklists, DNS sinkholes — all standard countermeasures that force attackers to constantly rotate infrastructure.

Google Sheets eliminates all of these problems:

Traffic goes to sheets.googleapis.com — a domain you cannot bl
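Because the destination domain cannot simply be blocked, detection has to look at how the traffic behaves rather than where it goes. A backdoor that polls a spreadsheet for tasking tends to contact sheets.googleapis.com on a fixed timer with little jitter and from a process that is not a browser, whereas human use of Sheets is bursty. The following is an added example of that heuristic, written for this article and not code from the article, from Google, or from any published GridTide analysis. It assumes a constructed proxy log format (timestamp, client host, process name, destination host, request path); the host names, process name and spreadsheet id in the sample are placeholders.

```python
"""Flag periodic ("beacon-like") access to sheets.googleapis.com in proxy logs.

Illustrative detection heuristic (assumption: log lines look like
"<ISO timestamp> <client_host> <process> <dest_host> <path>").
Low variation in the gaps between requests from one host/process pair
is the signal; volume alone would not separate a poller from a busy user.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. "updater.exe" and the hosts are placeholders,
# and SPREADSHEET_ID_PLACEHOLDER stands in for a real spreadsheet id.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 updater.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Tasks!A1:B20
2024-05-01T10:00:05 ws-03 chrome.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Budget!A1:Z200
2024-05-01T10:00:07 ws-03 chrome.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER
2024-05-01T10:00:40 ws-03 chrome.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values:batchUpdate
2024-05-01T10:01:01 ws-17 updater.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Tasks!A1:B20
2024-05-01T10:01:30 ws-17 updater.exe docs.googleapis.com /v1/documents/DOC_ID_PLACEHOLDER
2024-05-01T10:02:00 ws-17 updater.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Tasks!A1:B20
2024-05-01T10:03:01 ws-17 updater.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Tasks!A1:B20
2024-05-01T10:04:00 ws-17 updater.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Tasks!A1:B20
2024-05-01T10:12:13 ws-03 chrome.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER/values/Budget!A1:Z200
2024-05-01T10:12:15 ws-03 chrome.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER
2024-05-01T10:20:00 ws-09 excel.exe sheets.googleapis.com /v4/spreadsheets/SPREADSHEET_ID_PLACEHOLDER
"""


def parse_line(line):
    """Split one constructed proxy log line into its five fields."""
    ts, host, proc, dest, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, proc, dest, path


def group_requests(lines, dest="sheets.googleapis.com"):
    """Collect request timestamps per (host, process) for the watched destination."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, proc, d, _path = parse_line(line)
        if d == dest:
            groups[(host, proc)].append(ts)
    return groups


def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps (lower = more regular).

    Returns None when there are too few requests to judge a rhythm.
    """
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg, avg


def find_beacons(lines, min_requests=4, max_cv=0.15):
    """Return (host, process, request_count, mean_gap_seconds, cv) for regular pollers."""
    suspects = []
    for (host, proc), ts in group_requests(lines).items():
        score = beacon_score(ts)
        if score is None or len(ts) < min_requests:
            continue
        cv, avg = score
        if cv <= max_cv:
            suspects.append((host, proc, len(ts), round(avg, 1), round(cv, 3)))
    return sorted(suspects)


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print("regular Sheets polling:", hit)
```

On the sample above only ws-17/updater.exe is reported (five requests, roughly one per minute, coefficient of variation about 0.017), while the browser session on ws-03 has bursts and long idle stretches and is ignored. The thresholds are starting points to tune per environment: legitimate sync clients and add-ons also poll on timers, so the process name and the asset's expected role are the context that turns a regular rhythm into an alert worth triaging.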
Continue reading on Dev.to



