Full Report
UNC2814 historically targets governments and telcos A China-linked crew found a unique formula for attacking telcos and government orgs across the Americas, Asia, and Africa in its latest round of intrusions. Google's threat intelligence, along with unnamed industry partners, disrupted the gang, which used the Chocolate Factory's own spreadsheet tools as part of its exploits.…
Analysis Summary
# Threat Actor: UNC2814
## Attribution & Identity
* **Attribution:** China-linked crew, suspected Chinese government espionage group.
* **Known Aliases and Associated Groups:** Mandiant has linked the Gridtide backdoor to UNC2814. No overlap with other Beijing-backed groups was noted.
* **Tracking History:** Google Threat Intelligence Group (GTIG) has been tracking this group since 2017.
## Activity Summary
* **Recent Campaign:** A global espionage operation tracked by Google and industry partners that utilized Google Sheets API functionality for C2. The operation was disrupted as of February 18th.
* **Scale of Impact:** Confirmed impact against 53 victims across 42 countries, with suspected infections in at least 20 more countries (four continents targeted).
* **Historical Operations:** Historically targets governments and telecommunications companies.
## Tactics, Techniques & Procedures
* **Initial Access:** Historically gains access by exploiting and compromising web servers and edge systems (specific entry method for the latest campaign is unknown).
* **Privilege Escalation:** Achieved root privileges locally (evidenced by a binary `/var/tmp/xapt` executing a command to confirm root access).
* **Lateral Movement:** Used SSH for lateral movement.
* **Command Execution:** Deployed payloads which could execute shell commands. Used the command `"nohup ./xapt"` to allow processes to run after a user session closes.
* **Backdoor Usage:** Deployed the novel C-based backdoor, **Gridtide**.
* **C2 Communication:** Gridtide abuses legitimate Google Sheets API functionality to disguise C2 traffic.
* **Persistence/Exfiltration Support:** Deployed **SoftEther VPN Bridge** to establish an outbound encrypted connection to external infrastructure.
## Targeting
* **Sectors:** Governments and telecommunications organizations (telcos).
* **Geography:** Americas, Asia, and Africa (impacted 42 countries across four continents).
* **Victims:** Organizations compromised included endpoints containing personal information, suggesting targeting might involve identifying and tracking persons of interest (e.g., full name, ID numbers, birth details). Previous espionage efforts against telecoms targeted dissidents and activists.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Gridtide:** Novel C-based backdoor using the Google Sheets API for C2.
  * **/var/tmp/xapt:** Suspected initial payload/binary used to escalate to root.
  * **SoftEther VPN Bridge:** Used for establishing outbound encrypted connections.
* **Infrastructure:**
  * **C2:** Leveraged legitimate Google Sheets API calls.
  * **VPN Infrastructure:** Threat actors have been leveraging specific VPN infrastructure since July 2018.
  * Google disabled all known UNC2814 infrastructure and accounts, and terminated controlled Google Cloud Projects.
## Implications
The actor demonstrates a sophisticated, novel approach to espionage by weaponizing legitimate cloud services (Google Sheets API) for persistent C2, vastly improving camouflage. Their sustained focus on critical infrastructure (telecoms) and government entities suggests high-level state-sponsored intelligence gathering, potentially targeting sensitive personal data or operational intelligence.
## Mitigations
* Monitor for or restrict unusual use of Google Sheets APIs for external command and control interaction.
* Investigate binary activity in temporary directories like `/var/tmp/`.
* Monitor for privilege escalation attempts, specifically checking for confirmation of root access.
* Scrutinize the deployment of VPN bridging software like SoftEther, especially in conjunction with suspicious outbound encrypted connections.
* Review outbound network traffic for potential data exfiltration or command channels disguised as legitimate services.
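The mitigations above map to a handful of concrete detection rules. The script below is an added hunting example, not code from Google, Mandiant, or the article: it runs those rules over constructed process-execution and outbound-connection records. The event field names (`exe`, `cmdline`, `cwd`, `parent_exe`, `process_exe`, `dest_host`), the list of processes allowed to talk to the Sheets API, and the SoftEther binary names are assumptions about a generic EDR/proxy schema and a default SoftEther install, to be tuned per environment.

```python
"""Hunt for the UNC2814 / Gridtide tradecraft described in the summary above.

Added example, not the project's or the vendor's code. Field names and the
allowlists below are assumptions about a generic EDR / proxy log schema.
"""
import posixpath
import re
import shlex
from dataclasses import dataclass

# Constructed sample telemetry (not real IoCs): a nohup launch of a binary in
# /var/tmp, the binary itself, a root check spawned by it, a SoftEther bridge
# start, a benign app, and three outbound connections (two to the Sheets API).
SAMPLE_EVENTS = [
    {"type": "process", "host": "srv-01", "user": "www-data", "exe": "/usr/bin/nohup",
     "cmdline": "nohup ./xapt", "cwd": "/var/tmp"},
    {"type": "process", "host": "srv-01", "user": "www-data", "exe": "/var/tmp/xapt",
     "cmdline": "./xapt", "cwd": "/var/tmp"},
    {"type": "process", "host": "srv-01", "user": "root", "exe": "/usr/bin/id",
     "cmdline": "id -u", "cwd": "/var/tmp", "parent_exe": "/var/tmp/xapt"},
    {"type": "process", "host": "srv-02", "user": "admin", "exe": "/usr/local/vpnbridge/vpnbridge",
     "cmdline": "/usr/local/vpnbridge/vpnbridge start", "cwd": "/"},
    {"type": "process", "host": "srv-03", "user": "deploy", "exe": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/run.py", "cwd": "/opt/app"},
    {"type": "network", "host": "srv-01", "process_exe": "/var/tmp/xapt",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"type": "network", "host": "ws-17", "process_exe": "/usr/bin/firefox",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"type": "network", "host": "srv-03", "process_exe": "/usr/bin/python3",
     "dest_host": "api.internal.example", "dest_port": 8443},
]

TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Assumption: binary names as shipped by a default SoftEther VPN install.
SOFTETHER_BINARIES = {"vpnbridge", "vpnserver", "vpnclient", "vpncmd"}
# Assumption: processes for which Sheets API traffic is expected; tune per site.
SHEETS_ALLOWLIST = {"/usr/bin/firefox", "/usr/bin/google-chrome", "/usr/bin/chromium"}
ROOT_CHECK_RE = re.compile(r"^(id|whoami)(\s|$)")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _in_tempdir(path: str) -> bool:
    return any(path.startswith(d) for d in TEMP_DIRS)


def _resolve(cwd: str, target: str) -> str:
    """Resolve a relative command target (./xapt) against the process cwd."""
    return posixpath.normpath(posixpath.join(cwd, target))


def check_process(ev: dict) -> list:
    findings = []
    exe = ev.get("exe", "")
    cmd = ev.get("cmdline", "")
    argv = shlex.split(cmd) if cmd else []
    # Rule 1: any executable running out of a world-writable temp directory.
    if _in_tempdir(exe):
        findings.append(Finding("exec-from-tempdir", ev["host"], exe))
    # Rule 2: nohup used to detach a temp-dir binary from the session.
    if len(argv) >= 2 and argv[0] == "nohup" and _in_tempdir(_resolve(ev.get("cwd", "/"), argv[1])):
        findings.append(Finding("nohup-detach", ev["host"], cmd))
    # Rule 3: a temp-dir binary spawning a root-confirmation command (id / whoami).
    if _in_tempdir(ev.get("parent_exe", "")) and ROOT_CHECK_RE.match(cmd):
        findings.append(Finding("root-check-from-tempdir-binary", ev["host"], f"{ev['parent_exe']} -> {cmd}"))
    # Rule 4: SoftEther components, which the summary ties to outbound tunnelling.
    if posixpath.basename(exe) in SOFTETHER_BINARIES:
        findings.append(Finding("softether-vpn-component", ev["host"], exe))
    return findings


def check_network(ev: dict) -> list:
    # Rule 5: Sheets API traffic from anything other than an allowlisted client.
    dest = ev.get("dest_host", "").lower()
    proc = ev.get("process_exe", "")
    is_sheets = dest == "sheets.googleapis.com" or dest.endswith(".sheets.googleapis.com")
    if is_sheets and proc not in SHEETS_ALLOWLIST:
        return [Finding("sheets-api-from-unexpected-process", ev["host"], f"{proc} -> {dest}")]
    return []


def hunt(events: list) -> list:
    out = []
    for ev in events:
        if ev.get("type") == "process":
            out.extend(check_process(ev))
        elif ev.get("type") == "network":
            out.extend(check_network(ev))
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run stand-alone, the script flags five events on `srv-01` and `srv-02` and stays silent on the browser-originated Sheets traffic from `ws-17` and the internal API call from `srv-03`. The Sheets rule is the one most likely to need tuning: in environments where back-end services legitimately call the Sheets API, allowlist those service binaries (or their service accounts) rather than suppressing the rule, so that a temp-directory binary talking to `sheets.googleapis.com` still stands out.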