Exposing the Undercurrent: Google and Mandiant Disrupt GRIDTIDE, a Cloud API Powered Espionage Campaign Spanning 42 Countries

By Ash K

When defenders talk about “living off the cloud,” this is what they mean. Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners moved to disrupt a long-running espionage operation in which attackers blended their command-and-control traffic into legitimate SaaS API calls. The actor, tracked as UNC2814, has been on GTIG’s radar since 2017 and has a track record of targeting telecommunications and government organizations across multiple regions.

GTIG says the operation had confirmed intrusions in 42 countries at the time of disruption, with 53 victim organizations identified and suspected activity in at least 20 more countries. It is a wide footprint, and it is not the kind you get from a one-off smash-and-grab. This looks like years of patient access, tuned for surveillance.

Figure: GRIDTIDE infection lifecycle.

What made GRIDTIDE different

The backdoor at the center of the campaign, dubbed GRIDTIDE, is a C-based implant designed for persistence and operator control. It can execute shell commands and move files up and down, but the more interesting piece is how it talks. Instead of beaconing to an obvious malware domain, GRIDTIDE used Google Sheets as a high-availability command channel, treating a spreadsheet like a message bus.

The trick is simple and effective: if your traffic looks like normal API usage from a cloud client library, it can slip past a lot of network controls. GTIG is explicit that this was not a vulnerability in Google products. It was abuse of legitimate Sheets API functionality, the sort of technique defenders tend to underestimate until they see it in the wild.

Disruption actions: cutting the pipes, not chasing the packets

GTIG and partners focused on the attacker’s scaffolding. They terminated Google Cloud Projects controlled by the actor, disabled attacker accounts, and revoked access to Sheets API calls being used for command-and-control. They also identified and disabled known UNC2814 infrastructure, including sinkholing current and historical domains used by the group.

This is how you meaningfully disrupt a cloud-enabled intrusion: you do not just clean one server and hope for the best. You rip out the control plane the attacker depends on. GTIG also said it issued victim notifications and refined detection signals intended to catch GRIDTIDE-related activity.

Initial detection: a suspicious binary that wanted to look ordinary

The investigation accelerated after Mandiant detected suspicious activity on a CentOS server. The process tree told an old story in a new setting: a binary in /var/tmp spawned a root shell and ran sh -c id 2>&1 to confirm privilege level. That quick check, showing uid=0(root), is the kind of small, utilitarian recon step you see from operators who already know what they want to do next.

Mandiant assessed the payload was likely named xapt to blend in, borrowing the familiarity of legacy tooling. It is not sophisticated obfuscation. It is just enough camouflage to buy time in environments where nobody expects a real intrusion to start in /var/tmp.

[Process Tree]
/var/tmp/xapt
 └── /bin/sh
      └── sh -c id 2>&1
           └── [Output] uid=0(root) gid=0(root) groups=0(root)

Post-compromise: SSH, systemd persistence, and an encrypted exit

After landing, UNC2814 moved laterally using a service account over SSH and leaned on living-off-the-land binaries for recon and privilege escalation. Persistence came via a systemd service created at /etc/systemd/system/xapt.service, spawning a new instance of the malware from /usr/sbin/xapt.

Operators initially ran GRIDTIDE using nohup ./xapt, a practical choice that keeps the implant alive when a session ends. Later, they deployed SoftEther VPN Bridge to establish an outbound encrypted connection. VPN configuration metadata suggested the actor has used related infrastructure since at least 2018.
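The persistence chain described above (a staging binary in /var/tmp, a copy at /usr/sbin/xapt, and a unit file at /etc/systemd/system/xapt.service) is easy to sweep for on Linux fleets. The following host-triage helper is an added example written for this post; it is not Mandiant or GTIG tooling. It checks the paths the write-up names, hashes anything found against the SHA256 values published in the IOC section, and, going one step beyond the post, scans every unit file's ExecStart line for a reference to the binary so a renamed unit does not slip past a path-only check. The root parameter is an assumption that lets the same code run against a mounted disk image or a test directory.

```python
import hashlib
import os

# Host artifacts published with the write-up (file name -> SHA256).
PUBLISHED_HASHES = {
    "xapt": "ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47",
    "xapt.cfg": "01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb",
    "xapt.service": "eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033",
    "hamcore.se2": "4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9",
    "vpn_bridge.config": "669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966",
}

# Paths named in the write-up: staging binary, relocated binary, persistence unit.
# Stored relative to a root so the check can run against a mounted image as well.
KNOWN_PATHS = [
    "var/tmp/xapt",
    "usr/sbin/xapt",
    "etc/systemd/system/xapt.service",
]


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_path(root, rel_path):
    """Return a finding for one known path under root, or None if it is absent.

    hash_match is True only when the file matches the published hash; a present
    file with a different hash is still a finding (recompiled or modified sample).
    """
    full = os.path.join(root, rel_path)
    if not os.path.exists(full):
        return None
    digest = sha256_file(full)
    published = PUBLISHED_HASHES.get(os.path.basename(rel_path))
    return {"path": "/" + rel_path, "sha256": digest, "hash_match": digest == published}


def find_systemd_units_by_exec(root, needle="xapt"):
    """Scan unit files for ExecStart lines that reference `needle`.

    This generalises the write-up's fixed unit name: an operator can rename the
    unit, but the ExecStart line still has to point at the binary they want run.
    """
    unit_dir = os.path.join(root, "etc/systemd/system")
    hits = []
    if not os.path.isdir(unit_dir):
        return hits
    for name in sorted(os.listdir(unit_dir)):
        p = os.path.join(unit_dir, name)
        if not os.path.isfile(p):
            continue
        with open(p, "r", errors="replace") as f:
            for line in f:
                if line.strip().startswith("ExecStart") and needle in line:
                    hits.append({"unit": "/etc/systemd/system/" + name, "exec": line.strip()})
    return hits


def triage_host(root="/"):
    """Combine the path sweep and the unit scan into one report for a host or image."""
    findings = [f for f in (check_path(root, p) for p in KNOWN_PATHS) if f]
    return {"path_hits": findings, "unit_hits": find_systemd_units_by_exec(root)}


if __name__ == "__main__":
    # Assumed usage: run as root on a live host, or point at a mounted image root.
    print(triage_host("/"))
```

Treat a path hit with hash_match False as worth pulling for analysis rather than dismissing: the published hash covers one sample, and the same name and location reused with a rebuilt binary is exactly the pattern the post describes.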

GTIG noted the actor dropped GRIDTIDE on endpoints that contained personally identifiable information such as national ID numbers and voter IDs. In telecom environments, that kind of access can support surveillance, identification of persons of interest, and downstream targeting. GTIG did not directly observe exfiltration during this campaign, but the access described would plausibly support it.

How Google Sheets became C2

GRIDTIDE used a cell-based polling model. It watched cell A1 for commands, used A2:An to move data in chunks, and stored host fingerprint data in V1. It also “cleaned” the spreadsheet at runtime by clearing the first 1000 rows across columns A to Z, likely to avoid collisions with previous operator sessions.

Commands followed a compact four-part syntax: <type>-<command_id>-<arg_1>-<arg_2>, supporting remote command execution, uploads, and downloads. To reduce detection and fit into URL-safe contexts, GRIDTIDE encoded content using a URL-safe Base64 variant that swaps + and / for - and _.
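When a victim spreadsheet is recovered during incident response, the cell layout above (A1 for the command slot, V1 for the host fingerprint, A2 through An for chunked data) and the URL-safe Base64 variant are what an analyst needs to turn cell text back into bytes. The helper below is an added example written for this post, not GRIDTIDE code and not GTIG tooling. It maps A1-notation references to the roles the write-up describes, decodes the variant that swaps + and / for - and _ (accepting standard-alphabet and unpadded input too, since exported values often lose padding), and reassembles the A2..An chunks in row order. The dict-of-cells input shape is an assumption; the sample values are constructed.

```python
import base64
import re

A1_REF = re.compile(r"([A-Z]+)(\d+)")


def decode_urlsafe_b64(value):
    """Decode the URL-safe Base64 variant ('-' for '+', '_' for '/').

    Input is normalised to the standard alphabet and padding is restored, so the
    same call handles values copied through tools that re-encode or strip '='.
    """
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def cell_role(a1_ref):
    """Map an A1-notation cell to the role the write-up assigns it."""
    m = A1_REF.fullmatch(a1_ref.upper())
    if not m:
        raise ValueError("not an A1 reference: %r" % a1_ref)
    col, row = m.group(1), int(m.group(2))
    if col == "A" and row == 1:
        return "command"      # operator-to-implant command slot
    if col == "V" and row == 1:
        return "fingerprint"  # host identification data
    if col == "A" and row >= 2:
        return "data_chunk"   # A2..An carry chunked transfer data
    return "unknown"


def reassemble_chunks(cells):
    """Concatenate the decoded A2..An chunks in row order.

    `cells` maps A1 references to cell text, e.g. as exported from a recovered
    sheet; empty cells (cleared by the implant's runtime cleanup) are skipped.
    """
    chunks = []
    for ref, text in cells.items():
        if cell_role(ref) == "data_chunk" and text:
            row = int(A1_REF.fullmatch(ref.upper()).group(2))
            chunks.append((row, decode_urlsafe_b64(text)))
    return b"".join(data for _, data in sorted(chunks))


if __name__ == "__main__":
    # Constructed sample export, not a real recovered sheet.
    sample = {"A1": "", "V1": "aG9zdA", "A2": "-_8", "A3": "aGVsbG8"}
    print(reassemble_chunks(sample))
```

The role mapping is deliberately strict: anything outside A1, V1 and the A column is reported as unknown rather than guessed, so an analyst sees immediately when a recovered sheet does not match the documented layout.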

Figure: GRIDTIDE execution lifecycle.

Targeting and attribution: large footprint, distinct from “Salt Typhoon”

UNC2814 is assessed as a PRC-nexus espionage actor. GTIG says it has no observed overlaps with activity publicly reported as “Salt Typhoon,” and that it targets different victims using distinct tactics, techniques, and procedures. That matters because defenders often collapse separate campaigns into one narrative and miss the nuances that drive detection.

The initial access vector for this campaign has not been pinned down. GTIG notes the group has a history of exploiting web servers and edge systems. If you run internet-facing infrastructure in telecoms or government, you already know where this story tends to begin.

Figure: Countries with suspected or confirmed UNC2814 victims.

What defenders should take from this

The cloud is now part of the attacker’s camouflage. When API calls are your C2, network allowlists and “trusted SaaS” assumptions become liabilities. Defenders need better baselines for what legitimate API usage looks like in their own environments, and they need to treat service accounts as high-risk identities, especially in hybrid infrastructures where a single credential can bridge on-prem and cloud.

Start with the basics, but do them aggressively: inventory service accounts, rotate keys, lock down OAuth scopes, and alert on unusual Sheets API patterns. If your security telemetry cannot tell you which identities are calling which SaaS APIs and why, this campaign shows the cost of that blind spot.

Indicators of Compromise (IOCs)

The full IOC set is available in a Google Threat Intelligence (GTI) collection for registered users. Below is a practical subset of the host and network artifacts published for defenders to pivot on.

Host-Based Artifacts

Artifact | Description | SHA256
xapt | GRIDTIDE payload | ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47
xapt.cfg | Key file used to decrypt Google Drive configuration | 01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb
xapt.service | systemd persistence service | eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033
hamcore.se2 | SoftEther VPN Bridge component | 4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9
vpn_bridge.config | SoftEther VPN Bridge configuration | 669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966

Network-Based Artifacts

IPs (partial list)

  • 130[.]94[.]6[.]228 (hosted apt.tar.gz, update.tar.gz, amp.tar.gz)
  • 38[.]180[.]205[.]14 (HTTPS verification target observed in curl command)
  • 38[.]60[.]194[.]21 (SoftEther VPN server)
  • 45[.]76[.]184[.]214 (hosting malicious C2 domain)
  • 195[.]123[.]226[.]235 (hosting malicious C2 domain)
  • 149[.]28[.]139[.]125 (SoftEther VPN server)

Domains (sample)

  • 1cv2f3d5s6a9w[.]ddnsfree[.]com
  • admina[.]freeddns[.]org
  • applebox[.]camdvr[.]org
  • evilginx2[.]loseyourip[.]com
  • googles[.]accesscam[.]org
  • vmtools[.]loseyourip[.]com

User-Agent strings

  • Directory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip)
  • Google-HTTP-Java-Client/1.42.3 (gzip)

URLs

  • http://130[.]94[.]6[.]228/apt.tar.gz
  • http://130[.]94[.]6[.]228/update.tar.gz
  • http://130[.]94[.]6[.]228/amp.tar.gz
  • https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA
  • https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear
  • https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate

Note: The domain list associated with this campaign is extensive. If you are doing incident response or building detections, pull the full set from the GTI collection and treat it as hunting material, not a simple blocklist.
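The "baseline your API usage" advice in the defender section and the network IOCs above come together in proxy-log detection. The scanner below is an added example written for this post, not a GTIG or Mandiant detection. It keeps the indicators defanged as published and refangs them for matching, treats the three Sheets API call shapes as weak signals (they are legitimate endpoints that many Java clients hit), and only raises the score when the calling host is absent from a baseline of known Sheets API users. The tab-separated log format, the baseline host set, the scoring weights and the threshold are all assumptions; the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Network indicators from the write-up, kept defanged exactly as published.
IOC_IPS = {"130[.]94[.]6[.]228", "38[.]180[.]205[.]14", "38[.]60[.]194[.]21",
           "45[.]76[.]184[.]214", "195[.]123[.]226[.]235", "149[.]28[.]139[.]125"}
IOC_DOMAINS = {"1cv2f3d5s6a9w[.]ddnsfree[.]com", "admina[.]freeddns[.]org",
               "applebox[.]camdvr[.]org", "evilginx2[.]loseyourip[.]com",
               "googles[.]accesscam[.]org", "vmtools[.]loseyourip[.]com"}
IOC_USER_AGENTS = {
    "Directory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip)",
    "Google-HTTP-Java-Client/1.42.3 (gzip)",
}


def refang(indicator):
    """Turn a published '[.]' indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".")


REFANGED_HOSTS = {refang(i) for i in IOC_IPS | IOC_DOMAINS}

# Sheets API call shapes seen in the campaign: (name, path pattern, required query).
# These are legitimate endpoints, so each is a weak signal on its own.
SHEETS_PATTERNS = [
    ("sheets_read_a1_formula", re.compile(r"/v4/spreadsheets/[^/]+/values/A1$"),
     {"valueRenderOption": "FORMULA"}),
    ("sheets_batch_clear", re.compile(r"/v4/spreadsheets/[^/]+/values:batchClear$"), None),
    ("sheets_batch_update", re.compile(r"/v4/spreadsheets/[^/]+/values:batchUpdate$"), None),
]


def evaluate(host, url, user_agent, baseline_hosts):
    """Score one proxy record; returns (score, reasons). Weights are assumed, not published."""
    score, reasons = 0, []
    u = urlparse(url)
    if u.hostname in REFANGED_HOSTS:
        score += 10
        reasons.append("known_bad_host:" + u.hostname)
    if user_agent in IOC_USER_AGENTS:
        score += 3
        reasons.append("ioc_user_agent")
    if u.hostname == "sheets.googleapis.com":
        qs = {k: v[0] for k, v in parse_qs(u.query).items()}
        for name, path_re, required_qs in SHEETS_PATTERNS:
            if path_re.search(u.path) and (required_qs is None or
                                           all(qs.get(k) == v for k, v in required_qs.items())):
                score += 2
                reasons.append(name)
        if host not in baseline_hosts:
            score += 4
            reasons.append("sheets_api_from_unbaselined_host")
    return score, reasons


def parse_record(line):
    """Assumed record layout: timestamp, source host, method, URL, user agent (tab-separated)."""
    ts, host, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "host": host, "method": method, "url": url, "ua": ua}


def scan_log(lines, baseline_hosts, threshold=6):
    """Return the records whose score reaches the threshold, with their reasons attached."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        score, reasons = evaluate(rec["host"], rec["url"], rec["ua"], baseline_hosts)
        if score >= threshold:
            alerts.append({**rec, "score": score, "reasons": reasons})
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\tsrv-db01\tGET\thttp://130.94.6.228/apt.tar.gz\tcurl/7.76.1",
    "2024-01-01T10:05:00Z\tsrv-db01\tGET\thttps://sheets.googleapis.com:443/v4/spreadsheets/abc123"
    "/values/A1?valueRenderOption=FORMULA\tGoogle-HTTP-Java-Client/1.42.3 (gzip)",
    "2024-01-01T10:06:00Z\tbuild-01\tPOST\thttps://sheets.googleapis.com/v4/spreadsheets/xyz"
    "/values:batchUpdate\tGoogle-HTTP-Java-Client/1.42.3 (gzip)",
    "2024-01-01T10:07:00Z\tbuild-01\tGET\thttps://www.googleapis.com/drive/v3/files\tMozilla/5.0",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, baseline_hosts={"build-01"}):
        print(alert["host"], alert["score"], alert["reasons"])
```

Note how the baselined build host using the same Java client library and the same batchUpdate endpoint stays below the threshold: the point is not that Sheets API traffic is bad, but that a database server that has never called the Sheets API suddenly polling A1 with valueRenderOption=FORMULA is. The baseline set is the part you have to build from your own telemetry.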

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.