# GRIDTIDE Espionage: PRC-Nexus UNC2814 Targets Telecoms Globally

## Overview: Disrupting the GRIDTIDE Cyber Espionage Campaign
Google Threat Intelligence Group (GTIG), in collaboration with Mandiant and other partners, recently executed a coordinated disruption of the GRIDTIDE global cyber espionage campaign. This campaign, attributed to UNC2814, a suspected People’s Republic of China (PRC)-nexus threat actor, has actively targeted telecommunications and government organizations across 42 nations on four continents, with suspected infections in at least 20 more countries. GTIG has tracked UNC2814 since 2017, identifying them as a prolific and elusive group with a history of targeting international governments and global telecommunications organizations in Africa, Asia, and the Americas.
The novelty of the GRIDTIDE backdoor lies in its use of a legitimate cloud-hosted service, specifically the Google Sheets API, for command-and-control (C2) communications. Because the traffic is ordinary HTTPS to a widely used Google endpoint, malicious polling blends in with benign activity and evades traditional network detection. As GTIG reports, this activity does not stem from a security vulnerability in Google's products but from abuse of legitimate functionality.

## Technical Analysis of GRIDTIDE and UNC2814 TTPs

### Initial Access and Post-Compromise Activity
While the specific initial access vector for this campaign remains undetermined, UNC2814 has historically exploited and compromised web servers and edge systems to gain entry. Once inside, Mandiant's investigations, leveraging Google Security Operations (SecOps), detected suspicious activity involving the execution of `/var/tmp/xapt`, a binary masquerading as a legacy Debian tool. This binary initiated a shell with root privileges and ran `sh -c id 2>&1` as reconnaissance to confirm it held root privileges.

Post-compromise, UNC2814 leverages living-off-the-land (LotL) binaries for lateral movement via SSH, further reconnaissance, and establishing persistence for the GRIDTIDE backdoor. Persistence is achieved by creating a systemd service file at `/etc/systemd/system/xapt.service`, which launches the malware from `/usr/sbin/xapt`. Additionally, the threat actor deploys SoftEther VPN Bridge to establish outbound encrypted connections, indicating long-term operational infrastructure dating back to July 2018.

### GRIDTIDE Backdoor Capabilities
GRIDTIDE is a C-based backdoor with extensive capabilities, including executing arbitrary shell commands, uploading files, and downloading files. Its distinctive C2 mechanism leverages Google Sheets as a high-availability platform for data and command transfer. The malware decrypts its Google Drive configuration with AES-128 in CBC mode, using a 16-byte key read from a separate file; the decrypted configuration includes a service account and its private key, which the backdoor uses to authenticate to the Google Sheets API.

Upon execution, GRIDTIDE performs host-based reconnaissance, collecting details such as username, endpoint name, OS information, local IP, and environment data, and exfiltrates them to cell V1 of the attacker-controlled spreadsheet. To maintain operational hygiene and prevent interference, the backdoor uses the `batchClear` API method to delete the first 1000 rows of columns A to Z.
### Cell-Based Command and Control

GRIDTIDE's C2 communication relies on a precise cell-based polling mechanism:

* **Cell A1**: Polled via the Google Sheets API for attacker commands (e.g., `C-C-` for command execution). Upon task completion, the malware overwrites it with a status response (e.g., `S-C-R` for server-command-success).
* **Cells A2-An**: Used for transferring data, including command output, uploaded tools, or exfiltrated files.
* **Cell V1**: Dedicated to storing victim host metadata.

Commands adhere to a `<type>-<command_id>-<arg_1>-<arg_2>` syntax, facilitating remote command execution, file uploads, and file downloads. To evade detection and web filtering, all data exchanged is encoded using a URL-safe Base64 scheme.
### Targeting Profile
UNC2814’s primary targets in the GRIDTIDE campaign are telecommunications providers and government organizations globally. Confirmed intrusions impacted 53 victims in 42 countries, with suspected activity in an additional 20+ nations, highlighting the extensive and long-standing nature of this espionage operation. The targeting of personally identifiable information (PII) – including full names, phone numbers, dates/places of birth, voter IDs, and national IDs – aligns with cyber espionage objectives to identify, track, and monitor persons of interest. Historically, similar PRC-nexus operations have led to the exfiltration of call data records, unencrypted SMS messages, and abuse of lawful intercept systems, underscoring the severe implications for victim organizations and their customers.
## Actionable Recommendations and Mitigations
Organizations in the telecommunications and government sectors should prioritize strengthening their defenses against sophisticated espionage groups like UNC2814. Given the adversary’s reliance on legitimate services for C2 and the use of LotL techniques, detection requires advanced monitoring and analysis capabilities.
### Proactive Detections
Defenders should implement robust monitoring for the following TTPs:
* **Suspicious API Calls**: Monitor for non-browser processes initiating outbound HTTPS requests to Google Sheets API endpoints, particularly `batchClear`, `batchUpdate`, and `valueRenderOption=FORMULA`.
```plain
target.url = /sheets.googleapis.com/ AND
( target.url = /batchClear/ OR target.url = /batchUpdate/ OR target.url = /valueRenderOption=FORMULA/ ) AND
principal.process.file.full_path != /chrome|firefox|safari|msedge/
```
* **Unusual File Creation**: Detect configuration files being created or modified in unexpected directories, such as `/usr/sbin`, `/sbin`, or `/var/tmp`.
```plain
(
metadata.event_type = "FILE_CREATION" OR
metadata.event_type = "FILE_MODIFICATION" OR
metadata.event_type = "FILE_MOVE"
)
AND target.file.full_path = /^(\/usr\/sbin|\/sbin|\/var\/tmp)\/[^\\\/]+\.cfg$/ nocase
```
* **Shell Execution from Temp Directories**: Identify executables with short alphanumeric filenames launching from `/var/tmp/` and spawning a shell.
```plain
principal.process.file.full_path = /^\/var\/tmp\/[a-z0-9]{1,10}$/ nocase AND target.process.file.full_path = /\b(ba)?sh$/ nocase
```
* **Systemd Service Creation**: Monitor for the creation of new `systemd` service files, especially those executing unknown binaries.
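The four detections above can be exercised offline before they are deployed. The following Python script is an added example, not code from GTIG, Mandiant, or the GRIDTIDE report: it re-implements each rule over a simplified, constructed event shape whose keys loosely mirror the UDM fields used in the rules (`principal.process.file.full_path`, `target.url`, and so on) but are not the real Chronicle schema. The sample events, the `SHEET_ID_PLACEHOLDER` spreadsheet id, and the `PACKAGE_OWNED` inventory (a stand-in for what a package manager would vouch for) are all constructed assumptions. For the systemd rule it goes one step beyond the page by parsing `ExecStart=` out of the new unit file so that a unit pointing at a binary the package manager does not own is rated higher than any other new unit.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed, simplified event records (not the real Chronicle/UDM schema).
Event = Dict[str, str]


class Finding(NamedTuple):
    rule: str
    severity: str
    subject: str


BROWSER_RE = re.compile(r"chrome|firefox|safari|msedge", re.I)
SHEETS_API_RE = re.compile(r"sheets\.googleapis\.com", re.I)
SHEETS_OP_RE = re.compile(r"batchClear|batchUpdate|valueRenderOption=FORMULA")
ODD_CFG_RE = re.compile(r"^(/usr/sbin|/sbin|/var/tmp)/[^/]+\.cfg$", re.I)
TMP_BIN_RE = re.compile(r"^/var/tmp/[a-z0-9]{1,10}$", re.I)
SHELL_RE = re.compile(r"\b(ba)?sh$", re.I)
UNIT_RE = re.compile(r"^/etc/systemd/system/[^/]+\.service$")
FILE_EVENTS = {"FILE_CREATION", "FILE_MODIFICATION", "FILE_MOVE"}

# Assumption: stand-in for a package-manager inventory (what `dpkg -S` or
# `rpm -qf` would vouch for). A real deployment queries the package database.
PACKAGE_OWNED = {"/usr/lib/systemd/systemd-timesyncd", "/usr/sbin/sshd"}


def rule_sheets_api(ev: Event) -> Optional[Finding]:
    """Non-browser process calling the Sheets API with the operations GRIDTIDE uses."""
    if ev.get("event_type") != "NETWORK_HTTP":
        return None
    url = ev.get("target_url", "")
    proc = ev.get("principal_process_path", "")
    if SHEETS_API_RE.search(url) and SHEETS_OP_RE.search(url) and not BROWSER_RE.search(proc):
        return Finding("sheets_api_nonbrowser", "high", f"{proc} -> {url}")
    return None


def rule_cfg_in_odd_dir(ev: Event) -> Optional[Finding]:
    """A .cfg file written to /usr/sbin, /sbin or /var/tmp (where xapt.cfg was dropped)."""
    if ev.get("event_type") in FILE_EVENTS and ODD_CFG_RE.match(ev.get("target_file_path", "")):
        return Finding("cfg_in_system_dir", "medium", ev["target_file_path"])
    return None


def rule_tmp_shell(ev: Event) -> Optional[Finding]:
    """A short alphanumeric binary under /var/tmp spawning sh or bash."""
    if ev.get("event_type") != "PROCESS_LAUNCH":
        return None
    parent = ev.get("principal_process_path", "")
    child = ev.get("target_process_path", "")
    if TMP_BIN_RE.match(parent) and SHELL_RE.search(child):
        return Finding("tmp_binary_spawns_shell", "high", f"{parent} -> {child}")
    return None


def parse_exec_start(unit_text: str) -> Optional[str]:
    """Return the executable named by the first ExecStart= line of a unit file.
    systemd permits '-', '@', ':', '+' and '!' prefixes before the path; strip them."""
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ExecStart" and value.strip():
            return value.strip().split()[0].lstrip("-@:+!")
    return None


def rule_new_systemd_unit(ev: Event) -> Optional[Finding]:
    """Any new unit file is worth a look; one whose ExecStart is not package-owned is worse."""
    path = ev.get("target_file_path", "")
    if ev.get("event_type") not in FILE_EVENTS or not UNIT_RE.match(path):
        return None
    exe = parse_exec_start(ev.get("file_content", ""))
    if exe and exe not in PACKAGE_OWNED:
        return Finding("systemd_unit_unknown_binary", "high", f"{path} ExecStart={exe}")
    return Finding("systemd_unit_created", "low", path)


RULES = (rule_sheets_api, rule_cfg_in_odd_dir, rule_tmp_shell, rule_new_systemd_unit)


def scan(events: Iterable[Event]) -> List[Finding]:
    """Run every rule over every event, in input order, and collect the hits."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: events modelled on the intrusion described above,
# interleaved with benign look-alikes that the rules must leave alone.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "PROCESS_LAUNCH", "principal_process_path": "/var/tmp/xapt",
     "target_process_path": "/bin/sh", "target_cmdline": "sh -c id 2>&1"},
    {"event_type": "PROCESS_LAUNCH", "principal_process_path": "/usr/bin/python3",
     "target_process_path": "/bin/sh", "target_cmdline": "sh -c ls"},
    {"event_type": "FILE_CREATION", "target_file_path": "/usr/sbin/xapt.cfg"},
    {"event_type": "FILE_CREATION", "target_file_path": "/etc/myapp/app.cfg"},
    {"event_type": "FILE_CREATION", "target_file_path": "/etc/systemd/system/xapt.service",
     "file_content": "[Service]\nExecStart=/usr/sbin/xapt\n[Install]\nWantedBy=multi-user.target\n"},
    {"event_type": "FILE_CREATION", "target_file_path": "/etc/systemd/system/ssh.service",
     "file_content": "[Service]\nExecStart=-/usr/sbin/sshd -D\n"},
    {"event_type": "NETWORK_HTTP", "principal_process_path": "/usr/sbin/xapt",
     "target_url": "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values:batchClear"},
    {"event_type": "NETWORK_HTTP", "principal_process_path": "/usr/bin/google-chrome",
     "target_url": "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values:batchUpdate"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.subject}")
```

Running the script flags five of the eight constructed events: the `/var/tmp/xapt` shell spawn, `xapt.cfg` in `/usr/sbin`, the `xapt.service` unit pointing at a binary the inventory does not know, the `ssh.service` unit at low severity, and the non-browser `batchClear` call; the Python-spawned shell, the `.cfg` under `/etc/myapp`, and Chrome's `batchUpdate` call pass. The browser exclusion is the weak point of the Sheets rule, exactly as in the original: a process whose path merely contains `chrome` is trusted, so pair it with process-integrity checks rather than relying on the name alone.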
### Indicators of Compromise (IOCs)
Review network and host logs for the following indicators. A comprehensive collection of IOCs is available from GTIG.
**Host-Based Artifacts (SHA256)**:
* `ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47` (GRIDTIDE `xapt`)
* `01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb` (`xapt.cfg`)
* `eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033` (`xapt.service`)
* `4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9` (`hamcore.se2`, `fire` – SoftEtherVPN Bridge components)
* `669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966` (`vpn_bridge.config`)
**Network-Based Artifacts (Selected Examples)**:
* **C2 IPs**: `130[.]94[.]6[.]228`, `38[.]180[.]205[.]14`, `38[.]60[.]194[.]21`, `38[.]54[.]112[.]184`, `38[.]60[.]171[.]242`, `195[.]123[.]211[.]70`, `202[.]59[.]10[.]122`, `38[.]60[.]252[.]66`, `45[.]76[.]184[.]214`, `45[.]90[.]59[.]129`, `195[.]123[.]226[.]235`, `65[.]20[.]104[.]91`, `5[.]34[.]176[.]6`, `139[.]84[.]236[.]237`, `149[.]28[.]128[.]128`, `38[.]54[.]31[.]146`, `178[.]79[.]188[.]181`, `38[.]54[.]37[.]196`, `207[.]148[.]73[.]18`, `38[.]60[.]224[.]25`, `149[.]28[.]139[.]125`, `38[.]54[.]32[.]244`, `38[.]54[.]82[.]69`, `45[.]76[.]157[.]113`, `45[.]77[.]254[.]168`, `139[.]180[.]219[.]115`
* **User-Agents**: `Directory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip)`, `Google-HTTP-Java-Client/1.42.3 (gzip)`
* **C2 Domains (partial list)**: `1cv2f3d5s6a9w[.]ddnsfree[.]com`, `admina[.]freeddns[.]org`, `applebox[.]camdvr[.]org`, `cdnvmtools[.]theworkpc[.]com`, `googles[.]ddnsfree[.]com`, `Microsoft[.]bumbleshrimp[.]com`, `telkomservices[.]theworkpc[.]com`, `updatetools[.]giize[.]com`, `vmtools[.]camdvr[.]org`, `zwt310n3o1unety2kab[.]webredirect[.]org`
Organizations should immediately review their environments for these IOCs and implement the recommended detection rules. The global scale and persistence of UNC2814 underscore the need for a comprehensive threat intelligence approach and active defense strategies.