The Google Threat Intelligence Group (GTIG) on Feb. 25 reported that GTIG, Mandiant, and its partners disrupted a China-linked espionage campaign that impacted 53 victims in 42 countries across four continents.In its blog post, GTIG said it's tracked the threat actor — UNC2814 — since 2017. UNC2814 has a long history of attacking telecoms and government organizations in Africa, Asia and the Americas.What was especially concerning to security pros was that the campaign was conducted over nearly a decade and overall, the PRC-nexus threat actor conducted activities in nearly 70 countries.According to GTIG, the attacker used API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions.“Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate,” wrote the researchers. As part of the investigation, Mandiant discovered that UNC2814 was leveraging a novel backdoor tracked as GRIDTIDE. The researchers said this activity was not the result of a security vulnerability in Google’s products. Rather, rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic.GTIG noted that UNC2814 has no observed overlaps with activities by China's Ministry of State Security threat group Salt Typhoon, and targets different victims globally using distinct tactics, techniques, and procedures (TTPs). The researchers said although the specific initial access vector for this campaign has not been determined, UNC2814 has a history of gaining entry by exploiting and compromising web servers and edge systems.“It’s great to see hyperscalers dedicate resources to hunting and taking down threat actor infrastructure,” said Sunil Gottumukkala. “Equally important is the threat intelligence they’re sharing with the rest of the industry so defenders can take concrete steps to protect their environments. This incident also reinforces that threat actors continue to leverage commercial cloud and SaaS infrastructure as part of their operations.”Duncan Greatwood, chief executive officer at Xage Security, explained that the use of publicly accessible media like Google Sheets for communication between hackers makes sense. Greatwood said because the message may never be “sent” — or may never get shared in a Google Sheet — it can attract less attention.“Ironically though, it’s clear that these messages did eventually attract attention,” said Greatwood. “Shared accounts and unencrypted data are vulnerable — even for hackers, and even when 'hidden' in a vast amount of data, such as Google's Workspace."
Application security, Threat Management, Threat Intelligence, Ransomware, Breach, Cloud Security, Government security

Google disrupts decade-long China-linked UNC2814 espionage campaign

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



