The story reported on NaturalNews.com (dated February 28, 2026) details Google's Threat Intelligence Group (GTIG), in collaboration with Mandiant and other partners, disrupting a major Chinese-linked cyber espionage operation. This campaign, attributed to the hacking group UNC2814 (also known as Gallium), targeted telecommunications companies and government organizations across 42 countries, with confirmed breaches in at least 53 entities (and potential access in over 20 more).

This is a legitimate and significant disclosure from Google, announced around February 25, 2026, via their official blog and shared with outlets like Reuters, The Hacker News, SecurityWeek, and others. It's distinct from the better-known Salt Typhoon (also called RedMike, GhostEmperor, or linked to groups like OPERATOR PANDA), which has focused heavily on U.S. telecoms and global surveillance since around 2019–2022, often involving metadata theft and access to high-profile communications.

Key Details of the UNC2814 / GRIDTIDE Campaign

Timeline and Scope: Active since at least 2017, making it a nearly decade-long effort. Many victims were compromised for years without detection, as noted by GTIG researcher Dan Perez: "We believe many of these organizations have been compromised for years."

Targets: Primarily telecom providers and government agencies in Africa, Asia, the Americas, and beyond. The goal aligns with classic cyber espionage—identifying, tracking, and monitoring persons of interest through telecom access.

Methods and Tradecraft:

- Initial access often via compromised edge devices (e.g., routers, IoT, web servers) with weak security.

- Persistence using tools like SoftEther VPN (a favourite among Chinese state-linked actors) and malware installed as system services.

- A novel custom backdoor called GRIDTIDE (written in C) enables remote command execution, file transfers, and data exfiltration (e.g., full names, phone numbers, birthdates, voter/national IDs).

- Sophisticated evasion: abuse of the legitimate Google Sheets API as a covert command-and-control (C2) channel. Hackers used specific cells in spreadsheets (e.g., A1, A2–An, V1) to send and receive commands and to exfiltrate data, blending malicious activity with normal traffic.

Disruption Actions: Google terminated the attackers' Google Cloud projects, disabled infrastructure, revoked API access, and released indicators of compromise (IOCs). The campaign had not exploited any vulnerability in Google's own products; it abused legitimate features, so revoking that access was enough to sever the operation.

Google's chief analyst John Hultquist described it as "a vast surveillance apparatus used to spy on people and organisations throughout the world." Charley Snyder from GTIG noted confirmed access in 42 countries at disruption time.

This incident highlights several escalating trends in state-sponsored cyber operations, particularly from China-linked actors (suspected PRC-nexus, though Beijing denies involvement and calls such claims smears).

1. Global Scale and Persistence of Espionage: Campaigns like this show how PRC-linked groups maintain long-term access for intelligence gathering. By infiltrating telecoms worldwide, attackers gain visibility into communications, movements, and relationships of diplomats, officials, dissidents, executives, and military personnel. This isn't just "hacking" — it's building a global surveillance network. The overlap with Salt Typhoon (which hit U.S. providers like AT&T and Verizon) suggests a multi-pronged strategy: one for broad telecom backbone access, another for targeted regional/government hits.

2. Vulnerabilities in Edge and Supply Chain Security: Edge devices (routers, firewalls, IoT) remain a weak link, often poorly patched or monitored compared to core systems. Attackers exploit this for stealthy entry, then pivot inward. This echoes warnings in Google's February 2026 reports on threats to the defense industrial base, where China-nexus groups lead in volume of espionage against aerospace/defense entities.

3. Abuse of Legitimate Cloud Services (Living off the Land): Using Google Sheets for C2 is clever tradecraft: it looks like normal business activity, evades many detections, and forces defenders to scrutinise benign tools. This tactic is increasingly common among advanced actors (PRC, Russia, etc.), complicating attribution and response.

4. Geopolitical and National Security Implications

   - Intelligence Advantage: Access to telecom metadata/call records enables mass surveillance, potentially aiding military planning, influence operations, or pre-positioning for conflict (e.g., similar to Volt Typhoon's infrastructure pre-positioning).

   - Eroding Trust in Global Tech/Telecom: Repeated breaches fuel calls for "digital sovereignty," bans on certain hardware (e.g., Huawei echoes), and scrutiny of cloud dependencies.

   - Big Tech's Role: Google's proactive disruption (via GTIG/Mandiant) shows private companies filling gaps in state-level defence, but it also raises questions about power concentration in a few firms.

   - Escalation Risks: China consistently denies state ties, accusing the West of hypocrisy. Yet patterns (e.g., MSS/PLA links in similar groups) contribute to heightened U.S.-China cyber tensions, sanctions, and export controls.

5. Defensive Lessons: Organisations need better edge-device hardening, API monitoring, anomaly detection in cloud services, and threat hunting. Governments push for international coordination (e.g., joint advisories on Salt Typhoon). For individuals, it reinforces risks of over-reliance on interconnected tech.
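A defender-side check for the Sheets-as-C2 tradecraft described under Methods and the API-monitoring lesson in item 5, as an added example that is not part of the article or of Google's tooling: it flags clients whose requests to sheets.googleapis.com arrive at machine-regular intervals, the signature of a backdoor polling a command cell. The log format, host names, spreadsheet paths and thresholds are constructed assumptions.

```python
"""Flag clients polling the Google Sheets API on a fixed timer. Added example, not
the article's or Google/GTIG's code; log format, hosts, paths and thresholds are
constructed. A backdoor reading a command cell on a schedule yields low-jitter gaps."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

API_HOST = "sheets.googleapis.com"
MIN_EVENTS = 4     # samples needed before judging regularity
MAX_JITTER = 0.15  # stdev/mean of request gaps below this looks machine-driven

def find_beaconing_clients(log_text, allow=frozenset()):
    """Return {client: (count, mean_gap_s, jitter)} for clients not in `allow`
    whose requests to API_HOST are frequent and evenly spaced."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        # Constructed format: '<ISO ts> <client> <dest> <method> <path>'
        ts, client, dest, _method, _path = line.split()
        if dest == API_HOST and client not in allow:
            by_client[client].append(datetime.fromisoformat(ts))
    alerts = {}
    for client, times in by_client.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter < MAX_JITTER:
            alerts[client] = (len(times), avg, jitter)
    return alerts

# Constructed proxy log: a switch-management host reads cell A1 every ~5 min then
# writes V1 (network gear has no business in spreadsheets); an analyst workstation
# uses Sheets at human, irregular intervals; calls to other APIs are ignored.
SAMPLE_LOG = """
2026-02-20T10:00:00 core-sw-01 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Sheet1!A1
2026-02-20T10:05:01 core-sw-01 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Sheet1!A1
2026-02-20T10:09:59 core-sw-01 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Sheet1!A1
2026-02-20T10:15:00 core-sw-01 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Sheet1!A1
2026-02-20T10:20:00 core-sw-01 sheets.googleapis.com PUT /v4/spreadsheets/SHEET_ID/values/Sheet1!V1
2026-02-20T10:02:00 core-sw-01 www.googleapis.com GET /oauth2/v3/tokeninfo
2026-02-20T10:01:12 analyst-ws-07 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Budget!A1:F40
2026-02-20T10:03:45 analyst-ws-07 sheets.googleapis.com PUT /v4/spreadsheets/SHEET_ID/values/Budget!C12
2026-02-20T10:44:02 analyst-ws-07 sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID/values/Budget!A1:F40
2026-02-20T11:30:30 analyst-ws-07 sheets.googleapis.com PUT /v4/spreadsheets/SHEET_ID/values/Budget!D3
"""

if __name__ == "__main__":
    for host, (n, avg, jit) in find_beaconing_clients(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} Sheets API calls every ~{avg:.0f}s, jitter {jit:.3f}")
```

Tune MIN_EVENTS and MAX_JITTER to the polling cadence you can observe in your own proxy or DNS telemetry, and populate `allow` with the hosts that legitimately use the API.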

This UNC2814 campaign is a stark reminder that cyber espionage isn't episodic — it's a persistent, evolving front in great-power competition, with telecoms as prime battlegrounds. The disruption is a win for defenders, but the actors will likely adapt quickly. Vigilance, patching, and international info-sharing remain essential countermeasures.

The CCP continues its cyber war against the West.

https://www.naturalnews.com/2026-02-28-google-exposes-massive-chinese-cyber-espionage-campaign.html