A large-scale cyber surveillance campaign linked to China has been disrupted by Google, which said the group targeted telecom and government organisations in at least 42 countries.
The hacking group, tracked as UNC2814 and also known as “Gallium,” is believed to have spied on 53 victims. According to Google, the attackers deployed a Linux-based backdoor named Gridtide, written in C. The malware enabled remote command execution, file uploads and downloads, and data theft.
“This was a vast surveillance apparatus used to spy on people and organisations throughout the world,” said John Hultquist, chief analyst at Google Threat Intelligence Group, as reported by a news agency.
To conceal operations, UNC2814 used Google Sheets as a covert communication channel to send and receive stolen information. The compromised data reportedly included names, phone numbers, dates and places of birth, voter IDs, and national ID numbers.
In response, Google and its partners blocked the group’s access to Google Cloud, dismantled its internet infrastructure, and disabled the Google Sheets accounts involved. The company clarified that the use of Sheets did not compromise any of its products.
“We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications,” Google said. “The access UNC2814 achieved during this campaign would likely enable clandestine efforts to similarly surveil targets.”
Google stated that UNC2814 likely targeted at least 20 additional countries outside North America. The campaign has been tracked since 2017 and appears to reflect nearly a decade of coordinated activity.
The attackers reportedly exploited web servers and edge systems while blending malicious traffic with normal network activity. Charley Snyder, senior manager at Google Threat Intelligence Group, confirmed that access was established in 53 organisations, with potential exposure in 22 more countries before the disruption.
Google also clarified that UNC2814 is separate from Salt Typhoon, another China-linked group that targeted hundreds of US organisations and politicians, including the phone of US President Donald Trump.
“UNC2814 has no observed overlaps with activity publicly reported as ‘Salt Typhoon,’ and targets different victims globally using distinct tactics, techniques, and procedures,” the company said.
Affected organisations have been notified. The technical report outlines details of the Gridtide backdoor, infrastructure methods, and VPN usage to mask activity.
A spokesperson for the Chinese Embassy, Liu Pengyu, said, “Cybersecurity is a common challenge faced by all countries and should be addressed through dialogue and cooperation. China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cybersecurity issues to smear or slander China,” according to sources.