
A China-linked cyber espionage operation spanning nearly a decade infiltrated telecommunications and government networks across 42 countries before Google disrupted the surveillance apparatus.
Story Snapshot
- Google Threat Intelligence Group dismantled UNC2814, a suspected Chinese state-sponsored hacking group that compromised 53 organizations across 42 countries since 2017
- Attackers used the sophisticated GRIDTIDE malware, which abused the Google Sheets API for command-and-control so that surveillance traffic looked like legitimate cloud activity and evaded standard security detection
- Telecommunications and government entities in Africa, Asia, and the Americas were targeted for personal identification data and communications intelligence
- Google terminated attacker-controlled cloud infrastructure, revoked API access, and released detection tools while warning the group will attempt to rebuild operations
Decade-Long Espionage Campaign Exposed
Google Threat Intelligence Group has tracked the suspected People’s Republic of China-nexus cyber espionage actor UNC2814 since 2017, documenting what researchers describe as a prolific and elusive threat. The group breached at least 53 organizations across 42 countries, with suspected activity extending to over 70 nations worldwide. Targets included critical telecommunications providers and government agencies across Africa, Asia, and the Americas, creating a vast surveillance network focused on harvesting personal identification information, including names, phone numbers, and identification documents, from telecom databases.
Sophisticated Malware Weaponizes Cloud Services
UNC2814 deployed a novel Linux backdoor named GRIDTIDE that abused the Google Sheets application programming interface (API) for command-and-control communications, disguising malicious traffic as routine cloud activity. This approach let the attackers evade standard security tools by blending espionage operations into legitimate software-as-a-service traffic patterns. The malware provided remote command execution, file transfer, and data exfiltration capabilities while maintaining persistent access through compromised web servers and edge network systems. Google emphasized that no Google products were compromised; the attackers controlled their own separate Google Cloud projects to facilitate operations.
Coordinated Disruption Halts Global Operations
Google coordinated with Mandiant and unnamed industry partners during the week preceding February 25, 2026, to execute a comprehensive disruption of UNC2814 infrastructure. Actions included terminating attacker-controlled Google Cloud projects, disabling command-and-control infrastructure through sinkholing, revoking Google Sheets API access, and notifying all identified victims. Google released indicators of compromise documented since 2023 and updated detection signatures to enable security teams worldwide to hunt for residual threats within their networks. The coordinated takedown represents a significant private-sector response to state-sponsored advanced persistent threats.
Threat to American Interests and Allies
The campaign targeted countries including Afghanistan, Australia, Belgium, Cambodia, Malaysia, Russia, Vietnam, and the Philippines, creating risks for American citizens and allies whose communications and personal data transited compromised telecommunications infrastructure. The focus on telecom providers represents a direct threat to communications security, enabling surveillance of call records, text messages, and customer information at scale. This type of intelligence collection supports broader Chinese Communist Party objectives to monitor dissidents, track foreign government officials, and collect strategic intelligence on nations across multiple continents. The breach erodes trust in critical infrastructure that Americans and allied populations depend upon daily.
Expected Resurgence Despite Setback
Google Threat Intelligence Group warned that prolific intrusions of this scale will not be easily re-established but expects UNC2814 will work diligently to rebuild capabilities. The decade-long persistence demonstrates sophisticated tradecraft and substantial state resources backing operations, suggesting the disruption represents a temporary setback rather than permanent defeat. Security researchers note the campaign reflects years of focused effort in global telecommunications and government espionage, distinguishing UNC2814 from other China-nexus groups like Salt Typhoon through unique tactics. The Chinese Embassy issued predictable denials, rejecting what it termed smear accusations and calling for international dialogue while continuing to oppose hacking in principle.
Google Disrupts China-Tied Cyber Campaign That Hacked 42 Countries
“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,”
Google: “If Anyone is going to spy on Americans it’s going to be Us!” https://t.co/olJNuo42tD
— George Orwell (@OrwellsRevenge) February 28, 2026
Broader Implications for Critical Infrastructure
The exposure of GRIDTIDE highlights emerging risks from API abuse in cloud and software-as-a-service environments, where attackers route command-and-control through legitimate services to mask malicious activity. Telecommunications and government sectors face heightened urgency to monitor edge systems and scrutinize API traffic patterns for behavioral anomalies that standard signature-based detection misses, since the traffic itself is valid HTTPS to a trusted endpoint. The incident advances cloud security practice by demonstrating the necessity of behavioral detection capabilities beyond traditional endpoint protection. Google’s disruption sets a precedent for private-sector companies taking proactive action against advanced persistent threats, though questions remain about government coordination and whether federal agencies should play larger roles in defending critical infrastructure from state-sponsored attacks.
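As an added illustration of the behavioral check described above (this is example code written for this summary, not code from Google's report or from GRIDTIDE itself), the following Python script parses constructed egress-proxy log lines and flags server-class hosts that poll sheets.googleapis.com at near-constant intervals, the kind of beacon-like pattern a signature-based tool would miss because each request is ordinary HTTPS to a Google endpoint. The log format, hostnames, spreadsheet IDs and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API_HOST = "sheets.googleapis.com"  # real Sheets API endpoint

# Constructed egress-proxy log lines (not real data): "ts src_host dst_host method path".
# web-edge-01 polls the API every ~5 minutes; the laptop uses Sheets interactively.
SAMPLE_LOG = """\
2026-02-20T10:00:00Z web-edge-01 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
2026-02-20T10:03:17Z finance-laptop-07 sheets.googleapis.com GET /v4/spreadsheets/OTHER_ID/values/Sheet1
2026-02-20T10:05:02Z web-edge-01 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
2026-02-20T10:10:01Z web-edge-01 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
2026-02-20T10:11:40Z finance-laptop-07 sheets.googleapis.com PUT /v4/spreadsheets/OTHER_ID/values/Sheet1
2026-02-20T10:15:03Z web-edge-01 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
2026-02-20T10:18:00Z db-core-02 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
2026-02-20T10:19:59Z web-edge-01 sheets.googleapis.com GET /v4/spreadsheets/CONSTRUCTED_ID/values/A1
"""

def parse_log(text):
    """Group request timestamps per source host, keeping only Sheets API calls."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _method, _path = line.split()
        if dst == SHEETS_API_HOST:
            events[src].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events

def beacon_score(timestamps, min_events=4):
    """Return (count, mean_gap_seconds, jitter_ratio), or None if too few events."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else float("inf")
    return len(ts), avg, jitter

def find_suspicious_hosts(text, server_hosts, max_jitter=0.2):
    """Flag server-class hosts (which have no business using Sheets) that poll
    the API at near-constant intervals, i.e. beacon-like behaviour."""
    hits = []
    for host, stamps in parse_log(text).items():
        if host not in server_hosts:
            continue  # interactive Sheets use from workstations is expected
        score = beacon_score(stamps)
        if score and score[2] <= max_jitter:
            hits.append((host, score[0], round(score[1]), round(score[2], 3)))
    return sorted(hits)
```

In practice the server inventory would come from the CMDB and the log from the egress proxy or DNS resolver, with the jitter threshold tuned against a baseline of known-good automation.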