Gallium: Chinese Spy Network That Operated In 42 Countries Exposed By Google

The group is believed to have spied on 53 victims by secretly placing backdoors on devices containing sensitive personal information.

New Delhi:

Google disrupted a Chinese-linked hacking group that was attempting to infiltrate telecom and government organisations across at least 42 countries, the tech giant said Wednesday.

The group, tracked as UNC2814 and also known as “Gallium,” is believed to have spied on 53 victims. It used a backdoor called Gridtide, written in C and aimed at Linux systems. The malware could run commands remotely, upload and download files, and steal data, Google said.

“This was a vast surveillance apparatus used to spy on people and organisations throughout the world,” said John Hultquist, chief analyst with Google Threat Intelligence Group, as per Reuters.

To hide their activity, UNC2814 used Google Sheets to secretly send and receive information. The stolen data included names, phone numbers, dates and places of birth, voter IDs, and national ID numbers.

In response, Google and its partners cut off UNC2814's access to Google Cloud, disabled the group's internet infrastructure, and blocked the accounts it used on Google Sheets.

Google said the use of Sheets for communication did not compromise any of its products.

“We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications,” Google said. “The access UNC2814 achieved during this campaign would likely enable clandestine efforts to similarly surveil targets.”


UNC2814 likely targeted at least 20 other countries, excluding North America, the American tech giant said. The campaign, which Google has been tracking since 2017, appears to be the result of nearly a decade of effort.

The hackers gained access by exploiting web servers and edge systems and hid their activity within normal network traffic. Charley Snyder, senior manager at Google Threat Intelligence Group, said the group confirmed access to 53 organisations, with possible access in 22 more countries when the disruption occurred.
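The article notes that the group relayed data through Google Sheets and hid inside normal-looking traffic from compromised web and edge servers. One defensive check that follows from those two facts is to single out headless servers that talk to Sheets/Docs endpoints at all, since such hosts have no users editing spreadsheets. The script below is an added illustration, not code from Google's report; the proxy log format, host names and asset inventory are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log format (hypothetical): ts src_host dst_host method bytes_out "user_agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Google Sheets/Docs endpoints a workstation browser may legitimately reach;
# a headless web or edge server rarely has a reason to contact them.
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}

# Constructed sample traffic: two workstations and two servers.
SAMPLE_LOGS = """\
2025-01-10T09:00:01Z ws-1042 docs.google.com GET 512 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
2025-01-10T09:00:07Z edge-gw-3 sheets.googleapis.com POST 8192 "curl/7.88.1"
2025-01-10T09:00:09Z web-frontend-2 sheets.googleapis.com GET 300 "python-requests/2.31"
2025-01-10T09:00:15Z edge-gw-3 sheets.googleapis.com POST 16384 "curl/7.88.1"
2025-01-10T09:00:20Z ws-0007 sheets.googleapis.com GET 120 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121"
2025-01-10T09:00:25Z edge-gw-3 sheets.googleapis.com POST 4096 "curl/7.88.1"
"""

# Constructed asset inventory: hosts with no interactive users.
SERVER_HOSTS = {"edge-gw-3", "web-frontend-2"}


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_sheets_egress(lines, server_hosts):
    """Aggregate Sheets/Docs traffic per source host and flag headless servers.

    Returns alerts sorted by bytes sent, so the chattiest server comes first.
    """
    per_host = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "agents": set()})
    for line in lines:
        rec = parse(line)
        if not rec or rec["dst"] not in SHEETS_HOSTS:
            continue
        stats = per_host[rec["src"]]
        stats["requests"] += 1
        stats["bytes_out"] += int(rec["bytes"])
        stats["agents"].add(rec["ua"])
    alerts = [
        {"host": host, **stats, "agents": sorted(stats["agents"])}
        for host, stats in per_host.items()
        if host in server_hosts
    ]
    return sorted(alerts, key=lambda a: -a["bytes_out"])


if __name__ == "__main__":
    for alert in find_sheets_egress(SAMPLE_LOGS.splitlines(), SERVER_HOSTS):
        print(alert)
```

Workstation traffic to the same endpoints is deliberately left alone; the signal here is the asset role of the source, not the destination by itself.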


Google said UNC2814 is separate from Salt Typhoon, another Chinese-linked group that targeted hundreds of US organisations and politicians, including American President Donald Trump's phone.

“UNC2814 has no observed overlaps with activity publicly reported as ‘Salt Typhoon,’ and targets different victims globally using distinct tactics, techniques, and procedures,” the company said.


Victims have been notified, and the company's report provides technical details on UNC2814's backdoor and other methods, including VPNs used to hide activity.

A spokesperson for the Chinese Embassy, Liu Pengyu, said, “Cybersecurity is a common challenge faced by all countries and should be addressed through dialogue and cooperation. China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cybersecurity issues to smear or slander China,” as per Business Times.
