👤 AGONY
🗓️ 25 Feb 2026   🌍 Asia

Sheets of Deceit: Chinese Cyberspies Manipulated Global Networks Through Google Apps

Investigators reveal how a Chinese-linked espionage group slipped past defenses in dozens of countries using cloud-based subterfuge.

It started as a subtle disturbance - a few lines in a spreadsheet, a flicker of cloud activity. But beneath the surface, a sophisticated espionage campaign was quietly infiltrating government agencies and telecom giants worldwide. Now, after months of clandestine operations, cybersecurity experts have exposed the digital sleight of hand: Chinese cyberspies using Google Sheets as a covert command center to orchestrate attacks on a global scale.

According to Google’s Threat Intelligence Group and Mandiant, the espionage operation - active since at least 2023 - was anything but ordinary. Instead of relying on typical malware command-and-control (C2) channels, the attackers used the Google Sheets API, blending their communications with legitimate cloud traffic. This allowed their activities to go largely undetected by standard security monitoring tools.

The custom-built backdoor, dubbed GRIDTIDE, was the linchpin of their tactics. Once deployed, GRIDTIDE authenticated itself to Google using a hardcoded private key and sanitized its spreadsheet “control room” before beginning reconnaissance. It silently harvested sensitive details from infected systems - including usernames, hostnames, operating system versions, and network information - logging the data in an obscure cell. Commands from the attackers appeared as cryptic entries in the spreadsheet’s first cell, with the malware polling for new instructions and uploading stolen data in cleverly disguised fragments.

GRIDTIDE’s design was both methodical and stealthy. Its communication relied on a URL-safe encoding scheme, enabling it to evade detection and blend in with the daily deluge of cloud-based traffic. Investigators say the malware could execute arbitrary commands, upload or download files, and even reconstruct entire tools within the compromised environment - all under the guise of normal spreadsheet activity.
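The detection angle that follows from this description is timing, not content: a backdoor that polls a spreadsheet cell for orders produces requests to the Sheets API at a near-constant cadence, which a person editing a budget does not. The script below is an added example written for this article, not code from Google, Mandiant or the GRIDTIDE report. It parses a constructed outbound proxy log (the line format, host names, sheet id placeholder and thresholds are all assumptions) and flags hosts whose Sheets API calls recur with very low jitter. It also notes whether the host first exchanged a credential at Google's OAuth2 token endpoint, which is the documented way a service-account private key is turned into an access token; whether GRIDTIDE used exactly that endpoint is not stated in the article.

```python
"""Flag hosts whose Google Sheets API traffic looks like automated polling.

Added example for the article above; the log format, host names, sheet id and
thresholds are all constructed for illustration, not taken from the GRIDTIDE report.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of an outbound web-proxy log: "<ISO-8601 time> <host> <method> <url> <status>".
# ws-finance-07 reads one Sheets cell about once a minute with ~1 s jitter after a token
# exchange; laptop-hr-03 is a person working in a spreadsheet at irregular times.
SAMPLE_PROXY_LOG = """\
2026-02-20T09:00:00Z ws-finance-07 POST https://oauth2.googleapis.com/token 200
2026-02-20T09:00:01Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:01:02Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:02:01Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:03:02Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:04:00Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:05:01Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Sheet1!A1 200
2026-02-20T09:00:12Z laptop-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:D40 200
2026-02-20T09:07:40Z laptop-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:D40 200
2026-02-20T09:08:03Z laptop-hr-03 PUT https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!B7 200
2026-02-20T09:31:55Z laptop-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:D40 200
2026-02-20T09:45:10Z laptop-hr-03 GET https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/Budget!A1:D40 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d{3})$")
SHEETS_HOST = "sheets.googleapis.com"
# Google's real OAuth2 token endpoint; the service-account JWT flow posts here to get an access token.
TOKEN_URL = "https://oauth2.googleapis.com/token"

# Tunable assumptions: a host needs at least this many Sheets calls, with interval
# jitter (coefficient of variation) at or below this bound, to be called beacon-like.
MIN_REQUESTS = 5
MAX_JITTER_CV = 0.10


def parse_log(text):
    """Yield (timestamp, host, method, url, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_beaconing_hosts(text, min_requests=MIN_REQUESTS, max_cv=MAX_JITTER_CV):
    """Return {host: stats} for hosts whose Sheets API calls recur at a near-constant interval."""
    sheets_times = defaultdict(list)
    token_grants = set()
    for ts, host, method, url, status in parse_log(text):
        if method == "POST" and url.startswith(TOKEN_URL):
            token_grants.add(host)
        elif SHEETS_HOST in url:
            sheets_times[host].append(ts)

    findings = {}
    for host, times in sheets_times.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings[host] = {
                "requests": len(times),
                "mean_interval_s": round(avg, 1),
                "jitter_cv": round(cv, 3),
                "token_grant_seen": host in token_grants,
            }
    return findings


if __name__ == "__main__":
    for host, stats in find_beaconing_hosts(SAMPLE_PROXY_LOG).items():
        print(f"{host}: {stats}")
```

On the constructed log only ws-finance-07 is reported, with a mean interval of 60 s and a jitter coefficient of about 0.02; the human user never reaches the request threshold with a regular cadence. In practice the same statistic is worth computing per host and per spreadsheet id, and a token grant from a workstation that has no business running a service account is a stronger signal than the polling alone.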

While the exact method of initial access remains unknown, previous campaigns by the group behind GRIDTIDE, tracked as UNC2814, have exploited web server and edge system vulnerabilities. This time, the stakes were high: GRIDTIDE was found on systems containing sensitive personal information, though no confirmed data theft was observed before the campaign’s disruption.

The takedown was swift and coordinated. Google and its partners revoked API access, terminated cloud projects used by the attackers, and sinkholed domains linked to the operation. Impacted organizations received direct notifications and support to clean up infections. Yet experts warn that UNC2814 is likely to regroup, adapt, and return - perhaps with even more sophisticated tricks hidden in plain sight.

The GRIDTIDE affair is a stark reminder that even the most familiar tools can become weapons in the hands of skilled adversaries. As defenders patch the holes and recalibrate their sensors, one thing is clear: in the age of cloud computing, the boundaries between legitimate and malicious activity are more blurred than ever.

WIKICROOK

  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • API (Application Programming Interface): An API is a set of rules that lets different software systems communicate, acting as a bridge between apps. APIs are common cybersecurity targets.
  • Sinkhole: A sinkhole is a cybersecurity method that redirects malicious traffic to controlled servers, allowing experts to block attacks and study cyber threats.
  • Indicator of Compromise (IoC): An Indicator of Compromise (IoC) is a clue, like a suspicious file or IP address, that signals a system may have been hacked.
Tags: Chinese Cyberspies, GRIDTIDE, Google Sheets

AGONY
Elite Offensive Security Commander