GRIDTIDE: the backdoor that turned Google Sheets into a command and control channel in the UNC2814 campaign


Google has announced an intervention against the infrastructure used by a cyber-espionage group it tracks as UNC2814, attributed to actors with alleged links to China, after finding evidence of compromises at dozens of organizations around the world. According to Google's threat intelligence team, working with external partners, the campaign affected entities on multiple continents and relied on unconventional techniques to hide malicious activity inside legitimate cloud services. The intervention included disabling the attacker-controlled Google Cloud projects and revoking access to the accounts and API calls that were being abused as a command-and-control channel (Google report).

The central component identified by the researchers is a new backdoor named GRIDTIDE, written in C, which uses the Google Sheets API as its communication channel. Instead of talking to traditional C2 servers, the operators write and read cells in spreadsheets to issue commands, retrieve command output and transfer files. This turns traffic that looks benign at first glance (requests to the API of a productivity service) into a continuous control channel that is hard to distinguish from legitimate use.

[Image: illustration generated with AI]

In practical terms, GRIDTIDE implements a cell-polling mechanism: certain cells on the sheet act as instruction slots, others as temporary drop zones for command output and files, and others as records of the infected system. The malware can upload and download files and run shell commands remotely, making it a complete tool for reconnaissance, data extraction and establishing persistence. Although Google did not observe large-scale data transfer out of the compromised networks during the campaign described, it did find the malware installed on endpoints holding personally identifiable information, a clear sign of interest in targeted surveillance and cyber-espionage.

The attacks also show a pattern of targeting network perimeter and infrastructure assets. The researchers note that the actors appear to have gained initial access by compromising web servers and devices at the network edge, and then moved laterally within corporate environments using service accounts and SSH connections. These adversaries commonly use "living-off-the-land" binaries (legitimate operating-system tools) to perform reconnaissance, escalate privileges and launch code without readily triggering defenses, which complicates detection.

To consolidate access, the attackers used traditional persistence methods on Linux systems, creating a system service that ran the malicious binary on a recurring basis. The use of SoftEther VPN Bridge was also observed to establish outbound encrypted channels to external addresses; the security community has previously documented the use of SoftEther in operations attributed to China-linked groups, because of its flexibility and because it creates tunnels that are hard to distinguish from legitimate VPN traffic (SoftEther project site).
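A defender's first response to the persistence technique described above is to audit the service units on a host. The following script is an added example written for this article; it is not code from Google's report or from the GRIDTIDE analysis. It parses systemd unit text and flags the configuration a service created to re-run a dropped binary tends to have: an ExecStart binary in a world-writable or hidden location and an unconditional restart loop with a short delay. The trusted and suspicious directory lists, the restart threshold and the two sample units are assumptions constructed for illustration.

```python
"""
Audit of systemd service units for persistence indicators.

Added example (not from Google's report): parses unit-file text and flags
ExecStart binaries outside trusted directories and aggressive restart loops.
Directory lists, thresholds and sample units are constructed assumptions.
"""
import re
from collections import defaultdict

# Directories from which a packaged service binary is normally executed.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                     "/bin/", "/sbin/", "/lib/", "/opt/")
# World-writable or user-controlled locations that packaged units never use.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed sample units: one modelled on a normal sshd unit, one modelled
# on a dropped binary that is restarted unconditionally every few seconds.
SAMPLE_UNITS = {
    "sshd.service": """\
[Unit]
Description=OpenSSH server daemon
After=network.target

[Service]
Type=notify
ExecStart=/usr/sbin/sshd -D $OPTIONS
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
""",
    "sysupdate.service": """\
[Unit]
Description=System update helper

[Service]
Type=simple
ExecStart=/dev/shm/.cache/sysupdate --quiet
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
""",
}


def parse_unit(text):
    """Parse unit text into {section: {key: [values...]}}; duplicate keys are
    kept as lists because systemd allows them."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()].append(value.strip())
    return sections


def parse_seconds(value):
    """Convert a systemd time span such as '5', '5s', '100ms' or '1min' to
    seconds; unrecognised formats fall back to 0 (the most permissive reading)."""
    m = re.fullmatch(r"\s*([\d.]+)\s*(ms|s|sec|min|m)?\s*", value)
    if not m:
        return 0.0
    num, unit = float(m.group(1)), m.group(2) or "s"
    return {"ms": num / 1000, "min": num * 60, "m": num * 60}.get(unit, num)


def exec_path(exec_line):
    """Return the program path from an ExecStart value, dropping systemd's
    optional prefix characters ('-', '@', '+', '!', ':')."""
    parts = exec_line.split()
    return parts[0].lstrip("-@+!:") if parts else ""


def audit_unit(text, max_restart_sec=30):
    """Return a list of (finding, detail) tuples for one unit file."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for line in service.get("ExecStart", []):
        path = exec_path(line)
        if path.startswith(SUSPICIOUS_EXEC_DIRS):
            findings.append(("exec-from-suspicious-path", path))
        elif not path.startswith(TRUSTED_EXEC_DIRS):
            findings.append(("exec-from-untrusted-path", path))
        if any(part.startswith(".") for part in path.split("/") if part):
            findings.append(("hidden-path-component", path))
    # Restart=always re-runs the binary even after a clean exit; combined with
    # a short RestartSec it behaves like a scheduler for the payload.
    restart = service.get("Restart", ["no"])[-1]
    restart_sec = parse_seconds(service.get("RestartSec", ["100ms"])[-1])
    if restart == "always" and restart_sec < max_restart_sec:
        findings.append(("tight-restart-loop",
                         f"Restart={restart} RestartSec={restart_sec}s"))
    return findings


def audit_units(units):
    """Audit a {unit name: unit text} mapping; returns {unit name: findings}."""
    return {name: audit_unit(text) for name, text in units.items()}


if __name__ == "__main__":
    for name, findings in audit_units(SAMPLE_UNITS).items():
        print(name, findings or "clean")
```

In production the unit texts would come from `/etc/systemd/system` and `/run/systemd/system` (the locations an attacker with root can write), with the findings cross-checked against the package manager's file ownership. A timer-driven unit would additionally need its `[Timer]` section inspected, which this example does not do.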

Google describes the campaign as one of the most extensive and far-reaching it has seen in recent years, with confirmed or suspected compromises in a very large number of countries and targets including telecommunications operators and government agencies. As part of its response, the provider removed the attacker-controlled cloud infrastructure and issued formal notifications to the affected organizations, in addition to actively supporting victims with verified intrusions. The company warns that, although the takedown is a significant blow, these groups often invest years in building persistent access and will work to re-establish themselves.


The GRIDTIDE case highlights several challenges for modern defenses: on the one hand, the use of APIs and SaaS services as C2 channels forces us to rethink which traffic we consider "trusted"; on the other, the network edge (devices and services exposed to the Internet) remains a prime target because many of these devices lack malware detection and, once compromised, offer a direct path to internal resources. A recent analysis of edge trends shows how these surfaces have become attractive targets for global intrusions (GreyNoise report).

For organizations concerned about this type of threat, the lesson is twofold: both perimeter security and the control and monitoring of API usage and cloud service accounts must be strengthened. Recommended measures are to audit and restrict service-account permissions, monitor unusual calls to third-party APIs, log and analyse the use of administrative tools, and apply network segmentation that limits lateral movement. It is also key to have clear procedures for revoking credentials and shutting down cloud projects at the first sign of compromise, as Google did in this case.
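The cell-polling design described earlier and the recommendation above to monitor unusual calls to third-party APIs meet in one practical check: a host that reads a spreadsheet at near-constant intervals looks nothing like a person editing one. The script below is an added example written for this article, not code from Google's report. It runs a beaconing heuristic over constructed egress-proxy log lines, grouping requests by source host and destination, computing the inter-request intervals and flagging groups whose coefficient of variation (standard deviation divided by the mean) is low. The log format, host names, thresholds and spreadsheet path are assumptions constructed for illustration.

```python
"""
Beaconing heuristic for SaaS-API command-and-control over constructed
egress-proxy log lines.

Added example, not code from Google's report: flags hosts that call the
Google Sheets API at near-constant intervals, the polling pattern a
cell-based C2 channel produces. Log format, hosts and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed placeholder path; a real log would carry the spreadsheet id.
SHEETS_PATH = "/v4/spreadsheets/SPREADSHEET_ID/values/Sheet1!A1:C20"


def _line(ts, src, dst, path):
    """Format one constructed log line: timestamp, source, destination, method, path."""
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {dst} GET {path}"


def build_sample_log():
    """Constructed log: a web server polls the Sheets API every 60 s for ten
    minutes; a workstation reaches it a few times at irregular gaps, as a
    person editing a spreadsheet would; the server also fetches from a
    package mirror, which must not be scored as a Sheets beacon."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    lines = [_line(t0 + timedelta(seconds=60 * i), "srv-web-01",
                   "sheets.googleapis.com", SHEETS_PATH) for i in range(10)]
    for gap in (0, 35, 400, 1900, 2100, 5400):
        lines.append(_line(t0 + timedelta(seconds=gap), "ws-alice-pc",
                           "sheets.googleapis.com", SHEETS_PATH))
    for gap in (0, 3600):
        lines.append(_line(t0 + timedelta(seconds=gap), "srv-web-01",
                           "mirror.example.org", "/debian/dists/stable/Release"))
    return sorted(lines)


def parse_line(line):
    """Split a log line into (timestamp, src, dst, method, path)."""
    ts, src, dst, method, path = line.split(" ", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, path


def detect_beacons(lines, domain_suffix="googleapis.com",
                   min_requests=8, max_cv=0.15):
    """Group requests to the watched domain by (source, destination), measure
    the gaps between consecutive requests and report groups with at least
    min_requests whose gap coefficient of variation is at most max_cv."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, _method, _path = parse_line(line)
        if dst == domain_suffix or dst.endswith("." + domain_suffix):
            times[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all requests in the same second: not a polling cadence
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "requests": len(stamps),
                             "mean_interval_s": avg, "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in detect_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['requests']} requests, "
              f"every {hit['mean_interval_s']:.0f}s (cv={hit['cv']})")
```

The heuristic is deliberately simple: legitimate integrations also poll on a schedule, so the output is a triage list to be combined with an allowlist of hosts that have a business reason to use the Sheets API. On workloads such as web servers and edge devices, which normally have no reason to call it at all, a single request already merits an alert, which is the cheaper and more reliable rule to deploy first.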

In short, the operation against UNC2814 and the exposure of GRIDTIDE show how adversaries are growing more creative in exploiting legitimate services to hide their activity. Protection against sophisticated campaigns requires combining continuous monitoring, identity and access controls, and a coordinated rapid-response capability between cloud providers and affected organizations. The good news is that coordinated actions like the one described here can mitigate a significant part of the damage and force attackers to rebuild their infrastructure, although they do not by themselves eliminate the long-term threat.
