GRIDTIDE: the cyberespionage campaign that uses Google Sheets as a command and control channel


Google, together with Mandiant and other partners, has disrupted a cyberespionage campaign that had been operating since at least 2023 and which, according to their research, affected dozens of organizations around the world. The threat is attributed to an actor that Google tracks internally as UNC2814; the reported victims exceed 50 entities in more than 40 countries, with signs of additional infections in about 20 more nations.

What makes this attack particularly ingenious - and dangerous - is the use of legitimate cloud services as a command and control channel. In this case the attackers developed a backdoor written in C that uses the Google Sheets API to communicate with its operators, hiding malicious traffic among calls to a seemingly harmless service. Using SaaS APIs as a C2 vehicle reduces noise and hinders detection by conventional web monitoring tools, because the traffic appears to be legitimate activity towards Google.


The technical description published by the researchers explains that the malware - named GRIDTIDE - authenticates to a Google service account with a private key embedded in the binary. On startup, the sample clears the communication sheet, wiping a large block of rows and columns to make it ready as a channel. It then collects data about the compromised host - user, computer name, operating system version, local IP, locale and time zone - and writes it to a specific cell. Cell A1 acts as the command cell: the malware polls it continuously for orders and writes back a status once it has processed the instruction.

The working protocol that Google describes includes a polling behaviour designed to reduce the likelihood of detection: if the command cell is empty, the client re-reads it every second for a set period and then switches to randomly spaced checks at intervals of several minutes. The commands GRIDTIDE accepts include executing Base64-encoded commands in a shell interpreter, reading local files and sending them to the sheet in fragments, and reconstructing files uploaded into the sheet's cells. To pack the data, the operators use a URL-safe Base64 scheme, which to many tools is indistinguishable from normal traffic.

This kind of technique - abusing cloud services and public APIs for C2 - is not new, but its use by actors that have so far targeted critical infrastructure and telecommunications operators is cause for concern. Google and its partners note that the exact chain by which initial access was obtained in this campaign is not yet clear, although UNC2814 has a history of compromising web servers and edge devices by exploiting known vulnerabilities.

The response was coordinated and decisive: the teams involved revoked access, disabled the Google Cloud projects linked to the actor, cancelled the Google Sheets API credentials used in the operations and neutralized the known infrastructure, including sinkholes for campaign-related domains. In addition, the affected organizations were contacted directly to support remediation of the intrusions. These actions stopped the Sheets channel from remaining useful to the actor, but the researchers warn that the group is very likely to resume operations with new infrastructure.

Google's technical publication includes detection rules and indicators of compromise that security teams can use to hunt for traces of GRIDTIDE in their environments. For those who manage cloud environments, the incident is a reminder to review practices such as service account management, key rotation and the assignment of least-privilege permissions. It is also recommended to monitor for abnormal API usage patterns - for example, atypical writes to and reads from sheets, or traffic carrying encoded content that does not correspond to legitimate activity - and to alert on out-of-the-ordinary use of service accounts.
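As an added, defender-side example that is not code from Google's report or from the malware, the script below runs over API usage records in a constructed, simplified schema and flags the two behaviours the protocol description and the monitoring advice above point to: a service account re-reading the same cell every second, and cell writes whose value looks like URL-safe Base64 text. The record format, sheet ids and the service-account name are assumptions, not Google's actual audit log format.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified, hypothetical schema (not Google's real audit log format):
# "timestamp principal method spreadsheet range value" with "-" for reads. Eight one-second
# reads of A1 mimic the polling described above; B2 receives URL-safe Base64 host info.
_SA = "svc-bot@proj.iam.gserviceaccount.com"
_INFO = base64.urlsafe_b64encode(b"user=alice;host=WS01;os=10.0;ip=10.1.2.3").decode()
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{s:02d}Z {_SA} values.get SHEET1 A1 -" for s in range(8)]
    + [f"2024-05-01T10:00:09Z {_SA} values.update SHEET1 B2 {_INFO}",
       "2024-05-01T10:15:00Z reports@example.com values.update SHEET2 C4 quarterly_total_report_2024"])

def parse_log(text):
    recs = []
    for line in filter(str.strip, text.splitlines()):
        ts, principal, method, sheet, rng, value = line.split(maxsplit=5)
        recs.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "principal": principal,
                     "method": method, "sheet": sheet, "range": rng, "value": value})
    return recs

def find_polling(records, min_reads=5, window_s=60):
    """(principal, sheet, range) keys read at least min_reads times within window_s seconds."""
    reads = defaultdict(list)
    for r in records:
        if r["method"] == "values.get":
            reads[(r["principal"], r["sheet"], r["range"])].append(r["ts"])
    hits = set()
    for key, ts in reads.items():
        ts.sort()
        if any((ts[i + min_reads - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - min_reads + 1)):
            hits.add(key)
    return hits

def looks_urlsafe_base64(value):
    """URL-safe alphabet and length, then the decoded bytes must be printable text (commands are text)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{24,}={0,2}", value):
        return False
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return raw.decode("ascii").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False

def find_encoded_writes(records):
    """Writes whose cell value looks like URL-safe Base64 text."""
    return [r for r in records if r["method"] == "values.update" and looks_urlsafe_base64(r["value"])]
```

The printable-text check after decoding is what keeps long snake_case identifiers such as the report name in the sample from being reported as encoded payloads.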

If you want to dig deeper into the research and technical details, Google's report on the disruption of the campaign is available on the Google Cloud blog: Disrupting GRIDTIDE: global espionage campaign. To put the threat in the context of API and cloud service abuse, you can review the official documentation of the APIs involved, such as the Google Sheets API and the guide on service accounts in Google Cloud. A technical press article that covered the news and its scope offers a synthesis accessible to non-specialists: BleepingComputer - Google disrupts GRIDTIDE. It is also useful to consult reference frameworks such as MITRE ATT&CK to understand how this type of C2 fits into known techniques: T1071 - Application Layer Protocol.


Beyond the immediate response, the lesson for companies and administrators is clear: cloud platforms and public APIs offer enormous advantages, but they can also be used as covert channels by sophisticated actors. Cloud security requires not only traditional perimeter controls but specific visibility and telemetry on the use of APIs and credentials, as well as response plans that can quickly revoke compromised access and coordinate with providers when abuse is detected.

Meanwhile, intelligence and response teams will continue to monitor the movements of UNC2814 and other groups using similar techniques. In a world where the cloud ecosystem is ubiquitous, the ability to detect atypical patterns in legitimate services and to act collaboratively between providers and victims will be increasingly decisive in containing such campaigns.

If you manage business environments, check the official references and share the IoCs and detection rules provided by Google with your security team to assess whether your systems were exposed and, if necessary, request specialized support.
