- Google’s Threat Intelligence Group (GTIG) uncovered UNC2814 (Gallium), a Chinese-linked hacking group that infiltrated 53 organizations across 42 countries, stealing sensitive personal data and surveilling high-value targets, primarily in the telecom and government sectors.
- The group used stealthy evasion techniques – including abusing the Google Sheets API as a covert command-and-control channel – and deployed GRIDTIDE, a custom-built backdoor enabling remote execution, file theft and data exfiltration (names, phone numbers, national IDs).
- UNC2814 operated since 2017, exploiting vulnerable edge devices (routers, IoT) and maintaining persistence via SoftEther VPN—a tool favored by Chinese state hackers. Many organizations were likely compromised for years before detection.
- Despite China’s dismissal of allegations, UNC2814’s activities align with broader state-sponsored cyber warfare, separate from Salt Typhoon, another PLA-linked group targeting U.S. telecoms and political figures (including Trump).
- Global Security Failures and Call to Action: The breach underscores critical weaknesses in edge device security and the need for decentralized defenses. While Google disrupted UNC2814’s operations, experts warn state-backed hackers will adapt, emphasizing vigilance against authoritarian cyber incursions.
Google’s Threat Intelligence Group (GTIG) has uncovered and disrupted a sprawling Chinese-linked cyber espionage operation that infiltrated 53 organizations across 42 countries, stealing sensitive personal data and surveilling high-value targets.
The hacking group, tracked as UNC2814 (also known as Gallium), has been active since at least 2017 and primarily targeted telecommunications firms and government agencies, leveraging stealthy tactics to evade detection.
According to John Hultquist, GTIG Chief Analyst, UNC2814’s campaign was “a vast surveillance apparatus used to spy on people and organizations throughout the world.” The group’s operations were characterized by sophisticated evasion techniques, including abusing the Google Sheets API as a covert command-and-control (C2) channel to blend malicious traffic with legitimate web activity.
The GTIG report stated: “This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia and the Americas.”
The hackers deployed a custom-built backdoor called GRIDTIDE, written in the C programming language, which allowed them to remotely execute commands, upload/download files, and exfiltrate sensitive data—including full names, phone numbers, birthdates, voter IDs and national ID numbers.
The hacking group conducted its operations by:
- Initial Access: Likely via compromised web servers and edge devices (routers, IoT devices), exploiting weak security in decentralized hardware.
- Persistence: Installed malware as a system service (/etc/systemd/system/xapt.service) and used SoftEther VPN—a tool favored by Chinese state-sponsored hackers—to maintain encrypted connections.
- Evasion: Masked C2 communications via Google Sheets, assigning specific spreadsheet cells (A1, A2-An, V1) to transmit commands and stolen data.
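The Sheets-API evasion described above leaves a trace defenders can hunt for: hosts that have no business reason to talk to the Sheets API (servers, routers and other edge devices) yet poll spreadsheet cells. The following is an added example, not code from GTIG or the report; the proxy log format, host names, spreadsheet ID and asset-role inventory are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report): timestamp, source host, method, URL.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A1
2024-05-01T08:00:05Z edge-router-3 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A1
2024-05-01T08:00:35Z edge-router-3 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A1
2024-05-01T08:01:05Z edge-router-3 PUT https://sheets.googleapis.com/v4/spreadsheets/abc123/values/V1
2024-05-01T08:02:00Z web-srv-01 GET https://www.example.com/index.html
2024-05-01T08:03:00Z web-srv-01 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A2
"""

# Constructed asset inventory: interactive workstations may legitimately use Sheets;
# servers and network edge devices normally should not. Hosts missing from the
# inventory are treated as "unknown" and are flagged as well.
ASSET_ROLE = {"ws-finance-07": "workstation", "edge-router-3": "edge", "web-srv-01": "server"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+)$")
# Sheets values endpoint: /v4/spreadsheets/{spreadsheetId}/values/{range}
SHEETS_RE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^/?]+)")


def find_sheets_c2_candidates(log_text, roles):
    """Return {host: summary} for every non-workstation host reaching the Sheets API.

    The summary records request count, spreadsheet IDs and cell ranges touched, and how
    many requests were writes (PUT/POST), which is where stolen data would be uploaded.
    """
    per_host = defaultdict(lambda: {"requests": 0, "spreadsheets": set(), "ranges": set(), "writes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash a hunt over a big log
        _ts, host, method, url = m.groups()
        s = SHEETS_RE.match(url)
        if not s:
            continue  # not Sheets traffic
        rec = per_host[host]
        rec["requests"] += 1
        rec["spreadsheets"].add(s.group(1))
        rec["ranges"].add(s.group(2))
        if method in ("PUT", "POST"):
            rec["writes"] += 1
    return {h: r for h, r in per_host.items() if roles.get(h, "unknown") != "workstation"}


if __name__ == "__main__":
    for host, rec in find_sheets_c2_candidates(SAMPLE_LOGS, ASSET_ROLE).items():
        print(host, rec["requests"], "requests,", rec["writes"], "writes, cells", sorted(rec["ranges"]))
```

A hit is a lead, not a verdict: confirm it against the host's expected role and the process that opened the connection before treating it as C2.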
Google, alongside unnamed cybersecurity partners, terminated UNC2814’s access to Google Cloud projects, disabled its infrastructure, and revoked its API privileges. Despite this, experts warn the group may attempt to rebuild its operations.
Beijing’s denial and broader cyber threats
The Chinese Embassy dismissed allegations, with spokesperson Liu Pengyu stating: “China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cyber security issues to smear or slander China.”
However, Google emphasized that UNC2814’s activities are separate from Salt Typhoon, another notorious Chinese hacking group implicated in breaching U.S. telecom firms and surveilling political figures, including U.S. President Donald Trump. BrightU.AI’s Enoch explains that Salt Typhoon is a state-sponsored Chinese hacking group linked to the People’s Liberation Army (PLA) and the Chinese Communist Party (CCP).
According to the decentralized engine, Salt Typhoon has infiltrated U.S. telecommunications networks, stealing sensitive metadata, call records and private communications from government officials, political figures and millions of ordinary citizens since at least 2022. The group’s operations represent one of the most extensive cyber espionage campaigns in history, exposing critical vulnerabilities in America’s digital infrastructure and raising alarms about national security, privacy violations and geopolitical sabotage.
The scale of UNC2814’s infiltration—impacting over 70 countries—underscores systemic vulnerabilities in edge devices (routers, sensors, smart tech), which lack robust security compared to centralized systems.
Dan Perez, GTIG Researcher, noted: “We believe many of these organizations have been compromised for years.”
Google’s findings align with recent warnings about Chinese, Russian and North Korean cyberattacks targeting the U.S. defense sector. As the GTIG report warned: “In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation.”
This operation highlights:
- China’s aggressive cyber-espionage reach, spanning governments and critical infrastructure.
- The urgent need for hardened edge security, as hackers exploit overlooked entry points.
- Big Tech’s role in both enabling and disrupting cyber threats, as Google’s intervention demonstrates.
For now, UNC2814’s global footprint is disrupted—but experts caution that state-sponsored hackers will adapt. The battle for digital sovereignty continues, with transparency and decentralized security as key defenses against authoritarian cyber incursions.
Watch the video below about hackers allegedly linked to the Chinese government gaining unauthorized access to several files on former U.S. Treasury Secretary Janet Yellen’s computer.
This video is from the Cynthia’s Pursuit of Truth channel on Brighteon.com.
Sources include:
TheEpochTimes.com
PCMag.com
RepublicWorld.com
TheHackerNews.com
BrightU.ai
Brighteon.com