
Chinese Hackers Use Google Sheets to Control Malware Across 42 Countries

A sophisticated digital espionage campaign has been uncovered using Google Sheets as a command-and-control (C2) infrastructure. The malware, dubbed GRIDTIDE, was deployed by the threat group UNC2814 to infiltrate networks in 42 countries.

How the Attack Worked

The attackers abused the Google Sheets API to turn spreadsheets into active command centers. The process worked as follows:

  • Stealthy Communication: Malware-infected systems connected to a specific Google Sheet.
  • Cell-Based Commands: Hackers used spreadsheet cells as an "inbox" and "outbox" to exchange instructions and receive stolen data.
  • Evasion: Because the malware communicated with a Google service, the traffic appeared legitimate to network monitoring tools, making it extremely difficult to detect.

Scale and Impact

Google Threat Intelligence and Mandiant confirmed attacks against 53 organizations, primarily targeting telecommunications companies and government agencies.

In some regions, including Brazil, the group accessed telecom systems containing sensitive subscriber data:

  • Full names and phone numbers.
  • Identification documents and birth dates.
  • Call logs and SMS message records.

The GRIDTIDE backdoor also collected host information, such as usernames, hostnames, and IP addresses, funneling this data back into the spreadsheets.

Response and Prevention

Google has clarified that this was not a vulnerability exploit but an abuse of legitimate features. To mitigate the threat, Google has:

  1. Terminated the attackers’ Google Cloud projects and accounts.
  2. Revoked API access used by the infrastructure.
  3. Notified all affected organizations.

To protect your network, monitor for unusual API traffic to cloud services and ensure all endpoint detection tools are updated to recognize GRIDTIDE signatures.
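One concrete way to apply that monitoring advice to the cell-polling pattern described above, as an added example that is not part of the article and not code from Google or Mandiant: it scans constructed proxy log lines (a hypothetical four-field format) and flags Sheets API use from a non-browser process or at a fixed polling interval, with a hypothetical allowlist of expected clients.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the article): timestamp, host, process, URL.
# ws-17 shows a non-browser binary polling one spreadsheet at a fixed ~5 minute interval;
# ws-02 is an ordinary user opening a sheet in a browser.
SAMPLE_LOGS = """\
2024-05-01T09:00:00 ws-17 updater.exe https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B2
2024-05-01T09:05:01 ws-17 updater.exe https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B2
2024-05-01T09:10:00 ws-17 updater.exe https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B2
2024-05-01T09:15:02 ws-17 updater.exe https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B2
2024-05-01T09:03:11 ws-02 chrome.exe https://docs.google.com/spreadsheets/d/xyz/edit
2024-05-01T09:41:47 ws-02 chrome.exe https://sheets.googleapis.com/v4/spreadsheets/xyz/values/Budget!A1:Z50
2024-05-01T10:02:03 ws-02 chrome.exe https://www.google.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SHEETS_API = "sheets.googleapis.com/v4/spreadsheets/"
# Hypothetical allowlist of clients expected to talk to the Sheets API in this environment.
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def parse_logs(log_text):
    """Parse the four-field log format above into (timestamp, host, process, url) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, url = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, url))
    return events

def find_suspicious_sheets_clients(log_text, min_requests=3, max_jitter=0.2):
    """Return {(host, process): [reasons]} for Sheets API use that looks like C2 check-ins."""
    by_client = defaultdict(list)
    for ts, host, proc, url in parse_logs(log_text):
        if SHEETS_API in url:
            by_client[(host, proc)].append(ts)
    findings = defaultdict(list)
    for (host, proc), times in by_client.items():
        if proc not in ALLOWED_CLIENTS:
            findings[(host, proc)].append("non-browser process calling the Sheets API")
        if len(times) >= min_requests:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            # Near-constant spacing between requests is fixed-interval polling, not human use.
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
                findings[(host, proc)].append(f"regular polling about every {mean_gap:.0f}s")
    return dict(findings)

if __name__ == "__main__":
    for client, reasons in find_suspicious_sheets_clients(SAMPLE_LOGS).items():
        print(client, "->", "; ".join(reasons))
```

Real environments will have legitimate automation (sync agents, scripts) hitting the same API, so the allowlist and jitter threshold need tuning per site; the value of the check is in surfacing hosts whose Sheets traffic is worth a closer look, not in blocking on its own.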