this post was submitted on 26 Feb 2026
71 points (94.9% liked)

Technology

81869 readers
5040 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
71
Google catches Beijing spies using Sheets to spread espionage across 4 continents (www.theregister.com)
submitted 13 hours ago by Kailn@lemmy.myserv.one to c/technology@lemmy.world
10 comments fedilink hide all child comments
 
  • The Chocolate Factory announced the Google Threat Intelligence Group-led actions on Wednesday and said that, in partnership with other teams, it terminated all Google Cloud Projects that had been controlled by UNC2814, a group that GTIG has tracked since 2017. They also disabled all known UNC2814 infrastructure and accounts, and revoked access to the Google Sheets API calls used by the Chinese snoops for command-and-control (C2) purposes.
  • "As of Feb. 18, GTIG's investigation confirmed that UNC2814 has impacted 53 victims in 42 countries across four continents, and identified suspected infections in at least 20 more countries," the threat hunters said in the report.
  • The security sleuths uncovered this campaign during a Mandiant investigation into suspicious activity in a customer's environment. Specifically, this binary, "/var/tmp/xapt," initiated a shell with root privileges, and then executed a command to retrieve the system’s user and group identifiers to confirm it had successfully escalated to root.
  • Google suspects the payload was named xapt, after the command-line tool in Debian and Ubuntu systems, to make it easier to hide in the victim's environment and look like a legitimate tool.
  • The intruders also used a novel backdoor, Gridtide, that abuses legitimate Google Sheets API functionality to disguise its command-and-control (C2) traffic. Mandiant has linked Gridtide to UNC2814.
  • The intruders also used a novel backdoor, Gridtide, that abuses legitimate Google Sheets API functionality to disguise its command-and-control (C2) traffic. Mandiant has linked Gridtide to UNC2814.
  • After breaking in, the spies moved laterally via SSH, performed reconnaissance, escalated privileges, and then deployed the Gridtide backdoor using a command, "nohup ./xapt," that allows it to run even after the user closes the session.
  • "Subsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address," the threat intel team wrote. "VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018."
  • The C-based backdoor uses Google Sheets as its C2 platform, can execute shell commands, and can upload and download files. In this case, the attacker deployed Gridtide on an endpoint containing personal information - likely to identify and track persons of interest - including full name, phone number, date and place of birth, voter ID and national ID numbers.
all 11 comments
sorted by: hot top controversial new old
[–] voodooattack@lemmy.world 4 points 5 hours ago

Damn. How long were those sheets?

[–] Melusine@tarte.nuage-libre.fr 11 points 8 hours ago (1 children)

Can we do tge same for NSA, CIA FBI, ICE and all the other (and kill palantir in the process) if spying is wrong ? Or is it just that the US empire of doom is good in doing so ?

[–] XLE@piefed.social -2 points 6 hours ago (1 children)

What are your thoughts on the Chinese state-sponsored espionage group from this post?

[–] Melusine@tarte.nuage-libre.fr 8 points 5 hours ago (2 children)

Same shit as any state sponsored espionage, we would all be better getting rid of them , including CLOUD, FISA and PATRIOT acts.

[–] XLE@piefed.social -1 points 5 hours ago

I saw when you said America Bad the first time too. Do you have any insights about the contents of this post?

[–] treadful@lemmy.zip 6 points 9 hours ago (1 children)

I was confused at first, thinking that somehow Sheets' systems were compromised.

The C-based backdoor uses Google Sheets as its C2 platform, can execute shell commands, and can upload and download files.

Instead, Sheets is just the command and control relay.

Which is pretty weird, though.

[–] PabloSexcrowbar@piefed.social 6 points 5 hours ago

I dunno, it's very innocuous-looking from a traffic inspection standpoint, while also being a resilient way of storing an equally-innocuous-looking CSV. Kinda clever, if you ask me.

[–] Kailn@lemmy.myserv.one 2 points 12 hours ago

Peviously posted on an another lemmy community.