Google Disrupts Chinese Cyberespionage Campaign Targeting Telecoms, Governments
Briefly

"The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions. Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate."
"The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands."
"The company's researchers observed GridTide on an endpoint containing personal information such as names, dates of birth, phone numbers, voter IDs, and national IDs. The targeting of this type of data suggests that the hackers may have been trying to track and monitor individuals of interest."
Google's Threat Intelligence Group and Mandiant identified UNC2814, a China-linked threat actor behind one of the most significant cyberespionage campaigns in recent years. Active since at least 2017, the group has targeted at least 53 organizations across 42 countries in the Americas, Asia, and Africa, and is suspected of targeting 20 more. Rather than exploiting a flaw in the cloud services themselves, the attackers made API calls to legitimate SaaS applications so that their command-and-control traffic blended in with ordinary business use. They deployed a new backdoor, GridTide, which executes shell commands and transfers files, using a Google Sheets spreadsheet not as a document but as a high-availability C2 channel. Because that channel is ordinary HTTPS traffic to Google's own API, it cannot be blocked or spotted by destination alone; defenders have to look at which hosts and processes are talking to the Sheets API and how they behave. Compromised endpoints held names, dates of birth, phone numbers, voter IDs, and national IDs, which suggests the group was tracking and monitoring specific individuals.
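The detection problem the summary describes is that the C2 traffic is legitimate Google API traffic, so the signal has to come from behavior rather than destination. The following is an added example, not code from the SecurityWeek article, Google, or Mandiant, and not a signature for GridTide: it applies a generic beaconing heuristic to constructed proxy log lines, flagging hosts that poll sheets.googleapis.com at machine-like regular intervals, use a non-browser client, and both read and write the same spreadsheet. The log format, hostnames, spreadsheet IDs, user-agent tokens and thresholds are all assumptions made for the example.

```python
"""Beaconing heuristic for Google Sheets API traffic over constructed proxy logs.

Added example, not from the SecurityWeek article or from Google/Mandiant.
Log format, hostnames, spreadsheet IDs and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log (not real data), one request per line:
# <ISO8601 time> <source host> <user-agent token> <method> <destination host> <path>
SAMPLE_LOGS = """\
2024-03-01T09:00:00Z ws-017 Mozilla/5.0 GET sheets.googleapis.com /v4/spreadsheets/A1/values/Sheet1!A1:B20
2024-03-01T09:00:11Z ws-017 Mozilla/5.0 GET docs.google.com /spreadsheets/d/A1/edit
2024-03-01T09:07:42Z ws-017 Mozilla/5.0 GET sheets.googleapis.com /v4/spreadsheets/A1/values/Sheet1!A1:B20
2024-03-01T09:00:00Z srv-db-02 python-requests/2.31 GET sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!A1
2024-03-01T09:01:02Z srv-db-02 python-requests/2.31 PUT sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!B1
2024-03-01T09:01:59Z srv-db-02 python-requests/2.31 GET sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!A1
2024-03-01T09:03:01Z srv-db-02 python-requests/2.31 PUT sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!B1
2024-03-01T09:04:00Z srv-db-02 python-requests/2.31 GET sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!A1
2024-03-01T09:05:03Z srv-db-02 python-requests/2.31 PUT sheets.googleapis.com /v4/spreadsheets/B7/values/tasks!B1
2024-03-01T09:00:00Z report-01 python-requests/2.31 GET sheets.googleapis.com /v4/spreadsheets/C3/values/kpi!A1:Z99
2024-03-01T10:00:00Z report-01 python-requests/2.31 GET sheets.googleapis.com /v4/spreadsheets/C3/values/kpi!A1:Z99
"""

SHEETS_API = "sheets.googleapis.com"
WRITE_METHODS = {"PUT", "POST"}


def parse_logs(text):
    """Parse the constructed log format; a real deployment maps its proxy's fields here."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ua, method, dest, path = line.split(maxsplit=5)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "ua": ua, "method": method, "dest": dest, "path": path,
        })
    return records


def score_host(reqs, min_requests, max_cv):
    """Return the indicator names that apply to one host's Sheets API requests."""
    indicators = []
    # Need at least two requests for an interval, and enough of them to be meaningful.
    if len(reqs) < max(min_requests, 2):
        return indicators
    reqs = sorted(reqs, key=lambda r: r["time"])
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
    # Low relative spread of inter-request gaps (coefficient of variation) = machine-like polling.
    if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
        indicators.append("periodic_polling")
    # Browsers identify as Mozilla/...; scripted clients usually do not (assumed convention).
    if not any(r["ua"].startswith("Mozilla/") for r in reqs):
        indicators.append("non_browser_client")
    # Same client both reading and writing one spreadsheet ID looks like a two-way channel.
    # Path layout /v4/spreadsheets/<id>/... puts the ID at index 3 after splitting on "/".
    sheets_read = {r["path"].split("/")[3] for r in reqs if r["method"] == "GET"}
    sheets_written = {r["path"].split("/")[3] for r in reqs if r["method"] in WRITE_METHODS}
    if sheets_read & sheets_written:
        indicators.append("read_write_same_sheet")
    return indicators


def detect_beacons(log_text, min_requests=5, max_cv=0.25, min_indicators=2):
    """Group Sheets API requests by source host; return {host: indicators} for hosts meeting the bar."""
    by_host = defaultdict(list)
    for r in parse_logs(log_text):
        if r["dest"] == SHEETS_API:
            by_host[r["host"]].append(r)
    findings = {}
    for host, reqs in by_host.items():
        ind = score_host(reqs, min_requests, max_cv)
        if len(ind) >= min_indicators:
            findings[host] = ind
    return findings


if __name__ == "__main__":
    for host, ind in detect_beacons(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(ind)}")
```

With the defaults only srv-db-02 is flagged: the browser user on ws-017 makes too few, irregular requests, and the hourly reporting job on report-01 has only two requests. Lowering min_requests to 2 also flags report-01, which is the expected false positive: a single interval always looks perfectly periodic, so the request-count floor matters as much as the variance threshold.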
Read at SecurityWeek