In a technical analysis, Google Cloud reported that a suspected Chinese threat actor used Google Sheets API calls to hide command-and-control activity in a campaign that affected 53 organisations in 42 countries and has been active since at least 2023.
KEY FACTS
- Incident: 53 organisations in 42 countries impacted
- Malware: GRIDTIDE backdoor abused the Google Sheets API for command-and-control
- Targets: telecom firms and government agencies
- Disruption: cloud projects used for C2 disabled and domains sinkholed
The campaign has been active since at least 2023 and impacted 53 organisations in 42 countries, with suspected infections in at least 20 additional countries.
The actor deployed a C-based backdoor named GRIDTIDE that authenticates to a Google service account using a hardcoded private key. On launch the malware deletes rows 1 to 1000 and columns A to Z in a spreadsheet, then records host details in cell V1 and polls cell A1 for commands.
GRIDTIDE supports commands to execute Base64-encoded bash commands, upload files using A2:A
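The three-stage access pattern described above (range wiped, host details written to V1, A1 polled repeatedly) is distinctive enough to hunt for in Sheets API access logs. The following detector is an added example written for this article, not code from Google Cloud's analysis; the log schema, the `values.*` method names, the service-account address and the timestamps are all constructed assumptions.

```python
"""Heuristic hunt for a GRIDTIDE-style Sheets C2 pattern: a wipe of A1:Z1000,
a write to V1, then repeated single-cell reads of A1 by the same principal on
the same spreadsheet. Records below are CONSTRUCTED sample log entries using an
assumed, simplified schema, not a real Google audit-log format."""
from collections import defaultdict
from datetime import datetime, timedelta

SVC = "svc-c2@example.iam.gserviceaccount.com"  # constructed principal
SAMPLE_LOG = [
    {"ts": "2024-05-01T10:00:00", "principal": SVC, "sheet": "sheetA",
     "method": "values.clear", "range": "A1:Z1000"},
    {"ts": "2024-05-01T10:00:01", "principal": SVC, "sheet": "sheetA",
     "method": "values.update", "range": "V1"},
] + [  # six polls of A1, thirty seconds apart
    {"ts": (datetime(2024, 5, 1, 10, 0, 5) + timedelta(seconds=30 * i)).isoformat(),
     "principal": SVC, "sheet": "sheetA", "method": "values.get", "range": "A1"}
    for i in range(6)
] + [  # benign user reading a normal block of cells
    {"ts": "2024-05-01T10:02:00", "principal": "alice@example.com",
     "sheet": "sheetB", "method": "values.get", "range": "A1:D20"},
]


def detect_sheet_c2(records, min_polls=5, window=timedelta(minutes=10)):
    """Return (principal, sheet) pairs whose activity shows all three stages."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["principal"], r["sheet"])].append(r)
    findings = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        wiped = any(r["method"] == "values.clear" and r["range"] == "A1:Z1000"
                    for r in recs)
        wrote_v1 = any(r["method"] == "values.update" and r["range"] == "V1"
                       for r in recs)
        polls = [datetime.fromisoformat(r["ts"]) for r in recs
                 if r["method"] == "values.get" and r["range"] == "A1"]
        # polling stage: at least min_polls reads of the single cell A1 within one window
        polling = any(polls[i + min_polls - 1] - polls[i] <= window
                      for i in range(len(polls) - min_polls + 1))
        if wiped and wrote_v1 and polling:
            findings.append(key)
    return findings


if __name__ == "__main__":
    print(detect_sheet_c2(SAMPLE_LOG))
```

Tune `min_polls` and `window` to the beacon interval seen in your own telemetry; the cell addresses come from the article, everything else is an assumption to adapt to the real log source.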
Coordinated action terminated cloud projects tied to the actor, disabled known infrastructure, revoked Sheets API access, and sinkholed current and historical domains. One infected system contained sensitive PII but direct data exfiltration was not observed. The actor is expected to resume activity with new infrastructure.
WHY IT MATTERS
Abuse of widely used SaaS APIs can blend malicious traffic with normal operations and complicate detection. The technical analysis includes detection rules and indicators of compromise for affected organisations.