Google has uncovered a large-scale espionage operation that used Google Sheets as a covert tool to steal sensitive data from telecommunications and government networks in over 70 countries. The campaign, which spanned four continents, revealed how everyday software can be repurposed for advanced cyber intrusions.

The threat actor, identified as UNC2814, deployed a C-based backdoor to compromise systems, storing stolen information in specific cells of Google Sheets. This method allowed the attackers to execute remote commands, upload files, and exfiltrate data while mimicking legitimate traffic. Google's Threat Intelligence Group (GTIG) discovered and disrupted the operation last week.

Once a system was infected, the backdoor would delete itself but retain access through a 16-byte cryptographic key stored separately on the host. This persistence technique enabled long-term control while evading detection. The exfiltrated data included detailed system information such as usernames, endpoint names, operating systems, local IP addresses, and environmental settings like language and time zone.


Google's analysis indicates that UNC2814 used this access to collect call data records and SMS messages, and potentially to monitor individuals through lawful intercept capabilities. While no direct exfiltration of sensitive data was observed during this campaign, historical patterns suggest such operations often lead to significant breaches.

The global scale of the operation—targeting telecom and government sectors in multiple regions—highlights the sophistication and resources required for such intrusions. Google estimates that rebuilding a network of this scale would take years, making the disruption a substantial setback for the threat actor. The company expects UNC2814 to attempt recovery but acknowledges the campaign's infrastructure has been severely weakened.

This incident underscores the evolving tactics employed by cyber threat actors to evade detection and maintain long-term access in compromised systems. The use of Google Sheets as a command-and-control platform serves as a stark reminder of how everyday tools can be repurposed for malicious activities, posing significant risks to global cybersecurity.
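
Because traffic to Google Sheets blends in with normal use, a defender's practical lever is which process on which host is talking to it. The following is an added example, not code from Google's report or from the malware: it scans a constructed proxy/EDR log for non-browser processes contacting Sheets endpoints and marks those that call at regular intervals. The log layout, host and process names, the allowlist, and the assumption that the backdoor polls on a timer are all illustrative; the page does not state which hostname the backdoor used.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (not campaign data): epoch seconds, host, process, destination.
SAMPLE_LOG = """ts,host,process,dest
1000,cdr-db-02,svc_helper,sheets.googleapis.com
1100,ws-014,chrome,docs.google.com
1300,cdr-db-02,svc_helper,sheets.googleapis.com
1450,ws-014,chrome,sheets.googleapis.com
1605,cdr-db-02,svc_helper,sheets.googleapis.com
1700,cdr-db-02,svc_helper,ntp.example.org
1898,cdr-db-02,svc_helper,sheets.googleapis.com
2201,cdr-db-02,svc_helper,sheets.googleapis.com
5000,ws-031,python,sheets.googleapis.com
9100,ws-031,python,sheets.googleapis.com
"""

SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}
# Assumption: per-site allowlist of processes expected to reach Google Sheets.
EXPECTED_CLIENTS = {"chrome", "firefox", "msedge"}


def find_suspect_sheets_clients(log_text, min_hits=4, max_jitter=0.2):
    """Report unexpected processes contacting Sheets; flag timer-like request patterns."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest"].lower() in SHEETS_HOSTS:
            times[(row["host"], row["process"])].append(int(row["ts"]))

    findings = []
    for (host, proc), ts in sorted(times.items()):
        if proc.lower() in EXPECTED_CLIENTS:
            continue  # browsers reaching Sheets are normal user activity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        periodic = False
        if len(ts) >= min_hits:
            mean = statistics.mean(gaps)
            # Low relative spread of the gaps suggests automated polling.
            periodic = mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter
        findings.append({"host": host, "process": proc,
                         "requests": len(ts), "periodic": periodic})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sheets_clients(SAMPLE_LOG):
        print(finding)
```

A non-periodic finding, such as an administrator's one-off script, still deserves review; the periodic flag only helps rank which hosts to look at first.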