Google Dismantles CCP-Linked Hacker Network Targeting 53 Entities In 42 Countries

Published: February 25, 2026
Tech giant Google is leading a global cybersecurity effort against CCP-linked hackers (Image: Justin Sullivan/Getty Images)

According to reports from Reuters and Shangbao, U.S. tech company Google announced on Wednesday, Feb. 25 that it successfully disrupted and dismantled a hacker network believed to be linked to the Chinese Communist Party (CCP), which had infiltrated at least 53 entities across 42 countries. The announcement was made public by Google’s threat intelligence team.

Google stated that the hacker group is identified in the security community as UNC2814, also known as “Gallium.” Over the past decade, the group has conducted cyber intrusions across multiple industries, targeting mainly government agencies and telecom operators. Google’s threat intelligence team noted that these attacks represent a “broad surveillance system” used to monitor or collect data from organizations and individuals worldwide.

To stop the network operation, Google and unnamed partners took several technical measures, including terminating Google Cloud projects controlled by the group, identifying and shutting down its internet infrastructure, and deactivating multiple accounts used by the hackers. Google noted that the hackers used these accounts to access services such as Google Sheets to evade detection and blend into normal traffic, but no Google products were actually damaged.

Mike Burgess, director of the Australian Security Intelligence Organisation (ASIO), recently issued a stark warning, pointing out that Australia is increasingly facing the risk of “high-impact disruption” from hackers linked to the Chinese government and military. (Image: Pixabay)

A backdoor program named ‘GRIDTIDE’

Charlie Snyder, senior manager of Google’s threat intelligence team, said that at the time the operation was disrupted, the hacker group had successfully accessed systems of at least 53 entities in 42 countries. Google has not released the names or industries of these institutions, but in one case, the group installed a backdoor program, which Google named “GRIDTIDE,” in systems containing large amounts of sensitive personal data, including full names, phone numbers, birth dates, birthplaces, voter ID numbers, and national ID numbers.

Google also stated that the hackers’ use of Google Sheets was intended to disguise malicious activities as normal access, making detection by security systems more difficult. Google emphasized that this does not mean its products were compromised.

In action against the group, Google and partners shut down key infrastructure and disabled associated attacks, effectively dismantling the organization’s global operations. According to Google, the network operation may also have posed potential risks to at least 22 other countries at the time of disruption, though these have not been fully confirmed.

Analysis by Reuters and other media suggests that Google’s action represents a relatively large-scale defensive response to cybersecurity threats, involving networks across multiple countries and industries. While Google and partners have not publicly disclosed the list of targeted organizations, the disclosure highlights global attention on cybersecurity issues, especially data protection and network security in government and telecom sectors amid digital transformation.

John Hultquist, one of the leaders of Google’s threat intelligence team, stated that the hacker group possesses extensive surveillance and access capabilities, conducting long-term targeted operations globally, including using legitimate cloud platforms to access data and potentially steal information. Such large-scale cyber operations often involve cross-border data flows and communication infrastructure in multiple countries.

Chinese hackers have access to the personal information of 50 percent of Americans. (Image: Pixabay / CC0 1.0)

Different from other CCP-linked operations

Google noted that the disrupted operation differs from an earlier high-profile cyber operation targeting the telecom industry, known in the security community as “Salt Typhoon,” which the U.S. government believes was linked to the CCP and targeted hundreds of U.S. institutions and prominent political figures. Google said the two operations represent separate cyber threat activities.

Google’s threat intelligence report shows that the hacker group’s activity spans nearly a decade, starting in 2017, targeting government agencies and telecom enterprises. Each operation often uses multiple technical methods to conceal its behavior, attempting to steal data and conduct surveillance through legitimate-looking cloud service access paths.

Google stated that its action aims to identify and terminate malicious cyber activity, emphasizing that cybersecurity requires global cooperation and strengthened monitoring and defense against cross-border hacking. The company’s notice also reminds businesses and government agencies to heighten awareness of similar threats and adopt multi-layered security measures to mitigate risks from cyberattacks.

So far, Google has not released a more detailed public report on this incident, but ongoing monitoring of cybersecurity and hacker threats shows that with expanding global data interactions, major tech companies and national security agencies are continuously strengthening threat intelligence cooperation to prevent and block potential cross-border cyberattacks.

By Tian Jingxin