
Google disrupts UNC2814 GridTide espionage campaign
Context and chronology
A coordinated disruption led by Google and industry partners interrupted an extended espionage operation attributed to the cluster labeled UNC2814. The intrusion set relied on trusted cloud primitives — notably collaboration objects and spreadsheet SaaS APIs — to carry command-and-control and staging traffic, enabling operators to blend malicious signals with normal enterprise workflows. At the center of the activity is a backdoor researchers have dubbed GridTide, a loader and remote shell that leverages benign‑appearing cloud endpoints to execute commands and transfer staged data.
Investigators tied artifacts and platform telemetry to operations that targeted principally telecom and public‑sector networks and found endpoints containing personal identifiers consistent with human‑targeted intelligence collection. Defenders performed account revocations, removed cloud assets, sinkholed domains and notified victims while publishing indicators of compromise to accelerate detection across operator networks. Those remediation actions are comparable to other recent Google‑led takedowns that dismantled large proxy meshes and abusive device fleets; in each case, cutting infrastructure reduced near‑term capabilities but left strategic challenges unresolved.
Reporting of the campaign’s scope varies: the disruption is associated with at least 53 confirmed organizational targets across 42 countries in the provider brief, while other contemporaneous assessments of related espionage activity have cited campaigns spanning 37 countries — a difference that appears to stem from divergent counting methods (confirmed victims versus broader suspected exposure) and differing observation windows. Regardless of the precise tally, the incident underscores a broader operational pivot in which adversaries combine cloud‑hosted C2, long‑lived implants, and supply‑chain or sideloaded vectors to preserve persistent access and to make malicious actions resemble routine enterprise traffic.
The takedown’s immediate effect is tangible: it denies UNC2814 months of assembled infrastructure and complicates its ability to reach implanted footholds. However, the remedies do not eliminate the underlying tradecraft; defenders must now enhance API telemetry, fuse cross‑service signals, and adopt identity‑first detection to spot abuse hidden inside legitimate workflows. Platform owners and registrars played critical roles in the disruption, reinforcing that cross‑sector collaboration — from cloud providers to ISPs and registrars — is repeatedly decisive in dismantling distributed control fabrics. For a technical writeup from the lead provider, see the Google Threat Intelligence blog: Disrupting GridTide.
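The API-telemetry, identity-first detection the paragraph calls for, shown as an added example that is not Google's tooling or anything from the GridTide report: a small Python scorer over constructed SaaS spreadsheet-API audit lines that flags a principal polling one endpoint at a fixed cadence from a non-browser client, the pattern that distinguishes implant check-ins from human editing of the same sheet. The log field layout, the user-agent heuristic and the cadence threshold are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real telemetry): "<ts> <principal> <endpoint> <user_agent>".
# host-17 polls the spreadsheet API every ~5 min from a scripting client;
# analyst-2 touches the same API at irregular, human-paced intervals.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host-17 sheets.api/v4/values:get python-requests/2.31
2024-05-01T09:05:02Z host-17 sheets.api/v4/values:get python-requests/2.31
2024-05-01T09:10:00Z host-17 sheets.api/v4/values:get python-requests/2.31
2024-05-01T09:15:03Z host-17 sheets.api/v4/values:get python-requests/2.31
2024-05-01T09:20:01Z host-17 sheets.api/v4/values:get python-requests/2.31
2024-05-01T09:02:11Z analyst-2 sheets.api/v4/values:get Mozilla/5.0
2024-05-01T09:31:40Z analyst-2 sheets.api/v4/values:get Mozilla/5.0
2024-05-01T10:47:05Z analyst-2 sheets.api/v4/values:get Mozilla/5.0
2024-05-01T11:02:19Z analyst-2 sheets.api/v4/values:get Mozilla/5.0
2024-05-01T12:15:00Z analyst-2 sheets.api/v4/values:get Mozilla/5.0
"""

def parse(log):
    """Group (timestamp, user_agent) pairs by (principal, endpoint)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, principal, endpoint, ua = line.split(maxsplit=3)
        series[(principal, endpoint)].append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ua))
    return series

def beacon_score(events, min_events=4):
    """Coefficient of variation of inter-request gaps; near 0 means a fixed cadence."""
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def flag_beacons(log, cv_threshold=0.15):
    """(principal, endpoint) pairs with regular cadence from a non-browser client (assumed heuristic)."""
    hits = []
    for key, events in parse(log).items():
        cv = beacon_score(events)
        browser = any(ua.startswith("Mozilla/") for _, ua in events)
        if cv is not None and cv < cv_threshold and not browser:
            hits.append(key)
    return hits
```

In production the same scoring would run over the provider's real audit export, keyed on the identity that authenticated to the API rather than on hostname alone.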