
Google said Wednesday that it worked with industry partners to disrupt the infrastructure of a suspected China-aligned cyber espionage group tracked as UNC2814, which infiltrated at least 53 organizations in 42 countries.
“This prolific and elusive threat actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” Google Threat Intelligence Group (GTIG) and Mandiant said in a report released today.
UNC2814 is also suspected of being linked to additional infections in more than 20 other countries. Google, which has been tracking the group since 2017, has observed it using API calls to software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure, the aim being to disguise malicious traffic as harmless, it added.
At the center of the group’s efforts is a new backdoor called GRIDTIDE, which uses the Google Sheets API as a communication channel to disguise C2 traffic and carry raw data and shell commands. The C-based malware supports file upload and download and the execution of arbitrary shell commands.
Exactly how UNC2814 gained initial access remains a subject of investigation, but the group is said to have a history of exploiting and compromising web servers and edge systems.
The attackers leverage service accounts to move laterally within the environment via SSH. They also use living-off-the-land (LotL) binaries to perform reconnaissance, escalate privileges, and establish backdoor persistence.
“To achieve persistence, the attacker created a service for the malware in /etc/systemd/system/xapt.service, and once enabled, new instances of the malware were spawned from /usr/sbin/xapt,” Google explained.
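The systemd persistence described above is something a defender can hunt for directly: a unit file in /etc/systemd/system whose ExecStart binary is not owned by any installed package. The script below is an added example written for this article, not code from Google or Mandiant. It parses unit files, strips systemd's ExecStart prefix characters, and asks the package manager (dpkg on Debian-family hosts; other managers would need their own lookup) whether the binary is packaged. The unit texts, the allowlist and the lookup used in the demo are constructed for the example; the file paths /etc/systemd/system/xapt.service and /usr/sbin/xapt come from the report.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, List, Optional

# Matches the first ExecStart= line (not ExecStartPre/Post) of a unit file.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*(.*)$", re.MULTILINE)


@dataclass
class UnitFinding:
    unit: str
    exec_path: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def exec_start_binary(unit_text: str) -> Optional[str]:
    """Return the binary of the first ExecStart= line, with systemd's
    special prefixes (-, @, :, +, !, !!) and surrounding quotes removed."""
    m = EXEC_RE.search(unit_text)
    if not m:
        return None
    value = m.group(1).strip()
    if not value:
        return None
    first = value.split()[0].lstrip("-@:+!").strip("\"'")
    return first or None


def dpkg_owns(path: str) -> bool:
    """Ask dpkg whether an installed package owns the file.
    Returns False when dpkg is absent, so 'unknown' is treated as unowned."""
    if shutil.which("dpkg") is None:
        return False
    res = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return res.returncode == 0


def triage_unit(name: str, unit_text: str,
                package_owned: Callable[[str], bool] = dpkg_owns) -> UnitFinding:
    """Flag a unit whose ExecStart binary is relative, unpackaged, or
    whose unit carries no Description= (legitimate units almost always do)."""
    path = exec_start_binary(unit_text)
    finding = UnitFinding(name, path)
    if path is None:
        return finding
    if not path.startswith("/"):
        finding.reasons.append("ExecStart is not an absolute path")
    if not package_owned(path):
        finding.reasons.append(f"{path} is not owned by any installed package")
    if "Description=" not in unit_text:
        finding.reasons.append("unit has no Description=")
    return finding


def triage_directory(unit_dir: str = "/etc/systemd/system",
                     package_owned: Callable[[str], bool] = dpkg_owns) -> List[UnitFinding]:
    """Triage every *.service file in a directory (admin-created units live here)."""
    return [triage_unit(p.name, p.read_text(errors="replace"), package_owned)
            for p in sorted(Path(unit_dir).glob("*.service"))]


# Constructed sample units for the demo: one modelled on the xapt.service
# persistence from the report, one resembling a packaged sshd unit.
SAMPLE_UNITS = {
    "xapt.service": "[Unit]\n[Service]\nExecStart=/usr/sbin/xapt\nRestart=always\n"
                    "[Install]\nWantedBy=multi-user.target\n",
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n"
                   "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
}
# Constructed stand-in for the package database so the demo runs offline.
KNOWN_PACKAGED = {"/usr/sbin/sshd"}

if __name__ == "__main__":
    for unit_name, text in SAMPLE_UNITS.items():
        f = triage_unit(unit_name, text, package_owned=lambda p: p in KNOWN_PACKAGED)
        print(unit_name, f.exec_path,
              "SUSPICIOUS: " + "; ".join(f.reasons) if f.suspicious else "ok")
```

On a live host, call triage_directory() with the default dpkg lookup; the three checks are deliberately cheap so the script can run from a cron job or an EDR script task, and an unpackaged binary under /usr/sbin is exactly the shape of finding the report describes.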
Another highlight is the use of SoftEther VPN Bridge to establish outbound encrypted connections to external IP addresses. It is worth noting that abuse of SoftEther VPN has been observed across multiple Chinese hacking groups.
There is evidence that GRIDTIDE was dropped on endpoints containing personally identifiable information (PII), consistent with a cyber espionage campaign focused on monitoring persons of interest. However, Google said it was not aware of any data exfiltration occurring during the campaign.
GRIDTIDE execution lifecycle
GRIDTIDE’s C2 relies on cell-based polling, in which specific spreadsheet cells are assigned specific roles to enable two-way communication.
The malware polls cell A1 for the attacker’s command and overwrites it with a status response (such as SCR, short for Server-Command-Success); cells A2 through An carry data such as command output and files; and cell V1 stores system information gathered from the victim endpoint.
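Because the implant has to poll the A1 cell on a schedule, the traffic it produces looks like a machine-regular stream of requests from one host to one spreadsheet, which is the property a defender can detect in proxy or DNS logs. The script below is an added example for this article, not code from the report. It groups Sheets API requests by source host and spreadsheet id and flags groups whose inter-request intervals have low jitter. The log format, hosts and timestamps are constructed; SHEET_ID_PLACEHOLDER stands in for a real spreadsheet id. The /v4/spreadsheets/{id}/values/{range} path is the real Sheets API v4 shape.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed proxy-log format: "<iso-timestamp> <src-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
# Extracts the spreadsheet id from a Sheets API v4 URL.
SHEET_RE = re.compile(r"https://sheets\.googleapis\.com/v4/spreadsheets/([^/?]+)")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["url"]


def sheets_sessions(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Collect request timestamps per (source host, spreadsheet id)."""
    per_key = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, src, _method, url = parsed
        m = SHEET_RE.search(url)
        if m:
            per_key[(src, m.group(1))].append(ts)
    return per_key


def beacon_score(timestamps: List[datetime], min_requests: int = 6) -> Optional[Tuple[float, float]]:
    """Return (mean interval in seconds, jitter ratio = stdev/mean), or None
    when there are too few requests to judge. A low ratio means the cadence is
    near-fixed, which is what a polling implant produces and a human does not."""
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines: List[str], max_jitter: float = 0.2, min_requests: int = 6) -> List[dict]:
    """Report (host, spreadsheet) pairs that poll the Sheets API at a regular cadence."""
    hits = []
    for (src, sheet), stamps in sheets_sessions(lines).items():
        score = beacon_score(stamps, min_requests)
        if score and score[1] <= max_jitter:
            hits.append({"src": src, "spreadsheet": sheet, "requests": len(stamps),
                         "interval_s": round(score[0]), "jitter": round(score[1], 3)})
    return hits


# Constructed sample log: 10.0.0.5 polls one cell roughly every 60 s (implant-like);
# 10.0.0.9 touches a spreadsheet at irregular human-like intervals.
POLL_URL = "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1"
USER_URL = "https://sheets.googleapis.com/v4/spreadsheets/OTHER_SHEET_PLACEHOLDER/values/B2:D10"
SAMPLE_LOG = [
    f"2024-01-01T10:{mm} 10.0.0.5 GET {POLL_URL}"
    for mm in ("00:00", "01:02", "02:00", "02:59", "04:01", "05:00", "06:00", "07:01")
] + [
    f"2024-01-01T{hhmm} 10.0.0.9 GET {USER_URL}"
    for hhmm in ("10:00:00", "10:00:05", "10:05:05", "10:05:25", "10:20:25", "10:21:25")
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> spreadsheet {hit['spreadsheet']}: "
              f"{hit['requests']} requests, ~{hit['interval_s']}s apart, jitter {hit['jitter']}")
```

The thresholds (six requests, 20% jitter) are a starting point; because the SaaS API itself is legitimate, the useful context is which hosts have a business reason to talk to Sheets at all, so pair the output with an inventory of expected API consumers rather than blocking the domain outright.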
As part of its actions, Google said it shut down all Google Cloud projects controlled by the attackers, disabled all known UNC2814 infrastructure, and cut off access both to attacker-controlled accounts and to the Google Sheets API calls the attackers were leveraging for command and control (C2).
The tech giant described UNC2814 as one of the “most widespread and impactful campaigns” it has encountered in recent years, adding that it has issued formal victim notifications to each target and is actively supporting organizations confirmed to have been compromised by this threat.
The discovery is one of many simultaneous efforts by Chinese nation-state groups to embed themselves in networks for long-term access. It also highlights that the network edge continues to bear the brunt of Internet-wide exploitation attempts, with threat actors frequently exploiting vulnerabilities and misconfigurations in edge appliances as common entry points into corporate networks.
These appliances have become attractive targets in recent years, as they typically lack endpoint malware detection capabilities but provide direct network access and pivot points to internal services if compromised.
“The global reach of UNC2814, evidenced by confirmed or suspected activity in more than 70 countries, highlights the serious threats facing communications and government sectors and the ability of these intrusions to evade detection by defenders,” Google said.
“Major intrusions of this magnitude are typically the result of years of intensive efforts and are not easily re-established. We look forward to working hard for UNC2814 to re-establish its global presence.”
