{"id":191657,"date":"2026-02-25T11:10:00","date_gmt":"2026-02-25T16:10:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/25\/china-linked-hackers-breached-dozens-of-telecoms-government-agencies\/"},"modified":"2026-02-28T16:10:23","modified_gmt":"2026-02-28T21:10:23","slug":"china-linked-hackers-breached-dozens-of-telecoms-government-agencies","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/25\/china-linked-hackers-breached-dozens-of-telecoms-government-agencies\/","title":{"rendered":"China-linked hackers breached dozens of telecoms, government agencies"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/china-cyberattacks-telecommunications-google-sheets\/813082\/\">China-linked hackers breached dozens of telecoms, government agencies<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/china-cyberattacks-telecommunications-google-sheets\/813082\/\">https:\/\/www.cybersecuritydive.com\/news\/china-cyberattacks-telecommunications-google-sheets\/813082\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-25 11:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms\u2019 legitimate features to hide the attackers\u2019 tracks.<br \/>\n\u201cThe attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,\u201d researchers at Google\u2019s Threat Intelligence Group and Mandiant said in a report on Wednesday.<br \/>\nGoogle said the \u201cprolific, elusive\u201d China-linked hacker team, which it tracks as UNC2814, \u201chas a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.\u201d<br \/>\nThe group breached 53 organizations worldwide as part of the latest campaign, a massive scope that Google said likely reflected \u201ca decade of concentrated effort.\u201d<\/p>\n<p>\u201cProlific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established,\u201d Google researchers wrote. \u201cWe expect that UNC2814 will work hard to re-establish their global footprint.\u201d<br \/>\nUNC2814, which is distinct from the threat actor responsible for Beijing\u2019s Salt Typhoon campaign, \u201chas a history of gaining entry by exploiting and compromising web servers and edge systems,\u201d Google said. 
Researchers have tracked its activities since 2017.<br \/>\nCommandeering a collaboration platform<br \/>\nIn the latest operation \u2014 which Google and its partners disrupted last week by seizing the attackers\u2019 infrastructure \u2014 the UNC2814 hackers deployed backdoor malware dubbed \u201cGRIDTIDE\u201d that they controlled through an elaborate abuse of the Google Sheets API.<br \/>\nGRIDTIDE looked for commands in cell A1 and then overwrote the cell\u2019s data with a status report on its activities, according to Google\u2019s report. The hackers used nearby cells to transfer additional tools to victim machines and exfiltrate files from them.<br \/>\n\u201cOnce the Sheet is prepared, the backdoor conducts host-based reconnaissance,\u201d Google said, including collecting information about the target machine, its user, and its network environment. \u201cThis information is then exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet.\u201d<br \/>\nThe campaign\u2019s clever techniques and widespread impact highlight \u201cthe serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,\u201d Google warned.<\/p>\n<p>Although the campaign is distinct from Salt Typhoon, Google said it seemed to have a similar goal, describing it as \u201cconsistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest.\u201d<br \/>\nKnocking the attackers offline<br \/>\nIn response to the hacking campaign, Google disabled the attackers\u2019 cloud platform access, and the company and its partners sinkholed the threat actor\u2019s web domains.<br \/>\n\u201cWe terminated all Cloud Projects controlled by the attacker, effectively severing their persistent access to environments compromised by the GRIDTIDE backdoor,\u201d the researchers wrote.<br \/>\nGoogle also released indicators of compromise associated 
with infrastructure the group has been using since 2023, updated its signature-based malware detections to spot GRIDTIDE and provided search queries that its cloud security customers could use to scan for potential compromises in their environments.<br \/>\nThe company said it had notified victims of the campaign.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China-linked hackers breached dozens of telecoms, government agencies https:\/\/www.cybersecuritydive.com\/news\/china-cyberattacks-telecommunications-google-sheets\/813082\/ Publish Date: 2026-02-25 11:10:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":191658,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/Sez0HVasbRkW2JMKJ1-AYOLMH4htIKCTVdLPPqE2s8Y\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0yMjA0MjYwNzIzLmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[35,32,34],"class_list":["post-191657","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-hacker","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/191657"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=191657"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/191657\/revisions"}],"predecessor-version":[{"id":191659,"href":"https:\/\/testing.news-you-need.com\/index.php\/
wp-json\/wp\/v2\/posts\/191657\/revisions\/191659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/191658"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=191657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=191657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=191657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}