Spreadsheets represent an everyday tool in contemporary workplaces, often overlooked in daily routines. Yet, as worldwide networks become ever more linked, even routine applications can serve as entry points for threats. Google has revealed how it halted an extensive hacking effort that relied on its Sheets platform to covertly monitor individuals.
In collaboration with Mandiant, acquired by Google in 2022, the company's Threat Intelligence Group has identified the perpetrators as UNC2814, an entity tied to China with nearly ten years of activity. The analysis indicates that the attackers built a covert access mechanism via the Google Sheets API, enabling the gathering of user identifiers, device names, network locations, and additional data. This operation resembled targeted intelligence gathering by a government rather than outright data theft or disruption.
Dubbed GRIDTIDE by researchers, this setup has been active starting in 2023, affecting confirmed breaches across 42 countries involving 53 entities, alongside suspicions of involvement in 20 more nations. Google attributes the operation's broad reach to years of dedicated work, primarily aimed at sectors like telecommunications and public administration.
The network now stands dismantled, rendered ineffective according to the Threat Intelligence Group's assessment. Google has terminated the accounts responsible for deploying GRIDTIDE, along with related web domains and supporting systems, and has directly informed those impacted.