
UNC2814 multi-country cyber espionage campaign

Campaign
H score 36
1 unique source, 1 article

Summary


The UNC2814 espionage campaign was disrupted after it was tied to breaches at 53 organizations across 42 countries, reducing infrastructure used for long-term access and data collection. The group had also been linked to infections in more than 20 additional nations and to operations spanning over 70 countries. Its tradecraft relied on Google Sheets API-based command-and-control, GRIDTIDE backdoors, and covert lateral movement inside victim environments. The disruption matters because the activity focused on governments and telecommunications organizations across Africa, Asia, and the Americas.

Related Happenings

Unit 42 Zealot proves autonomous cloud attack chaining in GCP

Technical Analysis
First: 23.04.2026 13:00 Last: 23.04.2026 13:00 Sources 1

About this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

UNC4899 cryptocurrency cloud compromise campaign

Campaign
First: 09.03.2026 16:50 Last: 09.03.2026 16:50 Sources 1

About this happening: The **UNC4899** campaign against a **cryptocurrency organization** in **2025** escalated into a **cloud compromise** that enabled theft of **millions of dollars** in digital asset...

MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm

Campaign
First: 06.03.2026 12:23 Last: 06.03.2026 12:23 Sources 1

About this happening: **MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...

UNC2814 global cyber-espionage campaign disrupted

Campaign
First: 26.02.2026 14:09 Last: 26.02.2026 14:09 Sources 1

About this happening: The **UNC2814** cyber-espionage campaign was disrupted, cutting off a long-running operation that had reached **53 victims in 42 nations** and targeted **government** and **teleco...

Timeline

  1. 25.02.2026 19:46 (2 articles)

    UNC2814 infrastructure disruption disclosed

    Initial Disclosure

    Google disclosed that it worked with industry partners to disrupt infrastructure used by UNC2814, a suspected China-nexus cyber espionage group tied to breaches of at least 53 organizations across 42 countries. Google said the group used GRIDTIDE backdoors, Google Sheets API-based command-and-control, service-account lateral movement over SSH, living-off-the-land binaries, and SoftEther VPN Bridge. It also noted suspected links to more than 20 additional nations, confirmed or suspected activity in over 70 countries, formal victim notifications, support for verified compromises, and no observed data exfiltration during the campaign.
