UNC2814 global cyber-espionage campaign disrupted
Campaign
Summary
Hide ▲
Show ▼
The UNC2814 cyber-espionage campaign was disrupted, cutting off a long-running operation that had reached 53 victims in 42 nations and targeted government and telecommunications organizations worldwide. The group had been active since 2017 and used GridTide with Google Sheets as a command-and-control channel. Google terminated attacker-controlled cloud projects, disabled attacker accounts, and revoked abused API access, reducing the operator's ability to sustain access.
Related Happenings
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
Vulnerability
H score1
First: 16.06.2026 22:05
Last: 16.06.2026 22:05
Sources 1
About this happening:
**Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
VulnerabilityAbout this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025
Trend
H score38
First: 10.03.2026 17:30
Last: 10.03.2026 17:30
Sources 1
About this happening:
Threat actors targeting **Google Cloud environments** shifted in **H2 2025** from credential abuse to **unpatched third-party vulnerabilities**, materially changing initial-access...
Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025
TrendAbout this happening: Threat actors targeting **Google Cloud environments** shifted in **H2 2025** from credential abuse to **unpatched third-party vulnerabilities**, materially changing initial-access...
Timeline
-
26.02.2026 14:09 2 articles · 4mo ago
Google discloses and disrupts UNC2814 campaign
Initial DisclosureGoogle and international partners disrupted UNC2814, a China-linked cyber-espionage operation active since 2017 that targeted governments and global telecommunications organizations across Africa, Asia and the Americas. Google said the group used the GridTide backdoor to execute arbitrary shell commands, upload and download files, and use Google Sheets as a command-and-control channel; Google also terminated attacker-controlled Google Cloud Projects, disabled attacker accounts, and revoked abused Google Sheets API access.
Show sources
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09