UNC2814 global cyber-espionage campaign disrupted
Campaign
Summary
The UNC2814 cyber-espionage campaign was disrupted, cutting off a long-running operation that had reached 53 victims in 42 nations and targeted government and telecommunications organizations worldwide. The group had been active since 2017 and used the GridTide backdoor, which relied on Google Sheets as its command-and-control channel. Google terminated attacker-controlled cloud projects, disabled attacker accounts, and revoked the abused API access, reducing the operator's ability to sustain access to victims.
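The detail that matters to a defender here is the transport: a backdoor that polls a Google Sheet for tasking and writes results back hides inside TLS traffic to a legitimate Google API host. The script below is an added example of how to hunt for that pattern in proxy logs; it is not Google's detection content and not derived from GridTide samples. Everything in it is an assumption made for illustration: the log format, the host names, the allowlist of hosts expected to use the Sheets API, and the specific "regular GET polling of one spreadsheet plus occasional writes" signature. The sample log lines are constructed.

```python
"""Hunt for Google Sheets API traffic that looks like command-and-control polling.

Added example (not Google's or any vendor's detection logic). Assumptions:
- Proxy logs are lines of "timestamp src_host METHOD host path" (constructed format).
- The Sheets REST endpoint is sheets.googleapis.com (the v4 API host).
- An implant polls one spreadsheet at a near-fixed interval from a host with no
  business reason to use the Sheets API, and writes results back to the same sheet.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

SHEETS_API_HOST = "sheets.googleapis.com"
# Assumption: hosts known to use the Sheets API legitimately (tune per environment).
EXPECTED_SHEETS_CLIENTS = {"reporting-01"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")
SHEET_ID_RE = re.compile(r"^/v4/spreadsheets/(?P<sid>[^/?]+)")

# Constructed sample: ws-0421 polls one sheet every ~60 s and appends to it once;
# reporting-01 reads sheets at irregular, human-like intervals.
SAMPLE_LOG = """\
2026-02-20T09:00:00Z ws-0421 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50
2026-02-20T09:00:00Z reporting-01 GET sheets.googleapis.com /v4/spreadsheets/1ZyXwVuTsRqP/values/Q1!A1:F200
2026-02-20T09:00:12Z ws-0421 GET www.googleapis.com /oauth2/v3/tokeninfo
2026-02-20T09:01:01Z ws-0421 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50
2026-02-20T09:02:00Z ws-0421 POST sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!C1:append
2026-02-20T09:02:02Z ws-0421 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50
2026-02-20T09:03:01Z ws-0421 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50
2026-02-20T09:04:00Z ws-0421 GET sheets.googleapis.com /v4/spreadsheets/1AbCdEfGhIjK/values/Sheet1!A1:B50
2026-02-20T09:07:30Z reporting-01 GET sheets.googleapis.com /v4/spreadsheets/1ZyXwVuTsRqP/values/Q1!A1:F200
2026-02-20T09:31:05Z reporting-01 GET sheets.googleapis.com /v4/spreadsheets/1ZyXwVuTsRqP/values/Q2!A1:F200
2026-02-20T09:58:00Z reporting-01 GET sheets.googleapis.com /v4/spreadsheets/1ZyXwVuTsRqP/values/Q2!A1:F200
"""


def parse_events(lines):
    """Yield (timestamp, src_host, method, spreadsheet_id) for Sheets API requests only."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"] != SHEETS_API_HOST:
            continue
        sm = SHEET_ID_RE.match(m["path"])
        if not sm:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["method"], sm["sid"]


def profile_clients(lines):
    """Group requests per (source host, spreadsheet) and measure the read cadence.

    gap_cv is the coefficient of variation of the gaps between reads: a scripted
    poller sits near 0, a human user produces large, irregular gaps.
    """
    reads = defaultdict(list)
    writes = defaultdict(int)
    for ts, src, method, sid in parse_events(lines):
        if method == "GET":
            reads[(src, sid)].append(ts)
        else:  # PUT/POST: values written back to the sheet (results, in the C2 case)
            writes[(src, sid)] += 1
    profiles = []
    for (src, sid), stamps in reads.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.stdev(gaps) / mean if len(gaps) >= 2 and mean > 0 else float("inf")
        profiles.append({"src": src, "sheet_id": sid, "reads": len(stamps),
                         "writes": writes.get((src, sid), 0),
                         "mean_gap_s": round(mean, 1), "gap_cv": round(cv, 3)})
    return profiles


def hunt(lines, min_reads=4, max_cv=0.2):
    """Return (host, sheet) pairs whose read cadence is machine-regular, with reasons."""
    flagged = []
    for p in profile_clients(lines):
        if p["reads"] < min_reads or p["gap_cv"] > max_cv:
            continue
        reasons = ["regular polling"]
        if p["src"] not in EXPECTED_SHEETS_CLIENTS:
            reasons.append("unexpected client")
        if p["writes"]:
            reasons.append("writes back to polled sheet")
        flagged.append({**p, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

Two caveats when running this against real logs: the proxy must record the destination host (from SNI or CONNECT), since the path is only visible if TLS is inspected, and legitimate integrations also poll sheets on a timer, so the cadence check is a triage signal to combine with the allowlist and with endpoint telemetry (which process opened the connection), not a verdict on its own.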
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025
Target Trend
First: 10.03.2026 17:30
Last: 10.03.2026 17:30
Sources 1
About this happening:
Threat actors targeting **Google Cloud environments** shifted in **H2 2025** from credential abuse to **unpatched third-party vulnerabilities**, materially changing initial-access...
Google Looker Studio cross-tenant SQL injection flaws
Vulnerability
First: 10.03.2026 15:20
Last: 10.03.2026 15:20
Sources 1
About this happening:
Researchers disclosed **nine cross-tenant vulnerabilities** in **Google Looker Studio** that could let attackers run **arbitrary SQL queries** on victims' databases and exfiltrate...
Cloud environments third-party flaw exploitation wave
Exploitation Wave
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Timeline
- 26.02.2026 14:09 · 2 articles
Google discloses and disrupts UNC2814 campaign
Initial Disclosure: Google and international partners disrupted UNC2814, a China-linked cyber-espionage operation active since 2017 that targeted governments and global telecommunications organizations across Africa, Asia and the Americas. Google said the group used the GridTide backdoor to execute arbitrary shell commands, upload and download files, and use Google Sheets as a command-and-control channel; Google also terminated attacker-controlled Google Cloud projects, disabled attacker accounts, and revoked abused Google Sheets API access.
- Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign — www.infosecurity-magazine.com — 26.02.2026 14:09