China-linked hackers used Google Sheets to spy on telecoms and governments across 42 countries

Summary

A China-linked espionage group tracked as UNC2814 has been using Google Sheets as a command-and-control (C2) channel to spy on telecommunications providers and government agencies across 42 countries. Google's Threat Intelligence Group (GTIG) and Mandiant disrupted the activity. The group's tooling used the Google Sheets API to retrieve operator commands and to upload stolen data, so its C2 traffic travelled over ordinary HTTPS sessions to a Google-owned domain rather than to attacker-controlled infrastructure.

IFF Assessment

FOE

Abusing a legitimate web service as a C2 channel is a well-established technique, but this campaign shows why it remains hard to detect: the implant's traffic goes to a trusted Google domain over TLS, looks like routine Workspace API use, and never touches attacker-owned infrastructure that reputation feeds or blocklists could catch. For the telecom and government targets named here, that makes the China-linked group behind it a threat that will not be stopped by domain or IP blocking alone.

Defender Context

Legitimate cloud services can serve as C2 infrastructure, and domain reputation alone will not expose them. Defenders should baseline which hosts and accounts have a business reason to call the Google Sheets API (sheets.googleapis.com) and alert on calls from hosts outside that baseline, on non-browser user agents making those calls, on fixed-interval request patterns that look like beaconing, and, where TLS inspection is available, on authentication to Google accounts or service accounts outside the organization's own tenant. Because the network traffic blends in, endpoint detection and response (EDR) coverage carries most of the weight: the process making the API calls, its parent process, and its persistence mechanism are the anomalies that remain visible. Organizations should also restrict reachability of Google APIs from network segments with no business case for them and review existing API and OAuth access grants.
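The following is an added example of the proxy-log hunt described above; it is not code from the article, from GTIG or from Mandiant. It assumes a simplified proxy log format (ISO timestamp, source host, method, URL, quoted user agent), and the host names, spreadsheet IDs and log lines are constructed for the example. It flags hosts whose Sheets API calls arrive at a nearly fixed interval (low coefficient of variation of the inter-request gaps) or come from a non-browser user agent, after skipping hosts on an allowlist of known automation. The thresholds (four calls, CV of 0.2) are assumptions to tune against your own baseline.

```python
"""Hunt for Google Sheets API beaconing in proxy logs (added example, not from the article)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log lines for this example; not real traffic.
# Assumed format: <ISO timestamp> <source host> <method> <URL> "<user agent>"
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-101 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B10 "curl/8.4.0"
2024-05-01T09:00:02Z ws-101 GET https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:05:01Z ws-101 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B10 "curl/8.4.0"
2024-05-01T09:09:58Z ws-101 POST https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!C1:append "curl/8.4.0"
2024-05-01T09:15:03Z ws-101 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B10 "curl/8.4.0"
2024-05-01T09:19:59Z ws-101 GET https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B10 "curl/8.4.0"
2024-05-01T09:00:00Z etl-01 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "python-requests/2.31.0"
2024-05-01T09:30:00Z etl-01 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "python-requests/2.31.0"
2024-05-01T10:00:00Z etl-01 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "python-requests/2.31.0"
2024-05-01T10:30:00Z etl-01 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "python-requests/2.31.0"
2024-05-01T11:00:00Z etl-01 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "python-requests/2.31.0"
2024-05-01T09:02:13Z ws-202 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T11:47:55Z ws-202 POST https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1:append "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:02:13Z ws-303 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T09:40:50Z ws-303 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:03:11Z ws-303 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T12:15:44Z ws-303 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T14:00:00Z ws-303 GET https://sheets.googleapis.com/v4/spreadsheets/fin2024/values/Q1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
SHEETS_API = "https://sheets.googleapis.com/v4/spreadsheets/"

REASON_BEACON = "regular request cadence to the Sheets API"
REASON_UA = "non-browser user agent calling the Sheets API"


def parse_sheets_calls(log_text):
    """Return {host: [(timestamp, method, url, user_agent), ...]} for Sheets API calls only."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, ua = m.groups()
        if not url.startswith(SHEETS_API):
            continue  # other Google traffic (search, Gmail, ...) is not what we are hunting
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        calls[host].append((when, method, url, ua))
    for host in calls:
        calls[host].sort()
    return calls


def cadence_cv(times):
    """Coefficient of variation of inter-request gaps; a low value means a fixed beacon interval."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def hunt(log_text, allowlist=frozenset(), min_calls=4, max_cv=0.2):
    """Return {host: [reasons]} for hosts whose Sheets API use looks like C2 rather than Workspace use."""
    findings = {}
    for host, calls in parse_sheets_calls(log_text).items():
        if host in allowlist:
            continue  # known automation (e.g. an ETL job) with a business reason to call the API
        reasons = []
        if len(calls) >= min_calls:
            cv = cadence_cv([c[0] for c in calls])
            if cv is not None and cv <= max_cv:
                reasons.append(REASON_BEACON)
        if any(not c[3].startswith("Mozilla/") for c in calls):
            reasons.append(REASON_UA)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOG, allowlist=frozenset({"etl-01"})).items():
        print(host, "->", "; ".join(reasons))
```

On the sample data, ws-101 is flagged on both cadence and user agent, etl-01 is suppressed only because it is allowlisted (drop the allowlist and it is flagged too, which is the point of baselining known automation first), and the two browser-driven hosts pass. Two caveats: an implant can spoof a browser user agent, so the cadence check is the more durable signal; and without TLS inspection the proxy sees only the SNI, so the URL prefix match must be replaced by a host match on sheets.googleapis.com and the hunt leans entirely on cadence and on which hosts are talking to it at all.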
