Another Tentacle of China’s Cyber Espionage Program Disrupted as Google Takes Down GRIDTIDE Infrastructure
March 3, 2026
Google and Mandiant bring news of yet another group that was operating largely below the radar, yet having great success compromising government and telecoms victims throughout the world since at least 2017. In total the gang racked up suspected intrusions in about 70 nations, with 53 confirmed breaches during operations running from 2018 to last year.
Even the best security experts are not entirely sure how many cyber espionage teams the Chinese government has roaming the internet, but common estimates put the number at over 200.
This group (UNC2814) was noteworthy not just for its sustained success without drawing much high-profile attention, but also for its creative use of Google Sheets to mask its command-and-control communications. Google has stated that the Sheets API itself is not vulnerable; the attackers simply found clever ways to use its legitimate functions to run and cloak their operations.
Unusual Chinese cyber espionage team hid hacking activity as normal business traffic
In terms of initial access, each of the Chinese cyber espionage teams is fairly predictable: they favor low-visibility edge devices with known vulnerabilities that have not been patched, and apparently invest a great deal of time and money in scanning for them. Their tradecraft becomes more creative and individualized once they are inside the walls.
In this case, Google's Threat Intelligence team documents some of the group's tactics using the example of a compromised CentOS server discovered by Mandiant. The group deployed its signature GRIDTIDE backdoor, which carries a 16-byte cryptographic key used to decrypt its Google Drive configuration data. That configuration ties the malware to the Google service account the backdoor uses to authenticate to the API and reach the Google Sheets document that serves as its command-and-control channel. This traffic is then routed through a number of legitimate rented cloud services so that it blends in with everyday business activity.
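The report describes the technique (a backdoor on a server authenticating with a Google service account and polling a Sheets document for tasking) but does not publish the group's request pattern, polling interval, or spreadsheet identifiers, so the following is an added detection example written for this article, not Google's or Mandiant's code. It hunts web-proxy logs for servers (as opposed to user workstations, which legitimately use Sheets) that POST to the OAuth2 token endpoint, the endpoint a service account's JWT-bearer grant uses, and then call sheets.googleapis.com at tightly regular intervals. The log format, hostnames, spreadsheet IDs, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real telemetry), one request per line:
#   timestamp src_host method dest_host path
SAMPLE_LOG = """\
2026-02-10T09:00:02Z srv-db01 POST oauth2.googleapis.com /token
2026-02-10T09:00:03Z srv-db01 GET sheets.googleapis.com /v4/spreadsheets/sheetA/values/Sheet1!A1:B50
2026-02-10T09:00:41Z ws-alice GET sheets.googleapis.com /v4/spreadsheets/sheetQ/values/Budget!A1:Z100
2026-02-10T09:02:00Z srv-web02 POST oauth2.googleapis.com /token
2026-02-10T09:02:01Z srv-web02 GET sheets.googleapis.com /v4/spreadsheets/sheetR/values/Export!A1:C10
2026-02-10T09:05:03Z srv-db01 GET sheets.googleapis.com /v4/spreadsheets/sheetA/values/Sheet1!A1:B50
2026-02-10T09:10:04Z srv-db01 GET sheets.googleapis.com /v4/spreadsheets/sheetA/values/Sheet1!A1:B50
2026-02-10T09:15:03Z srv-db01 GET sheets.googleapis.com /v4/spreadsheets/sheetA/values/Sheet1!A1:B50
2026-02-10T09:20:03Z srv-db01 GET sheets.googleapis.com /v4/spreadsheets/sheetA/values/Sheet1!A1:B50
2026-02-10T11:17:09Z ws-alice GET sheets.googleapis.com /v4/spreadsheets/sheetQ/values/Budget!A1:Z100
"""


def parse_log(text):
    """Parse the simplified proxy log into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": host,
            "path": path,
        })
    return records


def find_sheets_beacons(records, server_prefix="srv-", min_requests=4, max_cv=0.2):
    """Return {server: evidence} for servers polling the Sheets API on a steady cadence.

    server_prefix, min_requests and max_cv are assumed thresholds for this example.
    A host is flagged when it made at least min_requests calls to sheets.googleapis.com
    whose inter-request gaps have a coefficient of variation (stdev / mean) <= max_cv,
    i.e. machine-like polling rather than a human opening a spreadsheet.
    """
    sheets_hits = defaultdict(list)
    token_posts = set()
    for r in records:
        if not r["src"].startswith(server_prefix):
            continue  # workstations use Sheets legitimately; servers rarely should
        if r["host"] == "oauth2.googleapis.com" and r["method"] == "POST" and r["path"] == "/token":
            # A server POSTing to the token endpoint is consistent with service-account
            # (JWT-bearer) auth. The proxy log cannot see grant_type, so this is
            # supporting evidence, not proof.
            token_posts.add(r["src"])
        elif r["host"] == "sheets.googleapis.com":
            sheets_hits[r["src"]].append(r["ts"])

    findings = {}
    for src, stamps in sheets_hits.items():
        if len(stamps) < max(min_requests, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv > max_cv:
            continue
        findings[src] = {
            "sheets_requests": len(stamps),
            "mean_interval_s": avg,
            "interval_cv": cv,
            "token_endpoint_auth": src in token_posts,
        }
    return findings


if __name__ == "__main__":
    for host, evidence in find_sheets_beacons(parse_log(SAMPLE_LOG)).items():
        print(host, evidence)
```

In the sample, srv-db01 polls its sheet every five minutes with almost no jitter and is flagged; srv-web02 made only two calls and ws-alice is a workstation, so neither is. Against real proxy data, the spreadsheet ID in the path and the service-account identity (visible in Google Workspace audit logs, not in the proxy) are the pivots for scoping the intrusion.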
Interestingly, this case study does not include any observation of the attacker exfiltrating sensitive data; in fact, the researchers say they did not directly observe exfiltration anywhere. The hackers did, however, park GRIDTIDE on a server known to hold a large amount of sensitive PII, and other aspects of the intrusion resemble Chinese cyber espionage campaigns built for "low and slow" data theft over extended periods.
No new vulnerabilities in Google products discovered
Two other important notes come out of the report: the hackers were not abusing any vulnerability in Google products for this campaign, and they appear to be distinct from the other big Chinese cyber espionage teams (such as the assorted "Typhoon" groups).
Those 53 confirmed breaches, spread across some 70 countries between 2018 and last year, fell disproportionately on government and telecommunications organizations, another clear marker of Chinese cyber espionage.
So is the GRIDTIDE gang no longer a threat? Google says it disabled the accounts the group was abusing and took down all of its known infrastructure, which could set the operation back for quite some time. However, as with all of these groups, absent arrests one should expect it to return within a period ranging from months to years.