Google announced on Wednesday that it disrupted a long-running cyber-espionage operation linked to China, impacting at least 53 organizations across 42 countries. The hacking cluster, which Google tracks as UNC2814 and refers to as "Gallium," has a nearly decade-long track record of intrusions into government entities and telecommunications providers, according to the company.
"This was a vast surveillance apparatus used to spy on people and organizations throughout the world," John Hultquist, chief analyst with Google Threat Intelligence Group, said.
Google described a coordinated takedown that included terminating Google Cloud projects under the attackers' control, identifying and disabling internet infrastructure the group relied upon, and disabling accounts the group used to access Google Sheets. The company said the attackers used Google Sheets to conduct targeting and to extract data because the platform helped them blend into routine network traffic. Google emphasized that this technique was not a compromise of any Google product.
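One way a defender could hunt for the pattern described above in outbound proxy logs, as an added example that is not part of the original article or Google's report (the log format, host naming convention, byte threshold and the sample lines are all assumptions constructed for illustration):

```python
"""
Added example: flag internal hosts whose uploads to the Google Sheets API
look unlike normal interactive use. Log format, host-name prefixes and the
byte threshold are assumptions; the log lines are constructed, not real.
"""
from collections import defaultdict

# Constructed proxy log lines: timestamp, source host, method, destination, bytes sent
SAMPLE_LOGS = """\
2024-05-01T09:00:01 ws-alice POST sheets.googleapis.com 2048
2024-05-01T09:00:05 ws-alice GET docs.google.com 512
2024-05-01T02:13:10 db-srv-07 POST sheets.googleapis.com 1048576
2024-05-01T02:14:10 db-srv-07 POST sheets.googleapis.com 1310720
2024-05-01T02:15:10 db-srv-07 POST sheets.googleapis.com 980000
2024-05-01T10:00:00 ws-bob POST sheets.googleapis.com 4096
"""

SHEETS_HOSTS = {"sheets.googleapis.com"}
BYTES_THRESHOLD = 1_000_000            # assumed: well above what a user editing a sheet sends
SERVER_PREFIXES = ("db-", "app-", "srv-")  # assumed naming convention for server-class hosts


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, method, dst, nbytes = line.split()
    return {"ts": ts, "src": src, "method": method, "dst": dst, "bytes": int(nbytes)}


def flag_hosts(log_text):
    """Return {source_host: [reasons]} for hosts whose Sheets uploads warrant review."""
    sent = defaultdict(int)   # bytes POSTed to the Sheets API per source host
    posts = defaultdict(int)  # number of POSTs per source host
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] in SHEETS_HOSTS and rec["method"] == "POST":
            sent[rec["src"]] += rec["bytes"]
            posts[rec["src"]] += 1
    flagged = {}
    for host, total in sent.items():
        reasons = []
        if host.startswith(SERVER_PREFIXES):
            reasons.append("server-class host writing to Sheets API")
        if total > BYTES_THRESHOLD:
            reasons.append(f"{total} bytes uploaded across {posts[host]} POSTs")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

Workstation traffic to Sheets stays below the threshold and is ignored; the server that uploads several megabytes in a few minutes is the one reported.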
Charlie Snyder, senior manager of Google Threat Intelligence Group, said the firm confirmed the group had gained access to 53 unnamed entities spread across the 42 countries. At the time Google disrupted the activity, Snyder added, the group had potential access in at least 22 additional countries. He declined to name the organizations that were compromised.
In one documented instance, the attackers installed a backdoor Google calls "GRIDTIDE" on a system that contained extensive personally identifying information, Snyder said. The system reportedly held full names, phone numbers, dates of birth, places of birth, voter ID entries and national ID numbers. Google characterized this pattern of targeting as consistent with operations intended to identify and follow specific individuals.
The company also noted that similar campaigns have been used for a broader set of surveillance actions. "Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco's lawful intercept capabilities," the company said.
The Chinese Embassy responded through spokesperson Liu Pengyu, saying: "cyber security is a common challenge faced by all countries and should be addressed through dialogue and cooperation. China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cyber security issues to smear or slander China."
Google also clarified that the activity it disrupted is separate from another high-profile, telecom-focused campaign tracked as "Salt Typhoon." That other campaign - which the U.S. government has linked to China - targeted hundreds of U.S. organizations as well as prominent U.S. political figures, Google said.
This announcement highlights the ways adversaries can repurpose widely used collaboration tools and cloud resources to evade detection. The incident underscores threats to telecommunications providers and government systems in particular, and reflects the operational trade-offs attackers make to hide malicious traffic within benign-looking services.