Can Google Sheets be used for espionage?

China-linked hackers exploited app to spy on telecoms and governments

AI-Synthesized from 1 source

By Emergent News Desk

Thursday, February 26, 2026

Google's Threat Intelligence Group (GTIG) has exposed a China-linked espionage group that leveraged Google Sheets, a seemingly innocuous spreadsheet application, to compromise telecom providers and government agencies across 42 countries. The group, identified as UNC2814, has been tracked by GTIG since 2017 and has a history of targeting international governments and global telecommunications organizations.

According to GTIG, UNC2814 used Google Sheets as a command-and-control (C2) channel to send commands to compromised organizations and receive stolen data from them. This tactic allowed the group to fly under the radar, as Google Sheets is a legitimate application widely used by businesses and individuals. The group's use of Google Sheets as a C2 channel is a new twist in the cat-and-mouse game between hackers and cybersecurity experts.

GTIG worked with Mandiant, a cybersecurity firm, to confirm intrusions at 53 organizations across 42 countries, with suspected infections in at least 20 more. The affected organizations span Africa, Asia, and the Americas, highlighting the global reach of UNC2814's operations. The group's targets include telecom providers, government agencies, and other organizations that handle sensitive information.

UNC2814's tactics are distinct from those of another China-linked group, Salt Typhoon, which drew scrutiny from Congress and federal regulators last year for its intrusions into US telecom carriers. While Salt Typhoon focused on the US, UNC2814 has a broader global reach, targeting a different set of victims.

The use of Google Sheets as a C2 channel is a clever tactic, as it allows UNC2814 to blend in with legitimate traffic. Google Sheets is a cloud-based application that enables real-time collaboration and data sharing. By using Google Sheets, UNC2814 can send commands and receive stolen data without arousing suspicion.
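One way a defender can look for this kind of traffic is sketched below as an added example (not code from GTIG, Mandiant or the article): it flags non-browser processes that call the Google Sheets API at near-constant intervals. The log layout, host and process names, browser allowlist and thresholds are all constructed assumptions, and the article does not say which Sheets endpoint the group used.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry: time, host, process, destination, method.
SAMPLE_LOG = """\
2026-02-20T10:00:00,ws-014,chrome.exe,sheets.googleapis.com,GET
2026-02-20T10:00:07,ws-014,chrome.exe,docs.google.com,GET
2026-02-20T10:03:41,ws-014,chrome.exe,sheets.googleapis.com,POST
2026-02-20T10:00:00,srv-db2,svchelper.exe,sheets.googleapis.com,GET
2026-02-20T10:05:01,srv-db2,svchelper.exe,sheets.googleapis.com,GET
2026-02-20T10:10:00,srv-db2,svchelper.exe,sheets.googleapis.com,POST
2026-02-20T10:15:02,srv-db2,svchelper.exe,sheets.googleapis.com,GET
2026-02-20T10:20:00,srv-db2,svchelper.exe,sheets.googleapis.com,GET
2026-02-20T11:12:00,ws-031,python.exe,sheets.googleapis.com,POST
"""

SHEETS_API = "sheets.googleapis.com"  # Google Sheets API hostname
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist


def find_sheets_beacons(log_text, min_requests=4, max_jitter=0.1):
    """Return {(host, process): mean_interval_s} for non-browser processes
    polling the Sheets API at near-constant intervals."""
    seen = defaultdict(list)
    for ts, host, proc, dest, _method in csv.reader(io.StringIO(log_text)):
        if dest == SHEETS_API and proc.lower() not in BROWSERS:
            seen[(host, proc)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue  # too few events to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means timer-driven polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    for (host, proc), interval in find_sheets_beacons(SAMPLE_LOG).items():
        print(f"{host} {proc}: Sheets API call every ~{interval}s")
```

Legitimate automation (reporting scripts, integrations) also calls this API on a schedule, so hits are leads to triage against an inventory of approved service accounts and tools, not verdicts.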

GTIG's discovery highlights the evolving nature of cyber threats and the need for organizations to stay vigilant. As hackers continue to innovate and exploit new vulnerabilities, cybersecurity experts must adapt and develop new strategies to counter these threats.

In response to the discovery, Google has taken steps to disrupt UNC2814's operations and prevent further intrusions. The company has also notified affected organizations and is working with them to remediate the compromise.

The incident raises questions about the security of cloud-based applications and the need for organizations to implement robust security measures to protect themselves against sophisticated threats. As the use of cloud-based applications becomes increasingly widespread, the risk of cyber attacks exploiting these platforms also grows.

In conclusion, the discovery of UNC2814's use of Google Sheets as a C2 channel highlights the complex and evolving nature of cyber threats. As hackers continue to innovate and exploit new vulnerabilities, organizations must remain vigilant and adapt to the changing threat landscape. By staying informed and implementing robust security measures, organizations can reduce the risk of falling victim to sophisticated cyber attacks.

AI-Synthesized Content

This article was synthesized by Fulqrum AI from 1 trusted source, combining multiple perspectives into a comprehensive summary. All source references are listed below.
