A China-linked crew found a unique formula for attacking telcos and government orgs across the Americas, Asia, and Africa in its latest round of intrusions. Google’s threat intelligence group, along with unnamed industry partners, disrupted the gang, which abused the Chocolate Factory’s own spreadsheet service as part of its attacks.
The Chocolate Factory announced the Google Threat Intelligence Group-led actions on Wednesday and said that, in partnership with other teams, it terminated all Google Cloud Projects that had been controlled by UNC2814, a group that GTIG has tracked since 2017. They also disabled all known UNC2814 infrastructure and accounts, and revoked access to the Google Sheets API calls used by the Chinese snoops for command-and-control (C2) purposes.
“As of Feb. 18, GTIG’s investigation confirmed that UNC2814 has impacted 53 victims in 42 countries across four continents, and identified suspected infections in at least 20 more countries,” the threat hunters said in the report.
They also noted that UNC2814 has no observed overlap with Salt Typhoon, another Beijing-backed group that hacked America’s major telecommunications firms and stole information belonging to nearly every American beginning as far back as 2019.
The Googlers don’t know how UNC2814 gained initial access to victims’ environments for this particular campaign, but said the suspected Chinese government goon squad historically breaks in by exploiting and compromising web servers and edge systems.
“We don’t have visibility into the specific targeting, but previous PRC-nexus espionage intrusions against telecoms have targeted individuals and organizations for surveillance efforts, particularly dissidents and activists, as well as traditional espionage targets,” GTIG tech lead Dan Perez told The Register. “The kind of access UNC2814 achieved during this campaign would likely enable this kind of operation.”
Perez declined to name the specific industry partners that GTIG worked with to take down the threat group’s infrastructure.
The security sleuths uncovered this campaign during a Mandiant investigation into suspicious activity in a customer’s environment. Specifically, a binary at /var/tmp/xapt spawned a shell running as root and then executed a command that prints the current user and group identifiers, the usual way of confirming that privilege escalation has succeeded.
Google suspects the payload was named xapt, after apt, the package-management command-line tool on Debian and Ubuntu systems, so that it would blend into the victim’s environment and pass for a legitimate tool.
The intruders also used a novel backdoor, Gridtide, that abuses legitimate Google Sheets API functionality to disguise its command-and-control (C2) traffic. Mandiant has linked Gridtide to UNC2814.
After breaking in, the spies moved laterally via SSH, performed reconnaissance, escalated privileges, and then deployed the Gridtide backdoor with the command “nohup ./xapt”, which makes the process ignore the hangup signal so it keeps running after the operator’s SSH session ends.
“Subsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address,” the threat intel team wrote. “VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018.”
The C-based backdoor uses Google Sheets as its C2 platform, can execute shell commands, and can upload and download files. In this case, the attacker deployed Gridtide on an endpoint containing personal information – likely to identify and track persons of interest – including full name, phone number, date and place of birth, voter ID and national ID numbers.
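The behaviours described above (a package-tool lookalike running out of /var/tmp, a root shell spawned by that binary, and a non-browser process calling the Google Sheets API) are all things a defender can check for from a process table and a list of outbound connections. The script below is an added example of that triage, written for this page; it is not GTIG or Mandiant tooling and contains no indicators beyond what the article states. The process and connection records are constructed sample data, the list of package-tool names and the allowlist of processes expected to talk to Google APIs are assumptions to tune per fleet, and the endpoint name sheets.googleapis.com is the public Sheets API host, assumed here to be what “Google Sheets API calls” resolves to on the wire.

```python
"""Host triage for the tradecraft described in the article (added example, not
GTIG/Mandiant code). Records below are constructed sample data, not telemetry
from a real incident; the name lists are assumptions."""
from dataclasses import dataclass
import os

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # world-writable staging dirs
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")
PKG_TOOLS = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm"}  # names worth imitating (assumed)
SHELLS = {"sh", "bash", "dash", "zsh"}
SHEETS_API_HOST = "sheets.googleapis.com"             # public Google Sheets API endpoint
# Processes a fleet might legitimately let talk to Google APIs (assumed allowlist)
GOOGLE_API_ALLOWED = {"chrome", "chromium", "firefox", "gcloud"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    exe: str   # resolved path of the running image, e.g. from /proc/<pid>/exe


@dataclass(frozen=True)
class Conn:
    pid: int
    remote_host: str  # name seen via DNS or TLS SNI at the egress point
    remote_port: int


def mimics_pkg_tool(name: str) -> bool:
    """True for a basename that is a package tool plus one or two extra
    characters ('xapt', 'apt2'); False for the tool itself and for unrelated
    words that merely contain the substring ('laptop', 'captive')."""
    if name in PKG_TOOLS:
        return False
    return any(
        len(name) - len(tool) <= 2 and (name.startswith(tool) or name.endswith(tool))
        for tool in PKG_TOOLS
    )


def triage(procs, conns):
    """Return (pid, rule, detail) findings for the behaviours in the article."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        name = os.path.basename(p.exe)
        if p.exe.startswith(TEMP_DIRS):
            findings.append((p.pid, "exec-from-temp", p.exe))
        if mimics_pkg_tool(name) or (name in PKG_TOOLS and not p.exe.startswith(SYSTEM_BIN_DIRS)):
            findings.append((p.pid, "pkg-tool-lookalike", p.exe))
        parent = by_pid.get(p.ppid)
        if name in SHELLS and parent is not None and parent.exe.startswith(TEMP_DIRS):
            findings.append((p.pid, "shell-from-temp-binary", f"{p.user} {p.exe} <- {parent.exe}"))
    for c in conns:
        p = by_pid.get(c.pid)
        if p is None:
            continue
        if c.remote_host == SHEETS_API_HOST and os.path.basename(p.exe) not in GOOGLE_API_ALLOWED:
            findings.append((p.pid, "sheets-api-from-nonbrowser",
                             f"{p.exe} -> {c.remote_host}:{c.remote_port}"))
    return findings


# Constructed sample: a legitimate apt-get run, a user's Chrome session, and a
# lookalike in /var/tmp that spawned a root shell and talks to the Sheets API.
SAMPLE_PROCS = [
    Proc(1, 0, "root", "/usr/lib/systemd/systemd"),
    Proc(812, 1, "root", "/usr/bin/apt-get"),
    Proc(2231, 1, "root", "/var/tmp/xapt"),
    Proc(2235, 2231, "root", "/usr/bin/bash"),
    Proc(3100, 1, "alice", "/opt/google/chrome/chrome"),
]
SAMPLE_CONNS = [
    Conn(812, "deb.debian.org", 80),
    Conn(2231, "sheets.googleapis.com", 443),
    Conn(3100, "sheets.googleapis.com", 443),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"pid {pid:<5} {rule:<28} {detail}")
```

On the sample data the script flags only the /var/tmp/xapt process and the root shell it spawned; the genuine apt-get run from /usr/bin and the browser’s own Sheets API traffic pass. The host-name check is the weak point in practice: it only works where egress traffic is observed by name (DNS logs, a TLS-inspecting proxy, or SNI capture), and a backdoor that reaches the API through a legitimate allowlisted client would need a different rule.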
While Google’s responders didn’t observe any actual data theft, previous Chinese government espionage campaigns have involved stealing call data records and unencrypted SMS messages, and abusing telecoms’ legal wiretapping systems.
GTIG says it has notified all victims of this campaign, and is “actively supporting” those who have been compromised. ®