
Google Disrupts Chinese-Linked Hacking Group Targeting 53 Organizations Across 42 Countries

GeokHub


Feb. 25 (GeokHub) — Google said Wednesday it has disrupted a Chinese-linked hacking operation that breached at least 53 organizations across 42 countries, describing the campaign as a global surveillance effort spanning nearly a decade.

The threat group, tracked by Google as UNC2814 and “Gallium,” has historically targeted government bodies and telecommunications providers, according to findings shared exclusively with Reuters by the company’s Google Threat Intelligence Group.

“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,” said John Hultquist, chief analyst at the unit.

Infrastructure Disabled, Cloud Projects Terminated

Google said it worked with unnamed partners to terminate Google Cloud projects allegedly controlled by the hacking group. The company also disabled internet infrastructure and online accounts used to facilitate targeting and data theft.

Investigators found the group leveraged Google Sheets as part of its operations, a tactic designed to blend malicious traffic into legitimate network activity. Google emphasized that this did not represent a compromise of any Google product, but rather the misuse of publicly available tools to evade detection.

Charley Snyder, senior manager at the Threat Intelligence Group, said the hackers had confirmed access to 53 entities across 42 countries, with potential footholds in at least 22 additional nations at the time of disruption.

While the company declined to identify specific victims, Snyder disclosed that in one case the group deployed a backdoor known internally as “GRIDTIDE” on a system containing highly sensitive personal data, including full names, phone numbers, dates and places of birth, voter identification numbers and national ID numbers.

Surveillance and Data Monitoring Allegations

Google said the targeting pattern aligns with efforts to track selected individuals and monitor communications. Similar campaigns, it noted, have historically been used to exfiltrate call data records, intercept SMS messages and monitor individuals through telecommunications systems’ lawful intercept capabilities.

The Chinese Embassy responded to the allegations. Spokesperson Liu Pengyu said cybersecurity is a global challenge that should be addressed through dialogue and cooperation.

“China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cyber security issues to smear or slander China,” Liu said in a statement.

Separate from “Salt Typhoon” Campaign

Google clarified that the activity attributed to UNC2814 and Gallium is distinct from another high-profile Chinese-linked campaign known as “Salt Typhoon.” That separate operation, previously linked by the U.S. government to China, targeted hundreds of U.S. organizations and prominent political figures.

Cybersecurity experts say the disruption underscores the increasingly complex digital threat landscape, where state-linked actors allegedly leverage cloud infrastructure and widely used platforms to conduct covert intelligence gathering.

As geopolitical tensions remain elevated, the battle between global technology firms and sophisticated cyber actors continues to intensify.
