
Mar 02, 2026 · 5 min read

China Spent a Decade Hiding Its Spy Network Inside Google Sheets—53 Countries' Telecoms Were the Target

A China-linked hacking group called UNC2814 embedded spy commands inside ordinary spreadsheet cells to breach telecoms and governments worldwide—and operated undetected for nine years.

[Image: laptop screen showing a spreadsheet interface in a dark room, with a surveillance camera reflected in the display]

Nine Years in the Shadows

For nine years, a team of Chinese state hackers maintained silent access to telecom companies and government systems across four continents. Their secret: they weren't using dark web servers or exotic malware infrastructure. They were hiding their commands inside Google Sheets.

On February 25, 2026, Google disrupted the operation after its threat intelligence team confirmed 53 organizations breached across 42 countries—with suspected activity in over 70 nations. The hacking group, tracked as UNC2814, had been operating since at least 2017, and the scale of what they accessed should alarm anyone who relies on telecom infrastructure for private communications.

How They Turned Google Sheets Into a Spy Tool

The GRIDTIDE backdoor—the malware at the center of this campaign—worked by embedding its commands inside ordinary spreadsheet cells. A specific cell would receive commands from the attackers and send back status responses. Other cells would handle data transfers. To any network monitoring tool watching for suspicious traffic, it looked like a spreadsheet application communicating with Google's servers.

That is the point. By routing commands through a legitimate cloud service, UNC2814 made its surveillance infrastructure invisible to most security tools. Google's threat researchers noted that "the actor could easily make use of other cloud-based spreadsheet platforms in the same manner"—meaning the same technique would work with Microsoft Excel Online, Notion, or any other cloud document service.

Beyond the Google Sheets trick, the attackers used several other techniques to stay hidden. They relied on software already installed on target systems rather than dropping suspicious new tools—a technique called living off the land. They used SoftEther VPN bridges to encrypt their outbound connections. They installed persistent access through system services that survive reboots.

Who They Were Watching—and Why Telecoms

Google's researchers were direct about UNC2814's purpose: "The targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest."

The data the attackers accessed tells the story. On infected systems, GRIDTIDE was found sitting next to files containing names, phone numbers, national identification numbers, and dates and places of birth. In telecommunications networks, this kind of data doesn't just identify people—it maps their communications. Who called whom. When. From where.

For governments that operate authoritarian surveillance systems, access to a telecom's core infrastructure is a surveillance superpower. Calls can be intercepted. Messages can be read. Physical locations can be tracked in real time. UNC2814's targets were concentrated across Africa, Asia, and the Americas—regions where journalists, dissidents, and activists face some of the highest risks from state surveillance.

The Scale of What Was Compromised

Google confirmed breaches at 53 organizations in 42 countries, but that figure understates the likely impact. Investigators also identified suspected targeting in at least 20 additional nations, putting the potential scope at over 70 countries. For a single hacking group to maintain persistent access across this many organizations simultaneously requires considerable resources and coordination—the kind of operation only a state intelligence apparatus can sustain.

The campaign's longevity is the most striking detail. UNC2814 began operations in 2017. That means a decade of potential access to telecom infrastructure before discovery. Calls logged. Subscriber databases queried. Communications patterns analyzed. Google stated it did not directly observe data exfiltration during the disruption window—but given nine years of access and a backdoor specifically designed to upload files, that caveat offers limited reassurance.

What Google Did—and What It Cannot Fix

Google's response was direct: they terminated all cloud projects controlled by the attackers, disabled UNC2814's known infrastructure, and revoked the API access that made GRIDTIDE functional. The specific operation is over.

But the technique itself cannot be patched. Hiding malware commands inside legitimate cloud services—Google Sheets, OneDrive, Dropbox, GitHub—is a growing trend among sophisticated threat actors. Legitimate services are trusted by firewalls. Their traffic is encrypted by default. They rarely get blocked.

What UNC2814 demonstrated across nearly a decade is how effective this approach can be at institutional scale. Any organization that handles sensitive personal data and relies on standard network monitoring is likely blind to this class of attack.
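The two passages above describe the same detection gap from opposite sides: a backdoor that polls a spreadsheet cell for commands produces traffic that is encrypted, destined for a trusted domain, and therefore passes ordinary allow-lists, yet that traffic still has two properties a defender can see in proxy or egress logs: it comes from hosts that have no business reason to edit spreadsheets (database and core network servers), and it repeats on a fixed timer. The script below is an added illustration written for this article, not code from the article, from Google, or from any vendor. The log format, host names, server-tier naming prefixes, the watched domain list, the constructed spreadsheet IDs (`ID_A`, `ID_B`), and the thresholds are all assumptions chosen for the example; a real deployment would take them from its own asset inventory and egress logs.

```python
"""Flag beacon-like polling of cloud spreadsheet APIs from hosts that have no
business reason to use them (added example; all data below is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed egress-proxy log, one request per line:
#   <UTC timestamp> <source host> <method> <destination domain> <path> <bytes sent>
# "core-db-01" is a hypothetical server-tier host; "ws-finance-07" a hypothetical
# finance workstation whose spreadsheet use is legitimate and irregular.
SAMPLE_LOG = """\
2026-02-20T03:00:02Z core-db-01 GET sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!A1 312
2026-02-20T03:05:01Z core-db-01 GET sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!A1 312
2026-02-20T03:10:03Z core-db-01 GET sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!A1 312
2026-02-20T03:15:02Z core-db-01 PUT sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!B1 48211
2026-02-20T03:20:01Z core-db-01 GET sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!A1 312
2026-02-20T03:25:02Z core-db-01 GET sheets.googleapis.com /v4/spreadsheets/ID_A/values/Sheet1!A1 312
2026-02-20T09:12:44Z ws-finance-07 GET sheets.googleapis.com /v4/spreadsheets/ID_B/values/Q1!A1:F40 902
2026-02-20T09:31:10Z ws-finance-07 PUT sheets.googleapis.com /v4/spreadsheets/ID_B/values/Q1!G3 1440
2026-02-20T11:02:19Z ws-finance-07 GET sheets.googleapis.com /v4/spreadsheets/ID_B/values/Q1!A1:F40 910
2026-02-20T14:47:55Z ws-finance-07 GET sheets.googleapis.com /v4/spreadsheets/ID_B/values/Q1!A1:F40 905
"""

# Assumptions: which domains are cloud document APIs worth watching, and which
# host-name prefixes denote servers that should never talk to them.
WATCHED_DOMAINS = {"sheets.googleapis.com", "docs.googleapis.com", "drive.googleapis.com"}
SERVER_TIER_PREFIXES = ("core-", "db-", "cdr-")

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, method, domain, path, size = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": when, "host": host, "method": method,
                        "domain": domain, "path": path, "bytes_out": int(size)})
    return records


def interval_stats(seconds):
    """Mean gap and coefficient of variation (stdev/mean) between sorted event
    times given in seconds. A CV near 0 means a fixed timer; human activity is
    bursty and scores far higher. Returns (None, None) with fewer than 3 events."""
    times = sorted(seconds)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_suspicious(records, watched_domains=WATCHED_DOMAINS,
                    server_prefixes=SERVER_TIER_PREFIXES, max_cv=0.2, min_events=5):
    """Group requests by (host, domain) and flag pairs where the host is
    server-tier, or the polling cadence is regular enough to look machine-driven."""
    by_pair = defaultdict(list)
    for r in records:
        if r["domain"] in watched_domains:
            by_pair[(r["host"], r["domain"])].append(r)

    findings = []
    for (host, domain), recs in sorted(by_pair.items()):
        reasons = []
        if host.startswith(server_prefixes):
            reasons.append("server_tier_host")
        avg, cv = interval_stats([r["ts"].timestamp() for r in recs])
        if len(recs) >= min_events and cv is not None and cv <= max_cv:
            reasons.append("periodic_polling")
        if reasons:
            findings.append({
                "host": host, "domain": domain, "events": len(recs),
                "mean_interval_s": avg, "cv": cv,
                # Upload volume matters: a command channel reads tiny cells, while
                # exfiltration shows up as large PUT/POST bodies.
                "bytes_uploaded": sum(r["bytes_out"] for r in recs
                                      if r["method"] in ("PUT", "POST")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['domain']}: {f['events']} requests, "
              f"every {f['mean_interval_s']:.0f}s (cv={f['cv']:.3f}), "
              f"{f['bytes_uploaded']} bytes uploaded; reasons={f['reasons']}")
```

Run over the constructed log, the script flags `core-db-01` on both counts (a server-tier host polling the Sheets API every 300 seconds with almost no jitter, plus a 48 KB upload) and stays silent on the finance workstation, whose four irregular requests look like a person working in a spreadsheet. The design choice is that neither signal depends on decrypting the traffic or on the destination being untrusted: it only needs the source host, the destination domain, timestamps and request size, which an egress proxy already records. Thresholds such as the 0.2 coefficient of variation and the five-event minimum are starting points to tune against a week of a network's own baseline.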

What This Means for People in Targeted Countries

If your telecom company was among the 53 confirmed victims—or in one of the additional suspected nations—your communications metadata may have been accessible to Chinese state intelligence for years. Metadata alone—who you called, when, how often—is enough to map an entire social network, identify sources, and expose professional relationships.

For journalists, activists, lawyers, and anyone else operating in countries where this campaign was active, the practical implication is sobering: the infrastructure you relied on for private communication was potentially compromised at its core. End-to-end encrypted messaging apps like Signal protect the content of messages, but metadata—who you're talking to—flows through telecom infrastructure regardless.

Google's disruption ended one operation. UNC2814 has been active since 2017 and will adapt. The broader lesson from GRIDTIDE isn't that Google Sheets is dangerous—it's that state-sponsored surveillance operations are increasingly designed to be invisible inside the services everyone uses every day.