One of the most extensive cyber espionage operations ever discovered was carried out by a suspected Chinese state-affiliated hacking group, which silently compromised government agencies and telecom companies on four continents for almost ten years. Google has now intervened to dismantle that operation, cutting off the group's ongoing access and disclosing threat intelligence to help impacted organizations identify and respond to the intrusions.

Mandiant and Google Threat Intelligence Group (GTIG) worked together to stop a worldwide espionage campaign attributed to a threat actor tracked as UNC2814, which is assessed to be connected to the People's Republic of China (PRC). GTIG has tracked this group since 2017.

As of February 18, 2026, the investigation had confirmed 53 cases in 42 countries, with suspected infections in at least 20 additional countries in Africa, Asia, and the Americas. Based on the GRIDTIDE execution lifecycle (Source: Google Cloud), organizations should monitor outbound HTTPS connections to Google Sheets API endpoints from non-browser processes, particularly requests involving batchClear, batchUpdate, and valueRenderOption=FORMULA. Security teams should also hunt for SoftEther VPN components on Linux servers, binaries running from /var/tmp/, and systemd services in unexpected directories.
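The hunting guidance above can be turned into a simple detection pass. The following is an added example written for this article, not code published by Google, Mandiant or GTIG: it scans constructed proxy log lines for non-browser processes reaching Google Sheets API endpoints with the named markers, and checks constructed Linux host inventory records for the three host-level indicators. The log line format, the process names, the paths in the sample data and the assumption that "Google Sheets API endpoints" means the sheets.googleapis.com host are all mine, not the article's.

```python
"""Detection pass for the indicators described in the article.

Added example, not from the article or from Google/Mandiant. The log format,
sample processes, paths and the Sheets API hostname are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the Google Sheets v4 API is served from this hostname.
SHEETS_API_HOSTS = {"sheets.googleapis.com"}
# Request markers named in the article's guidance.
SUSPECT_PATH_SUFFIXES = (":batchClear", ":batchUpdate")
SUSPECT_QUERY = ("valueRenderOption", "FORMULA")
# Processes that legitimately talk to Google APIs from a workstation; anything
# else is treated as a "non-browser process" in the sense of the article.
BROWSER_PROCESSES = {"chrome", "chrome.exe", "firefox", "firefox.exe", "msedge.exe", "safari"}

# Constructed log format (an assumption, not any real product's format):
# "<timestamp> host=<name> proc=<process> url=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")


def parse_log_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sheets_api_indicators(url):
    """Return the article-named markers present in a Sheets API URL ([] if none)."""
    parts = urlsplit(url)
    if parts.hostname not in SHEETS_API_HOSTS:
        return []
    hits = []
    if parts.path.endswith(SUSPECT_PATH_SUFFIXES):
        hits.append(parts.path.rsplit(":", 1)[-1])  # "batchClear" / "batchUpdate"
    key, val = SUSPECT_QUERY
    if val in parse_qs(parts.query).get(key, []):
        hits.append(f"{key}={val}")
    return hits


def flag_sheets_api_traffic(lines):
    """Return (ts, host, proc, markers) for non-browser processes hitting the markers."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proc"].lower() in BROWSER_PROCESSES:
            continue
        markers = sheets_api_indicators(rec["url"])
        if markers:
            findings.append((rec["ts"], rec["host"], rec["proc"], markers))
    return findings


# Host side: directories where systemd units are normally installed (assumption).
EXPECTED_UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")


def flag_host_record(record):
    """Return the article's Linux host indicators matched by an inventory record.

    record = {"binaries": [running binary paths], "systemd_units": [unit file paths]}
    """
    reasons = []
    for binary in record.get("binaries", []):
        if binary.startswith("/var/tmp/"):
            reasons.append(f"binary running from /var/tmp: {binary}")
        if "softether" in binary.lower() or "vpnserver" in binary.lower():
            reasons.append(f"SoftEther VPN component: {binary}")
    for unit in record.get("systemd_units", []):
        if not unit.startswith(EXPECTED_UNIT_DIRS):
            reasons.append(f"systemd unit outside standard directories: {unit}")
    return reasons


# Constructed sample data: a browser request (benign), two non-browser requests
# carrying the markers, and an unrelated Google API call.
SAMPLE_LOGS = [
    "2026-02-18T10:00:01Z host=ws-12 proc=chrome.exe url=https://sheets.googleapis.com/v4/spreadsheets/ABC/values:batchUpdate",
    "2026-02-18T10:00:05Z host=srv-03 proc=svchost.exe url=https://sheets.googleapis.com/v4/spreadsheets/ABC/values:batchClear",
    "2026-02-18T10:00:09Z host=srv-03 proc=svchost.exe url=https://sheets.googleapis.com/v4/spreadsheets/ABC/values/Sheet1!A1:B2?valueRenderOption=FORMULA",
    "2026-02-18T10:00:12Z host=srv-07 proc=curl url=https://www.googleapis.com/oauth2/v4/token",
]

SAMPLE_HOST = {  # constructed record resembling the article's Linux indicators
    "binaries": ["/usr/sbin/sshd", "/var/tmp/.cache/vpnserver"],
    "systemd_units": ["/etc/systemd/system/sshd.service", "/var/tmp/.cache/vpn.service"],
}

if __name__ == "__main__":
    for finding in flag_sheets_api_traffic(SAMPLE_LOGS):
        print("network:", finding)
    for reason in flag_host_record(SAMPLE_HOST):
        print("host:", reason)
```

The network check deliberately keys on the process name rather than only the destination, because browser traffic to the Sheets API is expected and would otherwise drown the alert; in a real deployment the browser allow-list and the inventory schema come from your proxy and EDR products, and the YARA rule GTIG published for GRIDTIDE covers the on-disk side that this example only approximates with path heuristics.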

Organizations can determine whether they have any residual exposure from this campaign by running GTIG's published YARA rule for GRIDTIDE and comparing the released IOC list against their internal logs.