Google Sheets is perhaps my most disliked member of the Google Workplace suite. It's not that it's bad at what it does, more that it's a deathly-dull spreadsheet editor that I loathe having to stare at for more than five minutes.
But lo and indeed behold, because Google says it's caught Sheets being used in a super-exciting act of global espionage! Okay, exciting was the wrong word. Concerning, that's what I was going for.
The mechanism by which our alleged spies operated is referred to by Google as Gridtide, and is described as a "sophisticated C-based backdoor with the ability to execute arbitrary shell commands", as well as uploading and downloading files.
Gridtide is said to have been leveraging Google Sheets as "a high-availability C2 platform, treating [a] spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands."
If anyone else is thinking of poor Google Sheets being marched at gunpoint past security and into a bank vault, you're in good company.
Anyway, the over-simplified version goes as thus: A UNC2814 co-opted Google Sheet file is used to connect to a Google Service Account for API authentication, before wiping itself and allowing its attackers backdoor access via a 16-byte cryptographic key "present in a separate file on the host at the time of execution."
"Once the Sheet is prepared, the backdoor conducts host-based reconnaissance. It fingerprints the endpoint by collecting the victim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone." says Google.
"This information is then exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet."
The access can then be used to transmit shell commands and mask the transfer of data to "identify, track, and monitor persons of interest."
At least, that's what Google believes it was doing: "We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications. Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities."
"GTIG did not directly observe UNC2814 exfiltrate sensitive data during this campaign. However, historical PRC-nexus espionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise and abuse of lawful intercept systems", says Google. Okey-dokey then.
Anyway, beyond what UNC2814 did or did not get away with, according to Google it's been thoroughly disrupted—and presumably sent to bed with no dinner. Google Sheets has now entered the witness protection program, and is believed to be on the mend. Oh okay, I'll finish off with something serious, if I must. Per the conclusion of the Google blog:
"The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders.
"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint." Dun-dun-duuuuuuun!
1. Best gaming laptop: Razer Blade 16
2. Best gaming PC: HP Omen 35L
3. Best handheld gaming PC: Lenovo Legion Go S SteamOS ed.
4. Best mini PC: Minisforum AtomMan G7 PT
5. Best VR headset: Meta Quest 3
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
