Google Sheets is perhaps my most disliked member of the Google Workspace suite. It's not that it's bad at what it does, more that it's a deathly-dull spreadsheet editor that I loathe having to stare at for more than five minutes.

But lo and indeed behold, because Google says it's caught Sheets being used in a super-exciting act of global espionage! Okay, exciting was the wrong word. Concerning, that's what I was going for.

According to Google's most recent Threat Intelligence blog post, last week the Google Threat Intelligence Group (GTIG), alongside its partners, "took action to disrupt a global espionage campaign targeting telecommunications and government organisations in dozens of nations across four continents."

The threat actor, mysteriously named "UNC2814" and said by Google to be suspected of connection to the People's Republic of China, was said to be using API calls to communicate with SaaS apps and "disguise their malicious traffic as benign."

And would you believe it, the primary SaaS app in question was none other than our old friend, Google Sheets. At this point, I'd like you to imagine me ripping a Scooby Doo-style mask off a spreadsheet.

The accused. (Image credit: Google)

The mechanism by which our alleged spies operated is referred to by Google as Gridtide, and is described as a "sophisticated C-based backdoor with the ability to execute arbitrary shell commands", as well as uploading and downloading files.

Gridtide is said to have been leveraging Google Sheets as "a high-availability C2 platform, treating [a] spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands."

If anyone else is thinking of poor Google Sheets being marched at gunpoint past security and into a bank vault, you're in good company.

Anyway, the over-simplified version goes like this: a Google Sheet co-opted by UNC2814 is used to connect to a Google Service Account for API authentication, before wiping itself and allowing its attackers backdoor access via a 16-byte cryptographic key "present in a separate file on the host at the time of execution."

"Once the Sheet is prepared, the backdoor conducts host-based reconnaissance. It fingerprints the endpoint by collecting the victim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone," says Google.

"This information is then exfiltrated and stored in cell V1 of the attacker-controlled spreadsheet."

(Image credit: Google)

The access can then be used to transmit shell commands and mask the transfer of data to "identify, track, and monitor persons of interest."
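The description above gives a defender something concrete to hunt for: a server (not a person at a workstation) authenticating as a Google service account and then writing to a spreadsheet, with the fingerprint landing in cell V1. The script below is an added example written for this article, not code from Google's report or from Gridtide itself; the log format, host roles, scoring weights and threshold are all assumptions, and the sample lines are constructed. It scores each Sheets API call seen in egress-proxy logs so that a spreadsheet edit from a browser on a workstation stays quiet while the same call from a telco core node, with no browser user agent, shortly after a service-account token exchange, gets flagged.

```python
"""Added detection sketch (not from the Google report): score Google Sheets API
calls in egress-proxy logs for signs of C2-style use rather than human editing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Real Sheets API v4 values endpoint and the OAuth2 token endpoint that
# service-account (JWT bearer) exchanges hit. Everything else here is assumed.
VALUES_RE = re.compile(
    r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/]+)/values/([^?]+)"
)
TOKEN_URL = "https://oauth2.googleapis.com/token"
SUSPICIOUS_CELL = "V1"      # cell the article says the fingerprint is written to
TOKEN_WINDOW = timedelta(seconds=60)
THRESHOLD = 3               # assumed alert threshold

# Constructed proxy log lines, pipe-delimited (hypothetical format):
# timestamp | source host | host role | method | URL | user agent ("-" if none)
SAMPLE_LOGS = [
    "2024-05-01T08:01:02Z|ws-alice|workstation|GET|https://sheets.googleapis.com/v4/spreadsheets/abc123/values/A1:D20|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
    "2024-05-01T08:02:10Z|hlr-node-7|telco-core|POST|https://oauth2.googleapis.com/token|-",
    "2024-05-01T08:02:11Z|hlr-node-7|telco-core|PUT|https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1%21V1?valueInputOption=RAW|-",
    "2024-05-01T08:02:40Z|hlr-node-7|telco-core|GET|https://sheets.googleapis.com/v4/spreadsheets/abc123/values/Sheet1!A1:B5|-",
    # A human writing to V1 from a browser: notable, but not enough on its own.
    "2024-05-01T09:15:00Z|ws-bob|workstation|PUT|https://sheets.googleapis.com/v4/spreadsheets/def456/values/Sheet1!V1|Mozilla/5.0 (Macintosh) Chrome/124.0",
]


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, src, role, method, url, ua = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "role": role, "method": method, "url": url, "ua": ua,
    }


def target_cell(url):
    """Return (spreadsheet id, cell/range) for a Sheets values call, else (None, None).
    Handles URL-encoded '!' in the range and ignores the query string."""
    m = VALUES_RE.match(url)
    if not m:
        return None, None
    rng = unquote(m.group(2))
    return m.group(1), rng.split("!")[-1]


def score_events(events):
    """Score every Sheets values call; return {host: [findings over threshold]}."""
    findings = defaultdict(list)
    last_token = {}  # host -> time of its most recent service-account token exchange
    for ev in events:
        if ev["url"] == TOKEN_URL and ev["method"] == "POST":
            last_token[ev["src"]] = ev["ts"]
            continue
        sheet_id, cell = target_cell(ev["url"])
        if sheet_id is None:
            continue
        reasons = []
        if ev["role"] != "workstation":              # servers do not edit spreadsheets
            reasons.append(("server-origin", 2))
        if not ev["ua"].startswith("Mozilla/"):      # no browser behind the request
            reasons.append(("non-browser-ua", 1))
        if ev["method"] in ("PUT", "POST") and cell == SUSPICIOUS_CELL:
            reasons.append(("write-to-V1", 2))       # matches the described fingerprint drop
        tok = last_token.get(ev["src"])
        if tok is not None and ev["ts"] - tok <= TOKEN_WINDOW:
            reasons.append(("service-account-token-before-call", 1))
        score = sum(w for _, w in reasons)
        if score >= THRESHOLD:
            findings[ev["src"]].append({
                "ts": ev["ts"].isoformat(), "sheet": sheet_id, "cell": cell,
                "score": score, "reasons": [r for r, _ in reasons],
            })
    return dict(findings)


def analyze(lines):
    """Convenience wrapper: parse raw log lines and score them."""
    return score_events(parse_line(line) for line in lines)


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOGS).items():
        for hit in hits:
            print(host, hit["ts"], hit["sheet"], hit["cell"], hit["score"], hit["reasons"])
```

The weights are deliberately additive so that no single indicator convicts: ws-bob's browser write to V1 scores 2 and stays below the threshold, while hlr-node-7's write scores 6 and even its later read scores 4, because the read still comes from a core node with no browser and a fresh service-account token. In production the "role" field would come from a CMDB or asset inventory rather than the log line, and the threshold would be tuned against the baseline of legitimate Sheets API automation in the environment.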

At least, that's what Google believes it was doing: "We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications. Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities."

"GTIG did not directly observe UNC2814 exfiltrate sensitive data during this campaign. However, historical PRC-nexus espionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise and abuse of lawful intercept systems," says Google. Okey-dokey then.

(Image credit: Facepunch Studios)

Anyway, beyond what UNC2814 did or did not get away with, according to Google it's been thoroughly disrupted—and presumably sent to bed with no dinner. Google Sheets has now entered the witness protection program, and is believed to be on the mend. Oh okay, I'll finish off with something serious, if I must. Per the conclusion of the Google blog:

"The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders.

"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint." Dun-dun-duuuuuuun!