EPISODE · Feb 25, 2026 · 3 MIN

China's Google Sheets Spy Game: How Hackers Turned Spreadsheets into Secret Weapons for a Decade

from Digital Frontline: Daily China Cyber Intel · host Inception Point AI

This is your Digital Frontline: Daily China Cyber Intel podcast.

Hey listeners, Ting here on Digital Frontline, your go-to for China cyber intel. Buckle up, because the past 24 hours dropped a bombshell: Google Threat Intelligence Group and Mandiant just dismantled UNC2814, a sneaky China-linked crew that's been burrowing into telecoms and governments like digital moles for a decade. Picture this: these hackers, tracked since 2017, hit 53 orgs in 42 countries—Africa, Asia, Americas, you name it—using GRIDTIDE, a slick C-based backdoor that hijacks Google Sheets API for command-and-control. No exploits, just pure cunning: malware polls cell A1 for orders, dumps recon into V1, shuttles files via nearby cells, all masquerading as legit SaaS chatter. Google calls it "prolific and elusive," with suspected hits in 20 more nations, eyeing personally identifiable info for spying on dissidents and VIPs. Think call records, SMS intercepts—classic espionage to track persons of interest. And get this, Singapore confirmed all four major telcos got popped in a coordinated blitz, per Xage's February roundup.

Targeted sectors? Telecoms and governments are ground zero, but it's rippling to critical infrastructure. Poland's wind farms and solar grids got owned last December via default creds—no MFA, exposed interfaces—and CISA's yelling at U.S. energy ops to lock it down.

Meanwhile, OpenAI's fresh report exposes a Chinese law enforcement account feeding ChatGPT "cyber special operations" reports, plotting harassment against critics worldwide, even a propaganda hit on Japan's Sanae Takaichi. Hundreds of staff, thousands of fake accounts flooding platforms with bogus complaints, forging docs, impersonating U.S. officials. Another cluster from mainland China, using Simplified Chinese prompts, drafted phishing emails from fake Hong Kong firm Nimbus Hub Consulting, luring U.S. state officials and finance wonks to WhatsApp or Zoom for "consults"—and one even begged for FaceFusion deepfake install guides.

Expert take? Google warns UNC2814's decade-long grind means they'll claw back fast; they already disrupted by nuking Cloud projects, sinkholing domains, and notifying victims. Mandiant spotted GRIDTIDE first, confirming no Salt Typhoon overlap—different TTPs, same espionage vibe. OpenAI notes threat actors mix ChatGPT with local AIs like DeepSeek for influence ops, not full hacks yet, but it's amplifying scams and recon.

For you businesses and orgs: Patch edge servers yesterday—UNC2814 loves 'em. Enforce MFA everywhere, segment IT/OT, ditch defaults, monitor SaaS APIs for weird Sheets traffic. Scan for GRIDTIDE IOCs Google released, hunt PII exfil, and lock AI agent auth—think OpenClaw flaws or rogue Chrome extensions. Telecoms, audit lawful intercept; energy, harden remote sites.

Stay vigilant, listeners—China's playbook is living-off-the-land stealth. Thanks for tuning in—subscribe for daily drops!

This has been a Quiet Please production, for more check out quie

This content was created in partnership and with the help of Artificial Intelligence AI.

