EPISODE · Feb 25, 2026 · 4 MIN

Google Sheets Espionage: How Chinese Hackers Turned Your Spreadsheets Into Spy Tools

from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.

Hey listeners, Ting here with your Digital Dragon Watch weekly rundown, and let me tell you, this week has been absolutely wild in the China cyber sphere.

So picture this: Google's Threat Intelligence Group and Mandiant just dropped a bombshell on Wednesday. They've been tracking a sophisticated Chinese government-linked hacker crew called UNC2814, also known as Gallium, and these folks have been running what John Hultquist, chief analyst at Google Threat Intelligence, literally called a vast surveillance apparatus used to spy on people and organizations throughout the world. We're talking 53 organizations across 42 countries compromised. This isn't some flash in the pan operation either—researchers have been tracking UNC2814 since 2017, and Google's analysis suggests nearly a decade of concentrated effort.

Here's where it gets clever. Instead of using fancy zero-day exploits, these hackers weaponized Google Sheets. Yeah, you read that right. They created backdoor malware called GRIDTIDE that looked for commands in cell A1 and overwrote the data with status reports. It's like hiding a dead drop in plain sight at the coffee shop. The malware pulled host reconnaissance, user information, and network details, then stashed everything in cell V1 of attacker-controlled spreadsheets. According to Google's report, the hackers targeted personal identifiers including full names, phone numbers, birth dates, birthplaces, voter IDs, and national identification numbers. This data suggests classic espionage tradecraft—identifying and tracking specific individuals across telecommunications networks.

The telecommunications sector got hammered particularly hard. Singapore confirmed that Chinese-linked threat actors compromised all four major telecom providers in a coordinated campaign. These aren't random attacks; they're precisely calibrated intelligence operations. Similar campaigns have exfiltrated call data records, monitored SMS messages, and even accessed lawful intercept capabilities that telcos normally reserve for law enforcement.

But here's the kicker—Google and partners didn't just wring their hands. They went on offense. Google terminated all cloud projects controlled by the attackers, effectively severing persistent access to compromised environments. They sinkholed the threat actor's web domains, released indicators of compromise dating back to 2023, and updated malware detections across their security ecosystem.

Meanwhile, Georgia Tech researchers are sounding alarms about something broader. They found that the threat intelligence supply chain itself is vulnerable, especially as geopolitical tensions fracture global data-sharing efforts. China's recent actions regarding foreign security software threaten what researchers describe as a foundational practice of internet cybersecurity.

The bottom line from experts? Organizations need to enforce strict identity and access contro
