
Even something as ordinary as a spreadsheet can become part of a global cyber campaign. Google says it has disrupted a wide-ranging espionage operation that used Google Sheets as a backdoor communication channel.
According to Google’s Threat Intelligence Group, working alongside its cybersecurity arm Mandiant, the activity is linked to a China-affiliated threat group known as UNC2814. The campaign reportedly leveraged the Google Sheets API to create a covert channel for collecting system information from compromised targets.
Rather than infecting victims in the traditional sense, the operation functioned as a stealthy data-gathering mechanism. The attackers used the spreadsheet infrastructure to retrieve usernames, hostnames, IP addresses, and other identifying information from targeted systems. Because the communication blended in with legitimate web traffic to Google services, detection was more difficult.
Google says the system—internally referred to as “GRIDTIDE”—has been active since 2023. Verified intrusions have been identified across 42 countries, affecting 53 confirmed targets, with additional nations suspected. The campaign reportedly focused heavily on telecommunications providers and government agencies.
The company states that it has now shut down the accounts and infrastructure used to operate the system. Affected organizations have been formally notified, and Google says the backdoor is currently inoperable based on its latest assessments.
The incident highlights how widely used cloud platforms can be repurposed as covert communication tools in advanced cyber operations. Even routine business applications like spreadsheets can serve as infrastructure for espionage when combined with API access and long-term operational planning.
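Because traffic to Google services is normal on most networks, defenders usually have to look at which process on which host is calling the Sheets API rather than at the destination alone. The following is an added example, not code from Google or Mandiant: it flags non-allowlisted processes that contact `sheets.googleapis.com` in proxy or EDR network logs. The log format, process allowlist, host names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SHEETS_API_HOST = "sheets.googleapis.com"  # Google Sheets API endpoint
# Assumption: processes expected to reach the Sheets API in this environment.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample, one event per line: "<ISO time> <host> <process> <destination>"
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-014 chrome.exe sheets.googleapis.com
2025-01-10T09:00:05 srv-db02 svchelper.exe sheets.googleapis.com
2025-01-10T09:05:05 srv-db02 svchelper.exe sheets.googleapis.com
2025-01-10T09:10:06 srv-db02 svchelper.exe sheets.googleapis.com
2025-01-10T09:15:05 srv-db02 svchelper.exe sheets.googleapis.com
2025-01-10T09:17:40 ws-022 python.exe sheets.googleapis.com
2025-01-10T09:20:00 ws-014 chrome.exe www.googleapis.com
"""

def parse(log_text):
    """Yield (timestamp, host, process, destination) from well-formed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, proc, dest = parts
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_unexpected_sheets_clients(log_text, allowed=ALLOWED_PROCESSES, min_hits=3):
    """Report (host, process) pairs outside the allowlist that call the Sheets API."""
    seen = defaultdict(list)
    for ts, host, proc, dest in parse(log_text):
        if dest == SHEETS_API_HOST and proc not in allowed:
            seen[(host, proc)].append(ts)
    findings = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Heuristic (assumption): repeated, evenly spaced calls suggest automated polling.
        polling = (len(times) >= max(min_hits, 2)
                   and max(gaps) - min(gaps) <= 0.1 * median(gaps))
        findings.append({"host": host, "process": proc, "hits": len(times),
                         "median_gap_s": median(gaps) if gaps else None,
                         "polling": polling})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_sheets_clients(SAMPLE_LOG):
        print(finding)
```

In practice the allowlist should come from a baseline of which hosts and applications legitimately use the Sheets API, since sanctioned automation will otherwise appear in the findings.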

