Hidden in Plain Sight: How Hackers Used Google Sheets to Spy on 53 Organisations — and What Every Business Must Know About Edge Security

TL;DR

  • China-linked hackers (tracked as UNC2814) ran a global espionage campaign for years using a backdoor called GRIDTIDE — which hid its commands inside Google Sheets to avoid detection [1].
  • The group breached 53 organisations across 42 countries, targeting telecoms and government bodies by exploiting edge devices — the firewalls, web servers, and VPN gateways at the border of your network [2].
  • Edge device exploitation grew 8× in a single year (Verizon 2025 DBIR), jumping from 3% to 22% of all vulnerability-based breaches — and every type of attacker, not just nation-states, is piling in [6].
  • The business lesson: your firewall and VPN appliances are now the number-one attack surface. Auditing, patching, and segmenting them is one of the highest-ROI security decisions you can make in 2026.

What Actually Happened With GRIDTIDE?

On February 26, 2026, Google's Threat Intelligence Group (GTIG), working alongside Mandiant and industry partners, announced it had disrupted a sophisticated, years-long espionage campaign run by a suspected Chinese state-linked group designated UNC2814 [1].

The campaign had been active since at least 2023 and, at the time of disruption, had confirmed intrusions in 53 organisations across 42 countries — with suspected activity in at least 20 more nations [2]. Targets included international governments and telecommunications companies across Africa, Asia, and the Americas.

The technical trick at the centre of it? A C-based backdoor malware called GRIDTIDE, which used the Google Sheets API as its command-and-control (C2) channel [3]. Instead of connecting to an obvious malware server, GRIDTIDE would authenticate to a Google Service Account, read instructions from specific spreadsheet cells (cell A1 for commands, A2 onward for data), and write stolen output back — blending perfectly with legitimate cloud traffic.

"This was a vast surveillance apparatus used to spy on people and organisations throughout the world," said John Hultquist, chief analyst at Google, following the disclosure [4].

Google terminated all attacker-controlled cloud projects, disabled UNC2814's Google Sheets API access, sinkholed infrastructure, and issued direct victim notifications. It expects the group to rebuild new infrastructure and resume operations soon.



Why This Matters to Every Business — Not Just Governments

Your business probably isn't a target of Chinese state espionage. But the techniques exposed by GRIDTIDE matter enormously to SMBs, because the exact same initial access method — exploiting unpatched edge devices — is used by ransomware gangs, opportunistic attackers, and every threat actor in between.

Google's investigation found that UNC2814's entry point was consistently the same: web servers and edge devices [1]. These are the systems sitting at the outer boundary of your network — your firewall appliance, VPN gateway, web-facing server, or router.

Here is the problem: edge devices typically have no endpoint detection software. Your laptops and servers might have EDR (Endpoint Detection and Response) tools watching for malicious behaviour. Your firewall? Probably not. It sits quietly at the border, processing traffic, and if someone plants malware on it, there is often nothing to raise the alarm.

According to the GreyNoise 2026 State of the Edge Report, which analysed 2.97 billion network sessions over 162 days, the scale of edge device targeting is staggering [5]:

  • Palo Alto GlobalProtect received 16.7 million attack sessions — more than 3.5× Cisco and Fortinet combined.
  • 52% of remote code execution attempts came from IP addresses with no prior threat history — attackers are cycling through fresh infrastructure faster than any static blocklist can track.
  • Pre-2015 CVEs (vulnerabilities over a decade old) generated 7.3 million sessions — four times more than 2023–2024 CVEs combined. Attackers are still successfully exploiting Shellshock and other ancient bugs.

The Verizon 2025 Data Breach Investigations Report confirmed the trend: edge device exploitation grew 8× in a single year, jumping from 3% to 22% of all vulnerability-based breaches [6]. And Mandiant M-Trends 2025 found that the top four most frequently exploited vulnerabilities globally were all in edge devices — Palo Alto PAN-OS, Ivanti Connect Secure, Ivanti Policy Secure, and Fortinet FortiClient EMS [7].

This is not a niche concern for enterprise IT departments. It is the fastest-growing attack surface in business computing today.



The SaaS C2 Problem: Why Your Traffic Filters Won't Save You

GRIDTIDE's technique of hiding inside Google Sheets is not unique to this campaign. It represents a broader trend security professionals call living-off-the-cloud or SaaS-based C2 — where attackers route their malware traffic through legitimate platforms your business already trusts and allows outbound.

Think about what that means in practice. Your firewall might block connections to unknown servers in foreign countries. But it almost certainly allows outbound connections to Google's servers. Once an attacker plants GRIDTIDE on a device inside your network, its command traffic looks identical to any employee opening a Google Sheet.

This technique has been observed across multiple threat actor groups in recent years. It is effective precisely because it exploits the gap between your security controls and your business operations — your staff need Google, Slack, Microsoft 365, and Dropbox to work. Blocking those services to stop C2 traffic is not practical. The answer lies elsewhere.


What Do 50,000+ CVEs in 2026 Mean for Your Patch Programme?

The Forum of Incident Response and Security Teams (FIRST) published its 2026 Vulnerability Forecast in February, predicting a median of 59,427 new CVEs this year, with realistic upper-bound scenarios reaching 100,000 [8]. This is the first year projected to exceed 50,000 published vulnerabilities.

For a small or medium business, that number is overwhelming. No team of any size can meaningfully assess and patch 59,000 vulnerabilities a year. The answer is not to try — it is to prioritise ruthlessly.

CISA's Known Exploited Vulnerabilities (KEV) catalogue does this for you. Updated regularly, it lists only the vulnerabilities that attackers are actively exploiting right now [9]. This week alone, CISA added four new entries including a Chrome zero-day (CVE-2026-2441, CVSS 8.8) and a decade-old Zimbra SSRF vulnerability still being targeted in the wild.

The GreyNoise data adds another counterintuitive insight: old vulnerabilities outperform new ones as attack vectors [5]. Your patch programme should address the CISA KEV list first, then high-CVSS vulnerabilities in edge-facing systems — not simply the newest disclosures.


Three Practical Steps to Strengthen Your Edge Security This Week

The GRIDTIDE campaign illustrates a clear defensive gap, and the good news is that closing it is achievable. Edge security does not require enterprise-scale budgets — it requires consistent application of a small number of high-leverage controls.

Step 1: Audit every internet-facing device. Map every system with an interface exposed to the internet — firewalls, VPN gateways, remote access tools, web servers, email gateways. If you do not know what is internet-facing, you cannot protect it. Most SMBs discover forgotten devices during this exercise.

Step 2: Patch edge devices on a 14-day cycle, not a quarterly one. Edge device vulnerabilities are exploited within hours of public disclosure [7]. A quarterly patch cycle leaves a window that sophisticated attackers — and automated scanning tools — will find and use. Prioritise CISA's KEV list for immediate action and build a 14-day target for critical/high-CVSS edge vulnerabilities.

Step 3: Segment your network so edge devices are not a golden ticket. If an attacker does compromise your edge device, network segmentation limits what they can reach from there. Separate your internet-facing systems from your core business data. The damage from GRIDTIDE was contained largely because networks vary in their architecture — attackers who gained an edge device did not automatically gain access to everything inside.
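The prioritisation rule from the patch-programme section and Step 2 (KEV first, then high-CVSS findings on edge-facing systems) as a runnable routine. This is an added example, not the article's or CISA's code; the KEV field names match CISA's public JSON feed, while the entries, asset names, scores and CVE-2099-* identifiers are constructed placeholders.

```python
"""Rank scanner findings as the article recommends: CISA KEV entries first,
then high-CVSS flaws on edge-facing devices, then high-CVSS internal flaws,
then everything else.  Added example (not the article's or CISA's code);
KEV field names match CISA's public JSON feed, all entries are constructed.
"""
import json

# Constructed excerpt in the shape of the CISA KEV feed (placeholder entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleFW", "product": "Firewall OS",
     "dateAdded": "2026-02-17", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output, one row per (asset, CVE); "edge" marks devices
# with an internet-facing interface (firewalls, VPN gateways, web servers).
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2099-0001", "cvss": 7.2, "edge": True},
    {"asset": "fw-01",     "cve": "CVE-2099-0002", "cvss": 9.8, "edge": True},
    {"asset": "fw-01",     "cve": "CVE-2099-0003", "cvss": 9.1, "edge": True},
    {"asset": "hr-app-01", "cve": "CVE-2099-0004", "cvss": 9.6, "edge": False},
    {"asset": "wiki-01",   "cve": "CVE-2099-0005", "cvss": 5.3, "edge": True},
    {"asset": "file-srv",  "cve": "CVE-2099-0006", "cvss": 4.0, "edge": False},
]

HIGH_CVSS = 7.0  # CVSS v3 "High" starts at 7.0


def load_kev(kev_json: str) -> dict:
    """Index the feed by cveID so each finding becomes a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def tier(finding: dict, kev: dict) -> int:
    """Lower number = patch sooner.
    0: listed in KEV               -> immediate, whatever the CVSS score
    1: CVSS >= 7 on an edge device -> 14-day target
    2: CVSS >= 7, internal         -> normal cycle
    3: everything else
    """
    if finding["cve"] in kev:
        return 0
    if finding["cvss"] >= HIGH_CVSS:
        return 1 if finding["edge"] else 2
    return 3


def prioritise(findings: list, kev: dict) -> list:
    """Sort by tier, then KEV due date (earliest first), then CVSS (highest first)."""
    def sort_key(f):
        due = kev[f["cve"]]["dueDate"] if f["cve"] in kev else "9999-12-31"
        return (tier(f, kev), due, -f["cvss"])
    return sorted(findings, key=sort_key)


def overdue_kev(findings: list, kev: dict, today_iso: str) -> list:
    """KEV-listed CVEs on your assets whose CISA due date has passed
    (ISO-8601 dates compare correctly as plain strings)."""
    return sorted({f["cve"] for f in findings
                   if f["cve"] in kev and kev[f["cve"]]["dueDate"] < today_iso})


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in prioritise(FINDINGS, kev):
        print(f"tier {tier(f, kev)}  {f['asset']:<10} {f['cve']}  cvss {f['cvss']}")
    print("overdue KEV items:", overdue_kev(FINDINGS, kev, "2026-03-20"))
```

Note that the CVSS 5.3 flaw on the edge-facing wiki lands in the last tier while the CVSS 7.2 KEV entry on the VPN gateway lands in the first: exploitation status outranks score.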


What About Outbound Traffic Monitoring?

The GRIDTIDE case shows why monitoring only inbound traffic misses half the picture. The malware's C2 was entirely outbound — to Google's servers. Effective detection requires monitoring outbound connections for anomalies: unusual volumes, unexpected protocols, connections at odd hours, or patterns inconsistent with your normal business activity.

This does not mean blocking Google. It means understanding your baseline — what does "normal" outbound traffic look like for your business? — so deviations become visible. Modern SIEM tools and managed detection services provide this visibility without requiring your team to manually review millions of events.
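The baseline-and-deviate idea from this section and the SaaS C2 section, run over a few constructed firewall log lines. This is an added example, not the article's or any vendor's code; it implements three of the signals listed above (an edge device initiating SaaS API traffic, connections outside business hours, and a near-constant polling interval), and the log format, host names and IP addresses are constructed.

```python
"""Baseline-and-deviate checks for outbound SaaS traffic, as described above.
Added example (not the article's or any vendor's code). Three of the signals
the article lists are implemented: an unexpected source (an edge device
talking to an end-user SaaS API), connections outside business hours, and a
near-constant polling interval. Log format, hosts and IPs are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed firewall export: "timestamp,src_ip,dst_host" per outbound session.
LOG = """\
2026-03-02T09:15:03,10.0.10.21,sheets.googleapis.com
2026-03-02T09:47:44,10.0.10.21,sheets.googleapis.com
2026-03-02T10:02:10,10.0.10.22,docs.google.com
2026-03-02T11:30:08,10.0.10.21,sheets.googleapis.com
2026-03-02T02:00:00,10.0.0.1,sheets.googleapis.com
2026-03-02T02:01:00,10.0.0.1,sheets.googleapis.com
2026-03-02T02:02:00,10.0.0.1,sheets.googleapis.com
2026-03-02T02:03:00,10.0.0.1,sheets.googleapis.com
2026-03-02T14:05:12,10.0.10.22,sheets.googleapis.com
"""

# Border devices. Normally they contact vendor update/licensing hosts only,
# never end-user SaaS APIs, so any such session is worth a ticket.
EDGE_DEVICES = {"10.0.0.1": "fw-01", "10.0.0.2": "vpn-gw-01"}
SAAS_API_HOSTS = {"sheets.googleapis.com", "docs.google.com", "drive.googleapis.com"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; tune per business


def parse(log: str) -> list:
    rows = []
    for line in log.splitlines():
        ts, src, dst = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst})
    return rows


def detect(rows: list, min_sessions: int = 4, max_jitter_s: float = 5.0) -> list:
    """Return unique (rule, src_ip, dst_host) findings."""
    findings = []
    by_pair = defaultdict(list)

    def add(rule, src, dst):
        if (rule, src, dst) not in findings:
            findings.append((rule, src, dst))

    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
        if r["src"] in EDGE_DEVICES and r["dst"] in SAAS_API_HOSTS:
            add("edge-device-to-saas-api", r["src"], r["dst"])
        if r["dst"] in SAAS_API_HOSTS and r["ts"].hour not in BUSINESS_HOURS:
            add("saas-api-outside-hours", r["src"], r["dst"])

    # Humans refresh spreadsheets irregularly; an automated poller does not.
    # Flag pairs whose inter-session gaps barely vary (low standard deviation).
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_sessions:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            add("periodic-polling", src, dst)
    return findings


if __name__ == "__main__":
    for rule, src, dst in detect(parse(LOG)):
        print(f"{rule:<26} {EDGE_DEVICES.get(src, src):<12} -> {dst}")
```

The workstation at 10.0.10.21 opens the same Google host three times during the day and produces no finding; the firewall at 10.0.0.1 trips all three rules even though the destination is a host the firewall policy legitimately allows.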


FAQ

Nation-state groups like UNC2814 primarily target governments and telecommunications firms. However, the techniques they use — edge device exploitation, credential theft, LotL (living-off-the-land) attacks — are identical to what ransomware gangs use against every size of business. The methods are not exclusive to espionage. Protecting against them protects you from the vast majority of financially motivated attackers too.

No. Google Sheets is not compromised. GRIDTIDE abused Google's legitimate API — there was no flaw in Google's product. The lesson is about the principle of "abuse of trusted services," not about avoiding Google Workspace. Google acted decisively to terminate the attacker infrastructure once discovered.

Log into each device's management interface and compare the current firmware version to the vendor's latest release page. Most vendors (Palo Alto, Fortinet, Cisco, SonicWall, etc.) publish security advisories tied to firmware versions. Alternatively, a vulnerability scan run against your internet-facing IPs will identify unpatched systems. This is something lil.business includes in every security assessment.

The CISA Known Exploited Vulnerabilities catalogue is a regularly updated list of vulnerabilities that CISA has confirmed are being actively exploited by real attackers in the wild. It is publicly available at cisa.gov/known-exploited-vulnerabilities-catalog and is the single most practical prioritisation tool available to any business's patch management programme. Check it weekly.

Auditing and patching your existing edge devices costs primarily staff time — or consulting time if you do not have an in-house team. Adding network segmentation has one-time infrastructure costs that vary by complexity. Ongoing monitoring can be handled through managed detection services at a fraction of the cost of an in-house SOC. A baseline edge security engagement with lil.business starts with a discovery session to scope your actual exposure.


References

[1] Google Threat Intelligence Group and Mandiant, "Disrupting the GRIDTIDE Global Cyber Espionage Campaign," Google Cloud Blog, Feb. 26, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign

[2] The Hacker News, "Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries," The Hacker News, Feb. 26, 2026. [Online]. Available: https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html

[3] BleepingComputer, "Chinese Cyberspies Breached Dozens of Telecom Firms, Govt Agencies," BleepingComputer, Feb. 26, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/

[4] Australian Financial Review, "Google Disrupts 'Vast' Global Chinese-Linked Hacker Network," AFR, Feb. 26, 2026. [Online]. Available: https://www.afr.com/world/north-america/google-disrupts-vast-global-chinese-linked-hacker-network-20260226-p5o5ja

[5] GreyNoise Intelligence, "2026 GreyNoise State of the Edge Report: Where Attacks Concentrate, Defenses Fall Short," GreyNoise Blog, 2026. [Online]. Available: https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short

[6] Verizon Business, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[7] Mandiant, "M-Trends 2025: Special Report," Mandiant / Google Cloud, 2025. [Online]. Available: https://cloud.google.com/security/resources/m-trends

[8] E. Leverett et al., "2026 Vulnerability Forecast," Forum of Incident Response and Security Teams (FIRST), Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026

[9] CISA, "CISA Adds Four Known Exploited Vulnerabilities to Catalog," CISA Alerts, Feb. 2026. [Online]. Available: https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog

[10] SecurityWeek, "Google Disrupts Chinese Cyberespionage Campaign Targeting Telecoms, Governments," SecurityWeek, Feb. 26, 2026. [Online]. Available: https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/


Is your business's network edge audited and hardened? lilMONSTER offers edge security assessments built specifically for SMBs — practical, jargon-free, and focused on the fixes that actually move the needle. Book a free discovery session →

Hackers Hid Secret Messages Inside Google Sheets — Here's What That Means for Your Business (Explained Simply)

TL;DR

  • Hackers from China secretly broke into 53 organisations in 42 countries by hiding their control messages inside Google Sheets — tools their victims already trusted and used every day [1].
  • They got in through the "door" at the edge of networks — the firewalls and gateways that protect business systems — rather than attacking laptops or email [2].
  • These "edge" attacks grew 8× last year and are now the #1 way attackers get into businesses of all sizes [3].
  • Three things every business can do right now: audit what's internet-facing, patch those devices faster, and separate them from your core data.

Imagine Your Office Has a Security Guard at the Front Door

That security guard — your firewall or VPN — checks who is allowed in. Only approved visitors get through.

Now imagine a group of spies figured out a clever trick: instead of trying to sneak through the front door, they bribed the security guard to work for them secretly. And instead of using a radio to send instructions (which would be obvious), the guard reads their instructions from a Google spreadsheet — something completely normal that nobody would question.

That is essentially what happened with a hacking group called UNC2814. They broke into organisations' networks by compromising the "security guard" device at the edge of the network. Then they controlled it by leaving secret instructions in Google Sheets cells.

Google discovered this, shut down the attacker's cloud projects, and cut off their access. But the technique itself — hiding in trusted tools your business already uses — is something every business owner needs to understand [1].


Why Your Firewall Is the New Target

For years, attackers focused on tricking employees — phishing emails, fake links, password theft. That still happens. But there is a new favourite: attacking the devices at the edge of your network directly.

Think of your network like a building. Your employees work inside. Your firewall or VPN gateway is the reception desk and front entrance. Your internal computers are the offices.

For a long time, attackers snuck past reception by tricking an employee (getting a fake visitor badge, so to speak). Now they are finding another way: breaking reception itself — compromising the device that is supposed to be checking credentials.

Why? Because reception desks (firewalls and VPN appliances) usually have no security cameras watching them. Your laptops have antivirus. Your servers have monitoring tools. But that Fortinet or SonicWall box? It often has none of those checks. If someone plants malware on it, there is frequently nothing to raise an alarm [3].

Last year, edge device attacks grew 8× — from 3% of all breaches to 22% in a single year [3]. And the four most commonly exploited vulnerabilities in the world last year were all in edge devices — VPNs and firewalls by Palo Alto, Ivanti, and Fortinet [4].


The Hidden-in-Plain-Sight Problem

One of the sneakiest parts of the GRIDTIDE attack was where the instructions were hidden: Google Sheets.

Your firewall probably blocks connections to random servers in Russia or China. But it almost certainly allows connections to Google — because your team uses Google Workspace every day.

So the malware would quietly check a Google spreadsheet, read its instructions from a cell, do what it was told, and write the results back. From the outside, this looks identical to an employee refreshing a spreadsheet. Normal, harmless, invisible [2].

This is called "living off the cloud" — attackers using tools you already trust to hide their activity. It works not because there is anything wrong with Google Sheets, but because security systems are designed to trust it.

The lesson: you cannot rely solely on blocking "bad" connections. You also need to understand what "normal" looks like in your network, so anything unusual — even using a trusted tool in an unusual pattern — gets noticed.


What This Means for Your Business in 3 Simple Actions

You do not need an enterprise IT budget to close these gaps. Here is what actually moves the needle:

1. Write down every internet-facing device you have. Your firewall. Your VPN. Your router. Your web server. Anything with one foot on the internet and one foot in your network. If you do not have a list, make one this week. You cannot protect what you do not know exists.

2. Patch those devices more often than your other systems. Think of it like this: your front door lock should be replaced as soon as there is a known flaw in its design — not at the next quarterly maintenance. Edge device vulnerabilities are exploited within hours of becoming public [4]. Aim to patch critical edge devices within 14 days of a security update being released.

3. Keep your front entrance separate from your filing cabinets. If your firewall or VPN gateway gets compromised, you do not want attackers to then immediately have access to your customer records, financial data, or business files. Network segmentation — keeping internet-facing systems separated from your core business network — limits what an attacker can reach if they do get through reception.


What You Should Do Today

  • Check what firmware your firewall is running. Log in to its management page. Is the firmware version up to date? Your vendor's website will show the latest version and whether your current version has known security issues.
  • Check CISA's Known Exploited Vulnerabilities list. It is free, public, and tells you what vulnerabilities attackers are actually using right now. cisa.gov/known-exploited-vulnerabilities-catalog
  • Ask your IT team or provider when your edge devices were last reviewed. If the answer is "I'm not sure" or "over a year ago," that is worth addressing.

The good news: businesses that get ahead of edge security now are building a genuinely stronger foundation — one that protects not just against espionage campaigns, but against the opportunistic ransomware attacks that are far more likely to affect an SMB.


FAQ

Most attacks are not targeted. Automated scanning tools sweep the entire internet looking for any unpatched device — it does not matter whether you are a small business or a large one. If your firewall has an unpatched flaw, a scanner will find it and try to exploit it automatically, usually within hours of the flaw being made public.

No. Google Sheets itself is fine. The attackers did not hack Google — they used its API in an unexpected way to hide their commands. Google found and shut down the attacker accounts. Using Google Workspace for normal business tasks is still completely fine.

Yes, completely free and publicly available at cisa.gov. CISA (America's Cybersecurity and Infrastructure Security Agency) maintains a list of vulnerabilities that are confirmed to be actively exploited in the wild. It is updated regularly and is the most practical starting point for prioritising what to patch first.

Signs include: unexplained increases in outbound network traffic, unusually slow devices, new administrator accounts you do not recognise, or logs showing connections to unfamiliar external addresses. A proper security assessment will actively look for these indicators. Many SMBs do not know they have been compromised for weeks or months — early detection is the most cost-effective defence.

lil.business offers edge security assessments designed specifically for SMBs — no enterprise jargon, no unnecessary complexity. We identify what is internet-facing, check for known vulnerabilities, and give you a clear action plan prioritised by actual risk. It starts with a free discovery session.


References

[1] Google Threat Intelligence Group and Mandiant, "Disrupting the GRIDTIDE Global Cyber Espionage Campaign," Google Cloud Blog, Feb. 26, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign

[2] BleepingComputer, "Chinese Cyberspies Breached Dozens of Telecom Firms, Govt Agencies," BleepingComputer, Feb. 26, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/

[3] Verizon Business, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[4] Mandiant, "M-Trends 2025: Special Report," Mandiant / Google Cloud, 2025. [Online]. Available: https://cloud.google.com/security/resources/m-trends

[5] GreyNoise Intelligence, "2026 GreyNoise State of the Edge Report," GreyNoise Blog, 2026. [Online]. Available: https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short

[6] CISA, "CISA Adds Four Known Exploited Vulnerabilities to Catalog," CISA Alerts, Feb. 2026. [Online]. Available: https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog

[7] The Hacker News, "Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries," The Hacker News, Feb. 26, 2026. [Online]. Available: https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html

[8] E. Leverett et al., "2026 Vulnerability Forecast," Forum of Incident Response and Security Teams (FIRST), Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026


Want to know if your business's front door is properly locked? lil.business runs edge security assessments built for small and medium businesses — practical, jargon-free, and focused on changes that actually protect you. Getting a second set of eyes on your setup could save you months of headache. Start with a free chat →
