
Google has publicly disclosed that a China-backed hacking group exploited its cloud services to launch cyberattacks against organizations worldwide, marking a rare instance of a major technology firm openly attributing such activity. The group, known as Gallium and also tracked as UNC2814, allegedly infiltrated hundreds of organizations across 42 countries, including at least 40 in the United States.
In an official statement, Google said it disrupted the group’s operations before they could expand attacks into 22 additional countries. The company achieved this by blocking malicious projects hosted on Google Cloud and dismantling key elements of the attackers’ digital infrastructure. This proactive response, Google noted, prevented further compromise of targeted networks.
According to John Hultquist, Chief Analyst at Google’s Threat Intelligence Group, the hackers primarily targeted telecommunications companies and government agencies. Their campaign relied on a malware tool known as “Gridtide,” a backdoor program concealed within seemingly legitimate Google Sheets activity. By embedding malicious code into cloud-based workflows, the attackers were able to evade detection while extracting sensitive information.
The stolen data reportedly included names, contact details, dates and places of birth, voter identification numbers, and Social Security numbers. Such information could be used for identity theft, surveillance, or broader intelligence-gathering operations. Google’s analysis suggests that the group’s focus on telecom providers may have enabled more advanced monitoring activities, potentially including tracking phone calls, SMS messages, and in some cases, email communications.
Cybersecurity experts note that targeting telecommunications infrastructure offers strategic advantages for state-sponsored actors, as it provides insight into both government and private communications. By leveraging trusted cloud platforms to mask their operations, the attackers demonstrated a high level of technical sophistication.
Researchers also observed operational overlaps between Gallium and another China-linked threat actor known as Salt Typhoon, which has been associated with intelligence-gathering activities allegedly supported by the People’s Republic of China. While definitive attribution in cyberspace remains complex, the similarities in tactics and targeting patterns have drawn increased scrutiny from security analysts.
Google’s disclosure underscores the growing challenge faced by global technology companies in combating state-sponsored cyber threats. It also highlights the importance of continuous monitoring, rapid threat detection, and international cooperation to protect critical infrastructure from increasingly sophisticated digital espionage campaigns.