UNC2814

Also known as: UNC2814

Profile

UNC2814 is a suspected PRC-nexus cyber espionage group that has targeted telecommunications providers and government entities globally since at least 2017. The group employs the GRIDTIDE backdoor to blend malicious traffic with legitimate cloud API activity and utilizes living-off-the-land techniques, including SSH lateral movement and the creation of malicious systemd services. GTIG has confirmed 53 intrusions across 42 countries and identified suspected activity in at least 20 additional nations, with a focus on exfiltrating sensitive communications data. Google has taken significant disruption actions against UNC2814, including infrastructure takedowns and the release of IOCs to aid in detection.

Aliases · 1

UNC2814

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: UNC3524
Actor: UNC215
Actor: UNC2630
Actor: UNC2717
Group: Threat Group-1314
Actor: UNC3886

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.