
Google disrupts Chinese-linked hackers that attacked 53 groups globally

Published by Global Banking & Finance Review

Posted on February 25, 2026


Last updated: April 2, 2026



Google Halts Chinese-Linked Hacking Spree Hitting 53 Orgs in 42 Nations

By AJ Vicens

Feb 25 (Reuters) - Google disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries, the company said Wednesday.

Operation Details and Security Implications

The hacking group, tracked as UNC2814 and “Gallium,” has a nearly decade-long history of penetrating government organizations and telecommunications companies, the company said in findings shared exclusively with Reuters.

Who Was Targeted and How

“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,” John Hultquist, chief analyst with Google Threat Intelligence Group, said.

Google’s Disruption Actions

Google and unnamed partners terminated Google Cloud projects controlled by the hacking group, identified and disabled internet infrastructure it was using and disabled accounts the group used to access Google Sheets, which it used to carry out its targeting and data theft operations.


Using Google Sheets allowed the group to evade detection and blend into normal network traffic and was not a compromise of any Google product, the company added.

Charlie Snyder, senior manager of Google Threat Intelligence Group, said the group had confirmed access to 53 unnamed entities across the 42 countries, with potential access in at least 22 more countries at the time of disruption.

GRIDTIDE Backdoor and Data Access

Snyder declined to identify the compromised entities, but said in one case the group had installed a backdoor Google calls “GRIDTIDE” on a system containing full names, phone numbers, dates of birth, place of birth, voter ID and national ID numbers. 

The targeting is consistent with efforts to identify and track select targets, the company said. “Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities.”

China’s Official Response

Chinese Embassy spokesperson Liu Pengyu said in a statement that "cyber security is a common challenge faced by all countries and should be addressed through dialogue and cooperation.

"China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cyber security issues to smear or slander China."

Distinct from 'Salt Typhoon' Campaign

The activity is distinct from separate high-profile, telecommunications-focused Chinese hacking activity tracked as “Salt Typhoon,” Google said. That campaign, which the U.S. government has linked to China, targeted hundreds of U.S. organizations and prominent U.S. political figures.

(Reporting by AJ Vicens in Detroit; Editing by Stephen Coates)

Key Takeaways

  • Google disrupted a Chinese-linked group, UNC2814/Gallium, with confirmed breaches at 53 organizations across 42 countries.
  • Attackers abused Google Sheets for command-and-control to blend in with normal traffic; no Google product was compromised.
  • Google and partners terminated related Google Cloud projects, disabled attacker infrastructure and access accounts.
  • A GRIDTIDE backdoor was found on a system holding sensitive PII such as full names, phone numbers and national IDs.
  • This activity is distinct from the separate telecom-focused Salt Typhoon campaign linked to China.


Frequently Asked Questions

What is the main topic?
Google disrupted a Chinese-linked hacking group, UNC2814/Gallium, that breached 53 organizations in 42 countries. The operation disabled attacker-controlled cloud projects, infrastructure and accounts.

How did the hackers evade detection?
They leveraged Google Sheets for command-and-control, allowing malicious traffic to blend with normal enterprise activity. Google says this was not a compromise of its products.

What data was at risk and who was targeted?
Victims were unnamed global entities, including government and telecom targets. In one case, a GRIDTIDE backdoor accessed PII such as names, phone numbers, birth details and national IDs.
