China · Widely attributed · Unknown

UNC2814

Suspected China-nexus cyber espionage group tracked by Google Threat Intelligence Group since 2017. Known for targeting telecommunications and government organisations across 42 countries using the GRIDTIDE backdoor, which abuses the Google Sheets API for covert C2 communications.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High · ≥ 3 Moderate · < 3 Low
1.9
Low signal strength
Mentions: 3
Sources: 1
High conf.: 1
Last seen: May 2026
First observed
Last active
Origin: China
Aliases: 1
Techniques: 0
Campaigns: 0
Targets: Telecommunications, Government
Regions: Africa, Asia, Americas

Attribution signals

3 mentions · 1 source
#1 · observed · high
TTP match
mandiant
May 2026

"we recently observed UNC2814 use this form of expert persona prompting by directing the model to act as a senior security auditor or C/C++ binary security expert."

#2 · consistent with · moderate
Victimology · Geopolitical
mandiant
May 2026

"We assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest."

Campaign: GRIDTIDE
#3 · suspected · moderate
Geopolitical · Victimology
mandiant
May 2026

"The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017."

Campaign: GRIDTIDE

Hedge terms observed

consistent with · observed · suspected