Google Disrupts China-Tied Cyber Campaign That Hacked 42 Countries
Google Threat Intelligence Group (GTIG) said on Feb. 25 that Google and several of its cybersecurity partners had disrupted a global espionage campaign that the group confirmed had compromised targets in 42 countries and suspects had infected at least 20 more.
GTIG has tracked the group, which it designates UNC2814/Gallium, since 2017 and suspects it is Chinese.
“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,” said John Hultquist, GTIG chief analyst.
GTIG said its disruption efforts have terminated the group’s access to a backdoor, disabled its infrastructure, and revoked its accounts and access to relevant Google products.
The disruption followed the discovery of a novel backdoor used by the group, which Google tracks as Gridtide and describes as “a sophisticated C-based backdoor with the ability to execute arbitrary shell commands, upload files, and download files.”
Charley Snyder, GTIG senior manager, said the backdoor was installed on a system that had access to phone numbers, dates and places of birth, voter IDs, and national ID numbers.
The group’s recent activity has targeted telecommunication providers and government organizations, according to the report.
“This prolific scope is likely the result of a decade of concentrated effort,” the report reads.
In both the Feb. 25 report and an earlier Feb. 10 report, Google found that edge devices were being exploited, reflecting a broader trend of malicious cyber actors targeting hardware such as routers, controllers, sensors, and smart devices, which typically lack the security controls of systems at the core of a network.
Edge devices outnumber people on the planet many times over, giving attackers an enormous pool of targets, and the majority of enterprise data is now generated or processed on them.
“In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation,” the GTIG Feb. 10 report reads, noting compromises up and down the supply chain and hiring processes.