  • The Chocolate Factory announced the Google Threat Intelligence Group-led actions on Wednesday and said that, in partnership with other teams, it terminated all Google Cloud Projects that had been controlled by UNC2814, a group that GTIG has tracked since 2017. It also disabled all known UNC2814 infrastructure and accounts, and revoked access to the Google Sheets API calls used by the Chinese snoops for command-and-control (C2) purposes.
  • “As of Feb. 18, GTIG’s investigation confirmed that UNC2814 has impacted 53 victims in 42 countries across four continents, and identified suspected infections in at least 20 more countries,” the threat hunters said in the report.
  • The security sleuths uncovered this campaign during a Mandiant investigation into suspicious activity in a customer’s environment. Specifically, a binary at “/var/tmp/xapt” initiated a shell with root privileges, and then executed a command to retrieve the system’s user and group identifiers to confirm it had successfully escalated to root.
  • Google suspects the payload was named xapt, after the command-line tool in Debian and Ubuntu systems, to make it easier to hide in the victim’s environment and look like a legitimate tool.
  • The intruders also used a novel backdoor, Gridtide, that abuses legitimate Google Sheets API functionality to disguise its command-and-control (C2) traffic. Mandiant has linked Gridtide to UNC2814.
  • After breaking in, the spies moved laterally via SSH, performed reconnaissance, escalated privileges, and then deployed the Gridtide backdoor using a command, “nohup ./xapt,” that allows it to run even after the user closes the session.
  • “Subsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address,” the threat intel team wrote. “VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018.”
  • The C-based backdoor uses Google Sheets as its C2 platform, can execute shell commands, and can upload and download files. In this case, the attacker deployed Gridtide on an endpoint containing personal information - likely to identify and track persons of interest - including full name, phone number, date and place of birth, voter ID and national ID numbers.
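The execution chain in the summary above (a binary dropped in /var/tmp under a package-tool-like name, a root shell, an `id` check, then `nohup ./xapt`) is the kind of sequence a defender can hunt for in process-execution logs. The script below is an added example, not code from the Google or Mandiant report; the log format, the sample lines and the list of mimicked tool names are constructed assumptions.

```python
import os
import re

# Assumed log format: one event per line, key=value fields for ts, uid, cwd,
# exe (resolved binary path), cmd (command line) and pexe (parent's binary).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Package-tool names a dropper might imitate (list is an assumption).
LEGIT_TOOLS = ("apt", "dpkg", "yum", "dnf")
# Locations a genuine system tool would never be launched from.
UNTRUSTED_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
SHELLS = ("/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash")

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def scan(log_text):
    """Return [(ts, [tags])] for events matching the described chain."""
    hits, root_shell_seen = [], False
    for line in log_text.splitlines():
        ev = parse(line)
        exe, pexe, cmd = ev.get("exe", ""), ev.get("pexe", ""), ev.get("cmd", "")
        name, tags = os.path.basename(exe), []
        if exe.startswith(UNTRUSTED_DIRS):
            tags.append("exec-from-temp")
            if any(t in name for t in LEGIT_TOOLS):
                tags.append("name-mimics-package-tool")
        if exe in SHELLS and ev.get("uid") == "0" and pexe.startswith(UNTRUSTED_DIRS):
            tags.append("root-shell-from-temp-binary")
            root_shell_seen = True          # remember for the follow-up id check
        if name == "id" and ev.get("uid") == "0" and root_shell_seen:
            tags.append("priv-check-after-root-shell")
        if name == "nohup" and len(cmd.split()) > 1:
            # Resolve the nohup'ed target against cwd so "./xapt" is caught.
            target = os.path.normpath(os.path.join(ev.get("cwd", "/"), cmd.split()[1]))
            if target.startswith(UNTRUSTED_DIRS):
                tags.append("nohup-of-temp-binary")
        if tags:
            hits.append((ev.get("ts"), tags))
    return hits

# Constructed sample log reproducing the sequence from the summary.
SAMPLE_LOG = """\
ts=1 uid=1000 cwd=/home/ops exe=/usr/bin/apt cmd="apt list --upgradable" pexe=/bin/bash
ts=2 uid=1000 cwd=/var/tmp exe=/var/tmp/xapt cmd="./xapt" pexe=/bin/bash
ts=3 uid=0 cwd=/var/tmp exe=/bin/sh cmd="sh" pexe=/var/tmp/xapt
ts=4 uid=0 cwd=/var/tmp exe=/usr/bin/id cmd="id" pexe=/bin/sh
ts=5 uid=0 cwd=/var/tmp exe=/usr/bin/nohup cmd="nohup ./xapt" pexe=/bin/sh
"""
```

Running `scan(SAMPLE_LOG)` flags events 2 through 5 and leaves the legitimate `apt` invocation alone; in a real deployment the rules would be fed from auditd or an EDR's process telemetry instead of the constructed lines.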
  • Melusine@tarte.nuage-libre.fr
    3 months ago

    Can we do the same for NSA, CIA, FBI, ICE and all the others (and kill Palantir in the process) if spying is wrong? Or is it just that the US empire of doom is good at doing so?

    • XLE@piefed.social
      3 months ago

      What are your thoughts on the Chinese state-sponsored espionage group from this post?

      • Melusine@tarte.nuage-libre.fr
        3 months ago

        Same shit as any state-sponsored espionage; we would all be better off getting rid of them, including the CLOUD, FISA and PATRIOT acts.

        • XLE@piefed.social
          3 months ago

          Thank you for reminding me that not just China’s state-sponsored espionage is bad.

          I hope you can drop by some posts about Palantir to remind people that it’s also bad when China does surveillance too. (Since you seem pretty knowledgeable, do you have any good examples of China’s surveillance state off the top of your head?)

        • XLE@piefed.social
          3 months ago

          I saw when you said America Bad the first time too. Do you have any insights about the contents of this post?

          • Melusine@tarte.nuage-libre.fr
            3 months ago

            About the attack? Seems clever, but I am only a software engineer, no specialization in security. Also, further proof that relying on only a handful of software companies makes the whole IT world quite unreliable.

            • XLE@piefed.social
              3 months ago

              Are you impressed by the cleverness of Palantir too?

              It’s very strange you’d come into a thread with nothing to offer except Two Minutes Hate against the Bad Country, but can’t be bothered to think about what the thread is about. Nationalism is a cancer of the soul.

                • XLE@piefed.social
                  3 months ago

                  Now you’re against “state sponsored bullshit” after pretending you weren’t? Okay. I’m glad to hear you’re against China’s behavior now.

                  I don’t agree with you that Melusine is state-sponsored by China, but since you accidentally replied to me instead of him, there you go.

                  • arnitbier@sh.itjust.works
                    3 months ago

                    They were having a level headed discussion about how prevalent state sponsored spying is in GENERAL

                    Then you come in with your imply, and instigate divide bullshit (which clowns won’t look up the definitions for because they’re clowns) that sounded like an LLM threw up all over the comment section (governments use LLMs now to help to write and attack outside ideas and steer conversations. Like they did before but with AI now)

                    Posts like yours are easy to spot but hard to prove to the rest of the herd because maybe you’re just some asshat, not some actual, like, THREAT, because they don’t WANT to believe that’s how the world works. Cause they’re clown people that don’t want to know how it works and like the blissful ignorance.

                    But this is clear bs, tactical and intentional manipulation, and while it’s effective on clowns it’s not honest and it’s not effective on anyone else.

          • arnitbier@sh.itjust.works
            3 months ago

            Tagging in here cause you’re obtuse af.

            Inherently? No. It’s always a matter of why and how, what’s to gain, what’s done with it after, etc.

            Like literally everything else morality is a construct determined by every factor that makes it up, every influence, every refraction, of every effect it had over infinity

            Punching you in the face, moral? Idk, maybe. It depends I guess

            Do you understand a little better? Now stop the posturing games once you calm tf down plz

            • XLE@piefed.social
              3 months ago

              Don’t be so quick to tell off @Melusine@tarte.nuage-libre.fr for posturing! Maybe they genuinely hate all spying, including the spying committed by the CCP here.

              If they didn’t, then complaining about it would be posturing, wouldn’t it, comrade?

              Speaking of which, why don’t you tell me what you think of the state-sponsored people in this thread? I prefer on-topic discussion over virtue signaling.

              • arnitbier@sh.itjust.works
                3 months ago

                Suck my dick you clearly state sponsored lunatic 👍

                I’ll save the effort engaging with your weird… ass… or whatever tf you clown LLMs have these days