
Google Caught a Spy Ring That Hid Inside Google Sheets

Google Sheets is probably open in a tab on your computer right now. It’s boring, familiar, and completely harmless. Or so most people assume.

Turns out, China-affiliated hackers saw that same harmless familiarity and decided to build an international spy operation inside it. And it worked for years before Google caught on.

How Hackers Weaponized a Spreadsheet App

Google’s Threat Intelligence Group, working alongside the Mandiant team it acquired back in 2022, recently busted a sophisticated espionage campaign they’re calling “GRIDTIDE.”

The group behind it? A China-affiliated hacking operation known as UNC2814. These aren’t newcomers. Google estimates this group has been active for close to a decade, quietly building out capabilities and infrastructure over years.

Their chosen weapon was remarkably mundane. Instead of deploying flashy malware or ransomware, they built a backdoor using the Google Sheets API. That programming interface let them collect usernames, hostnames, IP addresses, and other sensitive system information from compromised networks. All funneled quietly through a tool millions of people use for budget spreadsheets and meeting schedules.

Telecommunications and Government Were the Main Targets


GRIDTIDE wasn’t some scattered, opportunistic attack. This was a focused, long-running espionage campaign with clear priorities.

Google’s report confirms the system has been active since 2023. During that time, it reached verified victims across 42 countries, hitting 53 specific targets. Another 20 nations are suspected as additional victims. The primary focus fell on telecommunications providers and government agencies, exactly the types of organizations sitting on the most sensitive data.

It’s worth noting what this wasn’t. Google is careful to describe GRIDTIDE as state-sponsored espionage rather than theft or sabotage in the traditional sense. No data was visibly destroyed. No ransoms were demanded. Instead, attackers quietly collected intelligence and moved on, the digital equivalent of someone reading your mail and carefully putting it back.

Google Shut It Down, But the Lesson Sticks

The good news is that GRIDTIDE appears to be inoperable now. Google has shut down the accounts used to deploy the system, dismantled the underlying domains and infrastructure, and formally notified affected victims.

Still, the scale here is striking. Google attributes the breadth of this operation to “a decade of concentrated effort,” which means this wasn’t built overnight. Patient, well-resourced attackers had years to quietly expand their reach before anyone called it out publicly.

Why Common Tools Make Surprisingly Good Attack Vectors


Here’s the part that should genuinely stick with you. The most dangerous part of GRIDTIDE wasn’t some exotic zero-day exploit. It was the decision to hide inside Google Sheets, a platform so common and so trusted that unusual API traffic doesn’t immediately raise alarms.

Security teams are wired to watch for the unfamiliar. But when data moves through a legitimate, widely used application, it blends in. That’s precisely what makes this approach so effective, and so difficult to detect early.
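What "blending in" looks like in practice, and what can still give it away, is easier to see with a concrete check. The script below is an added illustration, not code from Google's report or from the GRIDTIDE investigation: it walks a few constructed proxy log lines (the log format, host names and user agents are assumptions), separates ordinary browser use of Google Sheets from automated, regularly spaced writes to the Sheets API, and flags only the latter.

```python
"""Added example (not from the Google/Mandiant report): flag hosts that write to the
Google Sheets API from a non-browser client at a steady cadence, the kind of traffic
a browser-centric baseline lets through. The log format is an assumption."""
import re
from datetime import datetime

# Constructed proxy log lines: "<ISO time> <src-host> <user-agent> <method> <url>"
SAMPLE_LOGS = """\
2024-03-01T09:02:11Z laptop-17 Mozilla/5.0 GET https://docs.google.com/spreadsheets/d/abc/edit
2024-03-01T09:02:12Z laptop-17 Mozilla/5.0 POST https://sheets.googleapis.com/v4/spreadsheets/abc/values:batchUpdate
2024-03-01T03:00:00Z dns-core-02 python-requests/2.31 POST https://sheets.googleapis.com/v4/spreadsheets/xyz/values/Sheet1!A1:append
2024-03-01T03:10:00Z dns-core-02 python-requests/2.31 POST https://sheets.googleapis.com/v4/spreadsheets/xyz/values/Sheet1!A1:append
2024-03-01T03:20:00Z dns-core-02 python-requests/2.31 POST https://sheets.googleapis.com/v4/spreadsheets/xyz/values/Sheet1!A1:append
2024-03-01T10:15:42Z laptop-23 Mozilla/5.0 GET https://sheets.googleapis.com/v4/spreadsheets/def/values/Sheet1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")
SHEETS_API = "https://sheets.googleapis.com/v4/spreadsheets/"  # real v4 endpoint prefix

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, ua, method, url = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "ua": ua, "method": method, "url": url}

def find_suspicious_sheets_writes(log_text, min_hits=3, jitter_sec=60):
    """Group Sheets API write calls per source host and flag hosts whose client is
    not a browser and whose call spacing is regular enough to look like beaconing.
    Caveat: a client can spoof a browser user agent, so treat this as one signal."""
    per_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["url"].startswith(SHEETS_API) or rec["method"] == "GET":
            continue  # only writes (uploads) to the Sheets API are of interest here
        per_host.setdefault(rec["host"], []).append(rec)
    findings = []
    for host, recs in per_host.items():
        if len(recs) < max(min_hits, 2) or any(r["ua"].startswith("Mozilla/") for r in recs):
            continue  # too few writes, or an ordinary browser session: not flagged
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if max(gaps) - min(gaps) <= jitter_sec:  # near-constant interval between writes
            findings.append({"host": host, "writes": len(recs),
                             "interval_sec": round(sum(gaps) / len(gaps)),
                             "user_agent": recs[0]["ua"]})
    return findings
```

On the constructed sample, the two laptops' browser sessions pass untouched while the infrastructure host writing every ten minutes from a scripting client is flagged, which is the distinction a per-application baseline needs to draw.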

It’s a reminder that attackers don’t always kick in the front door. Sometimes they just walk in through the tool you left open in your browser.

The fact that Google caught this at all speaks well of how seriously the company takes threat intelligence. But the sophistication and duration of GRIDTIDE show that even everyday software can become infrastructure for state-sponsored spying when the right people are patient enough.
