Google Strengthens Global Cybersecurity After Dismantling a Vast Digital Espionage Network

On February 25, 2026, Google announced the dismantling of a vast cyberespionage operation attributed to actors linked to China, which had reportedly been active for nearly a decade, dating back to at least 2017. The information was initially released by its threat intelligence team, the Google Threat Intelligence Group, and later picked up by various international media outlets. The fact that genuine company tools such as Google Sheets were used to carry out covert and malicious activities was what particularly drew attention to the story. The operation was recognized as one of the most extensive in terms of geographic scope and duration in recent years, impacting various key sectors.

As for the sequence of events, Google detected and dismantled a cyberespionage network that had compromised at least 53 organizations in 42 countries, including government entities and telecommunications companies. The group responsible, identified as UNC2814, used malware known as GRIDTIDE that communicated with its operators via Google Sheets documents, leveraging their features as a command-and-control channel to avoid detection. This technique allowed the attackers to hide their activities within legitimate cloud service traffic. In response, Google proceeded to remove the infrastructure used by the attackers, close the involved accounts, and strengthen its detection systems, in addition to collaborating with affected organizations to mitigate the damage

The operation has been largely neutralized thanks to Google’s actions, although the incident highlights the sophistication and persistence of this type of threat. While no new activity directly linked to this campaign has been reported since its dismantling, cybersecurity experts warn that the perpetrators could adapt their methods and resurface using other platforms or similar techniques.