UNC2814
Intelligence Profile
UNC2814 is a suspected PRC-nexus cyber espionage group that has targeted telecommunications providers and government entities globally since at least 2017. The group employs the GRIDTIDE backdoor to blend malicious traffic with legitimate cloud API activity and utilizes living-off-the-land techniques, including SSH lateral movement and the creation of malicious systemd services. GTIG has confirmed 53 intrusions across 42 countries and identified suspected activity in at least 20 additional nations, with a focus on exfiltrating sensitive communications data. Google has taken significant disruption actions against UNC2814, including infrastructure takedowns and the release of IOCs to aid in detection.
Threat Analysis
UNC2814 is an advanced-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, UNC2814 likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.
Known Campaigns
UNC2814 is an espionage threat actor attributed to China.