Google disrupts decade-long Chinese-linked espionage using Google Sheets
Google says it and industry partners dismantled a decade-long campaign run by UNC2814 that used Google Sheets as a covert control channel, urging customers to audit cloud access.

Google’s Threat Analysis Group announced on Feb. 25, 2026 that it and industry partners had disrupted a decade-long espionage operation run by a group tracked as UNC2814, also known in security communities as Gallium. The campaign, which Google says it has observed since at least 2016, relied on Google Sheets as a covert command-and-control channel, allowing attackers to hide instructions inside legitimate cloud documents and maintain persistent access to compromised networks.
Google said its intervention removed infrastructure and account access the group used to manage implants, and that industry partners assisted in taking down related components. The company framed the disruption as an operational win against a state-linked threat that systematically abused mainstream collaboration tools to evade detection. Google did not release a victim list or quantify the number of infected endpoints in its public statement.
Security specialists have increasingly tracked a trend in which sophisticated actors repurpose cloud-native services as malware control channels. By piggybacking on trusted platforms such as document editors, actors can blend malicious traffic with normal user behavior, complicating network-level detection and forensic analysis. That shift raises risks for enterprises that rely on cloud collaboration as a backbone for daily operations.
The operational implications are immediate for IT and security teams. Administrators must assume that familiar cloud-hosted artifacts can be weaponized and broaden monitoring beyond traditional perimeter controls. Practical steps include auditing third-party application access, rotating service credentials, tightening OAuth consent scopes, and applying least-privilege controls to shared documents and APIs. For organizations that have delayed adopting zero-trust architectures, the Google disclosure serves as a concrete driver to accelerate those projects.
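As an added defensive example (not code from Google or from the article), the kind of OAuth-grant audit the steps above call for: it flags third-party apps that hold Sheets or Drive data scopes, weighting unknown, unverified and write-capable grants highest. Record fields follow the Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`); the sample grants and the allowlist are constructed.

```python
"""Audit OAuth grants for apps able to read or write Google Sheets/Drive data."""
from dataclasses import dataclass, field

# Scopes that expose spreadsheet/document content, which a Sheets-based
# control channel would need. Scope URIs are the real Google scopes.
DATA_SCOPES = {
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.file",
}
WRITE_SCOPES = {"https://www.googleapis.com/auth/spreadsheets",
                "https://www.googleapis.com/auth/drive"}

@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    risk: int
    reasons: list = field(default_factory=list)

def assess_grant(user: str, token: dict, allowlist: set):
    """Return a Finding for a grant touching Sheets/Drive data, else None."""
    scopes = set(token.get("scopes", []))
    if not scopes & DATA_SCOPES:
        return None
    f = Finding(user, token["clientId"], token.get("displayText", ""), 0)
    if token["clientId"] not in allowlist:
        f.risk += 3; f.reasons.append("client not on approved-app allowlist")
    if scopes & WRITE_SCOPES:
        f.risk += 2; f.reasons.append("write access to spreadsheets/drive")
    if token.get("anonymous"):           # app not registered with Google
        f.risk += 2; f.reasons.append("unverified (anonymous) client ID")
    if token.get("nativeApp"):           # installed app rather than web app
        f.risk += 1; f.reasons.append("native-app token")
    return f

def audit(grants, allowlist: set) -> list:
    """grants: iterable of (user, token) pairs; highest risk first."""
    found = (assess_grant(u, t, allowlist) for u, t in grants)
    return sorted((f for f in found if f), key=lambda f: -f.risk)

# Constructed sample data, not real tenant records.
APPROVED = {"approved-bi-tool.apps.googleusercontent.com"}
SAMPLE_GRANTS = [
    ("alice@example.com", {"clientId": "approved-bi-tool.apps.googleusercontent.com",
        "displayText": "BI Tool", "scopes": ["https://www.googleapis.com/auth/drive.readonly"]}),
    ("bob@example.com", {"clientId": "unknown-helper-123.apps.googleusercontent.com",
        "displayText": "Sheet Helper", "anonymous": True, "nativeApp": True,
        "scopes": ["https://www.googleapis.com/auth/spreadsheets",
                   "https://www.googleapis.com/auth/userinfo.email"]}),
    ("carol@example.com", {"clientId": "calendar-sync.apps.googleusercontent.com",
        "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}),
    ("dave@example.com", {"clientId": "unknown-helper-123.apps.googleusercontent.com",
        "displayText": "Sheet Helper", "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly"]}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, APPROVED):
        print(f"[risk {f.risk}] {f.user} -> {f.display_text}: {'; '.join(f.reasons) or 'approved read-only'}")
```

In a real tenant the token records come from the Directory API `tokens.list` call per user; the scoring thresholds are a starting point to tune, not a verdict.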
Market and regulatory consequences are likely to follow. Cloud providers can expect heightened scrutiny from corporate customers and regulators over how platform abuse is detected and mitigated. Insurers underwriting cyber risk will view this type of stealthy, long-running campaign as a factor driving more stringent underwriting terms and potentially higher premiums. The economic stakes are nontrivial: the average cost of a data breach was $4.45 million in 2023, underscoring how sustained access by espionage actors can translate into measurable financial damage for affected organizations.
Policymakers will face pressure to clarify responsibilities for abuse mitigation in shared cloud environments. The episode strengthens arguments for mandatory incident reporting for platform-level compromises and for closer public-private collaboration on takedowns and attribution. Attribution to state-linked groups also complicates diplomatic relations and may prompt targeted sanctions or countermeasures.
Longer term, cybersecurity defenses must adapt to an environment where legitimate productivity tools are both essential business assets and potential attack surfaces. The UNC2814 disruption highlights the need for continuous monitoring of authorized cloud activity, stronger identity controls, and persistent investment in threat hunting. For enterprises, the immediate takeaway is operational: assume that everyday collaboration documents can be adversary infrastructure and act accordingly to lock down access and visibility.

