Chinese Espionage Ran on Google for a Decade, Guess Who Wants a Medal for Turning It Off

Google hosted a PRC espionage campaign for years, and has now published a very formal report framing the “disruption” (revoking the API keys the actor was using) as a national security achievement.

The report generates false legitimacy signals. The framing positions Google as a hero against China, when the more accurate read is that Google was the unwitting (or indifferent) provider that eventually cleaned up a mess after its Mandiant team was pulled in by a customer to look at a strange binary on a CentOS server.

The surveillance of dissidents and activists through compromised telcos in over 40 countries gets a few sentences of passive-voice acknowledgment. No analysis of which populations were endangered, which governments were complicit, or what obligations Google has to all the people whose PII was being exfiltrated through Google’s own API.

The report explicitly disclaims responsibility:

This activity is not the result of a security vulnerability in Google’s products.

Doesn’t that make it even worse? There is no discussion of why Google’s infrastructure is trivially weaponized for state espionage, or of the design changes that would prevent it now and in the future.

Readers are being set up to hear about a company “taking action” against China and infer that the cloud is being protected, when the actual story is that Google infrastructure functioned uninterrupted as a conduit for a state actor’s C2 (GTIG has tracked UNC2814 since 2017, and the IOCs it released cover infrastructure active since at least 2023).

Google is the drug company that discovered its product was causing organ failure in 42 countries, eventually pulled it from the shelf, then published a press release celebrating their pharmacovigilance program. No independent review of why Google Cloud was trivially weaponizable. No mandatory disclosure of how long they knew. No liability discussion. No institutional separation between the entity that profits from cloud adoption and the entity that decided when to act.

This GRIDTIDE report operates as a legitimacy shield, a form of moderation theater that displaces the demand for the regulatory architecture that would actually constrain the problem.

Ok, ok, I know what the counter-argument will be. Let’s be honest: the technique is catalogued in MITRE ATT&CK (T1102, Web Service; the Bidirectional Communication sub-technique, T1102.002, describes exactly this pattern). It is a known, documented, years-old pattern across every major cloud provider. Every one of these services (Google Sheets, Google Drive, Dropbox, OneDrive, SharePoint) has the same design vulnerability: their APIs can’t distinguish legitimate use from espionage traffic, because the espionage is legitimate use.
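
The defender’s side of that point, as an added example that is not from the post or from Google’s report: the provider’s API genuinely cannot tell tasking from a spreadsheet sync, because at the protocol level both are valid authenticated calls. The network owner can, because it knows which of its own hosts have any business calling sheets.googleapis.com and can measure the cadence of those calls. The proxy log, the host inventory tags and the hostnames below are constructed for the example; the detection logic is a generic beacon check, not anything GTIG published.

```python
"""Behavioural detection of cloud-API C2 in proxy logs.

The destination is a legitimate, allow-listed Google API and every request
is a valid authenticated call, so reputation and domain blocking see nothing.
What the provider cannot see, the customer can: which of its own hosts is
calling, and on what cadence. A database server polling a spreadsheet API
every five minutes is the anomaly, not the API.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log (not from the report or from any real network).
# Fields: timestamp, source host, destination host, method, bytes sent.
PROXY_LOG = """\
2024-03-01T09:00:03Z db-centos-01 sheets.googleapis.com GET 1240
2024-03-01T09:00:04Z laptop-alice docs.google.com GET 880
2024-03-01T09:05:02Z db-centos-01 sheets.googleapis.com GET 1244
2024-03-01T09:06:11Z laptop-alice sheets.googleapis.com PUT 20400
2024-03-01T09:10:03Z db-centos-01 sheets.googleapis.com GET 1241
2024-03-01T09:15:01Z db-centos-01 sheets.googleapis.com PUT 5230
2024-03-01T09:15:04Z db-centos-01 sheets.googleapis.com GET 1242
2024-03-01T09:20:02Z db-centos-01 sheets.googleapis.com GET 1240
2024-03-01T09:25:03Z db-centos-01 sheets.googleapis.com GET 1243
2024-03-01T09:30:02Z db-centos-01 sheets.googleapis.com GET 1240
2024-03-01T09:33:40Z laptop-alice sheets.googleapis.com GET 3100
"""

# Assumed inventory tags (hypothetical). Interactive hosts legitimately use
# SaaS APIs all day; servers in this role have no business reason to.
INTERACTIVE_HOSTS = {"laptop-alice"}

# Cloud storage/collaboration APIs commonly repurposed as C2 channels.
CLOUD_API_HOSTS = {
    "sheets.googleapis.com", "www.googleapis.com",
    "graph.microsoft.com", "api.dropboxapi.com",
}


def parse(log: str):
    """Turn the constructed log into (datetime, src, dst, method, bytes) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, method, nbytes = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src, dst, method, int(nbytes)))
    return events


def regularity(timestamps, tolerance=0.10):
    """Share of inter-request gaps within +/-tolerance of the median gap.

    Using the median makes the check robust to the occasional extra request
    (here, a PUT uploading task results three seconds before the next poll)
    that would wreck a plain standard-deviation test. Returns (median_gap_s,
    fraction_of_regular_gaps).
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med, regular / len(gaps)


def find_suspect_channels(events, min_requests=5, min_regular=0.8):
    """Flag non-interactive hosts beaconing to a cloud API on a fixed cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, _nbytes in events:
        if dst in CLOUD_API_HOSTS and src not in INTERACTIVE_HOSTS:
            by_pair[(src, dst)].append(ts)

    suspects = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue  # too few samples to call it a beacon
        med, frac = regularity(stamps)
        if frac >= min_regular:
            suspects.append({"src": src, "dst": dst, "requests": len(stamps),
                             "median_interval_s": med, "regular_fraction": frac})
    return suspects


if __name__ == "__main__":
    for s in find_suspect_channels(parse(PROXY_LOG)):
        print(f"{s['src']} -> {s['dst']}: {s['requests']} requests, "
              f"~{s['median_interval_s']:.0f}s cadence, "
              f"{s['regular_fraction']:.0%} of gaps regular")
```

Two caveats a practitioner would add. First, an operator who jitters the poll interval defeats the cadence test but not the role test: a database server with no interactive users reaching a spreadsheet API at all is worth a ticket regardless of timing. Second, this only works where the traffic is visible; a host that resolves and reaches the API directly, without passing an inspecting proxy or logging DNS, leaves nothing to run the check against, which is exactly why the provider side of the ledger matters.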

APT29 (Russia/SVR) used Google Drive and Dropbox for C2 against European embassies. APT43 (North Korea) used Google Drive and Dropbox for staging and delivery. APT37 (North Korea) used OneDrive. APT28 (Russia/GRU) used OneDrive via the Microsoft Graph API. China-nexus groups including UNC5330 used OneDrive. The Inception Framework/Cloud Atlas used Google Drive, OneDrive, and Dropbox simultaneously. Molerats used Dropbox, Google Drive, and Facebook. Symantec reported in 2024 that the number of espionage operations using legitimate cloud services for C2 had grown significantly, identifying multiple new backdoors like GoGra, Grager, and BirdyClient all using cloud APIs.

But let’s stick to the core issue here, which is corporate disinformation.

Google is the one publishing their own hero narrative. Microsoft hasn’t published a blog post celebrating the “disruption” of APT29’s use of OneDrive. Dropbox didn’t hold a press conference about Molerats. Google is claiming credit for disrupting a problem that exists across the entire cloud industry, that Google’s own infrastructure contributed to for years, and that Google has done nothing to address at the design level.

The “disruption” was turning off specific accounts, not fixing the architectural problem that makes every cloud API a potential C2 channel. The next GRIDTIDE just needs a different spreadsheet service, as the report itself admits. Thanks for nothing, Google.

…the actor could easily make use of other cloud-based spreadsheet platforms in the same manner…
