Tracking GRIDTIDE: Operator-Level Intelligence on a PRC Telecom Espionage Campaign

VisionHeight's Pulse Telemetry captured telecom-targeting reconnaissance, uncovered undisclosed infrastructure, and flagged attacker IPs months before Google's public disclosure of UNC2814.

Author:
Nitsan Daniel
March 16, 2026

VISIONHEIGHT INVESTIGATION VH-2026-010
March 2026 · Adversary Infrastructure Research

On February 25, 2026, Google Threat Intelligence Group and Mandiant published findings on UNC2814, a suspected PRC-nexus cyber espionage group that compromised at least 53 telecommunications and government organizations across 42 countries. The group deployed a novel backdoor called GRIDTIDE that abuses the Google Sheets API for command-and-control communication, combined with SoftEther VPN Bridge for persistent encrypted access to victim environments. Google has explicitly noted that UNC2814 has no observed overlaps with the activity publicly reported as "Salt Typhoon."

Google's disclosure included 26 attacker IP addresses and over 150 C2 domains. VisionHeight independently analyzed these indicators using its Pulse Telemetry, which provides visibility into infrastructure activity patterns at scale. Our analysis uncovered telecom-targeting reconnaissance activity, three previously undisclosed infrastructure IPs, and early detection signals on multiple IOC IPs up to 13 months before public attribution.

Starting from Google's Disclosure

Google and Mandiant's report is one of the most comprehensive public disclosures of a PRC-nexus telecom espionage operation to date. It provided the community with detailed technical indicators and a coordinated disruption that included sinkholing C2 domains and notifying affected organizations.

But published IOCs describe infrastructure that has already been identified. The questions we wanted to answer were: what can we learn about how the operators behind UNC2814 prepare for their intrusions? And is there infrastructure the attacker used that nobody has published yet?

VisionHeight's Pulse Telemetry - our proprietary data layer that provides real-time observability into internet infrastructure usage - identified operator activity on the published IOCs and traced connections to previously unknown infrastructure through signals that are invisible to traditional threat intelligence sources.

Watching the Operators Prepare

The most significant finding from our analysis is direct observation of telecom-targeting reconnaissance conducted from UNC2814 infrastructure.

Operators were observed conducting extended research sessions studying Huawei core network equipment documentation, including the SPG2800 signaling gateway operation and maintenance procedures, HSS9860 Home Subscriber Server interfaces for subscriber data management, and GaussDB database administration materials. This was accompanied by use of database query tools and data encoding utilities from the same infrastructure - tooling consistent with an operator preparing to interact with telecom backend systems. During one operational session, an operator retrieved a credential from a paste-sharing service.

Separately, operators were observed conducting carrier reconnaissance targeting specific telecom providers in the Pacific Islands region, including extended browsing of carrier infrastructure details such as network identifiers and service configurations.

This activity was observed across multiple IPs over a period of several months in 2025. VisionHeight conducted a broader search across its full telemetry dataset and confirmed this pattern is unique to the UNC2814 infrastructure - no other datacenter or anonymized IPs exhibited a comparable concentration of telecom core network research.

The operators' focus was exclusively on Huawei equipment, consistent with preparation for intrusions against Huawei-equipped telecom networks. For defenders, this is targeting intelligence: observing what operators research provides early indicators of where the group may strike next.

Infrastructure Expansion

By tracking operator activity as it moved between published IOC addresses and previously unknown infrastructure, VisionHeight discovered three additional IP addresses associated with UNC2814 operations that were not included in Google's IOC list:

IP Address           Infrastructure        Country
202[.]182.115.166    Vultr (Choopa LLC)    Japan
38[.]54.112.27       LightNode             Malaysia
45[.]77.42.238       Vultr                 Singapore

The operators were observed on these IPs over a period of several months before transitioning to published IOC infrastructure, where the carrier reconnaissance and telecom documentation research continued. The hosting providers - Vultr and LightNode - are consistent with UNC2814's documented infrastructure procurement patterns across Asia-Pacific VPS providers.

VisionHeight validated that all three IPs maintained consistent service configurations during the activity windows. No IP exhibited changes that would indicate reassignment to a different customer or purpose.

Operator Validation

A separate operator was observed exclusively on published IOC IPs with zero activity outside UNC2814 infrastructure. This operator bridged two distinct SoftEther VPN server IPs from Google's IOC list. The exclusive presence on attacker infrastructure, combined with the low activity density on those IPs, provides independent corroboration that the IOC IPs are dedicated operational nodes.

Early Detection

The table below focuses on the non-VPN IPs from Google's disclosure - the C2 hosting servers and attacker-operated IPs. SoftEther VPN server IPs are shared infrastructure that can be used by multiple actors, as opposed to the dedicated IPs where C2 domains are hosted and attacker operations are conducted.

VisionHeight's automated risk scoring engine had independently flagged several of these C2 and attacker IPs as anomalous months before Google's February 25, 2026 public disclosure:

IP Address           Google Classification            VH First Flagged    Lead Time
5[.]34.176.6         Hosting malicious C2 domain      January 2025        ~13 months
195[.]123.211.70     Attacker IP                      May 2025            ~9 months
38[.]54.112.184      Attacker IP                      June 2025           ~9 months
45[.]90.59.129       Hosting malicious C2 domain      July 2025           ~7 months
149[.]28.128.128     Hosting malicious C2 domain      November 2025       ~4 months

These detections were generated automatically, without prior knowledge of UNC2814 or the GRIDTIDE campaign.

What This Means for Defenders

Google and Mandiant's GRIDTIDE disclosure represents a significant contribution to collective defense against PRC-nexus cyber espionage. VisionHeight's analysis aims to complement those findings by contributing an additional layer of operator-level and behavioral intelligence.

Published IOCs tell defenders what to block. Operator-level telemetry tells defenders what to expect next. In this case, the telecom reconnaissance activity observed on UNC2814 infrastructure reveals the group's operational preparation in detail - the specific equipment they are studying, the regions they are targeting, and the tools they are assembling. This is intelligence that can drive proactive defense before the next intrusion attempt.

UNC2814 represents one of the most prolific PRC-nexus espionage campaigns disrupted in recent years. Organizations in the telecommunications sector, particularly those operating Huawei infrastructure in the Pacific Islands and Southeast Asia, should remain vigilant for indicators of re-engagement.

The undisclosed IPs identified in this report are shared with the community as actionable intelligence for network defenders. VisionHeight welcomes collaboration with Google, Mandiant, and the broader threat intelligence community to further track and disrupt UNC2814's operations.

Indicators of Compromise

VISIONHEIGHT DISCOVERED (3)

202[.]182.115.166
38[.]54.112.27
45[.]77.42.238
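The following Python script is an added example, not VisionHeight's tooling or code from this report. It refangs the three IPs above together with the non-VPN IPs from Google's disclosure listed in the Early Detection table, records which source each indicator came from, and sweeps a handful of constructed firewall and proxy log lines for exact matches. The log lines, host names and internal addresses are invented for the example; the indicator values are the ones printed in this report.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as printed in this report, kept in defanged form. The value
# records the source so an alert can say whether the match came from
# VisionHeight's undisclosed set or from Google's published IOC list.
DEFANGED_IOCS = {
    # VisionHeight-discovered (not in Google's IOC list)
    "202[.]182.115.166": "VisionHeight: undisclosed UNC2814 infrastructure (Vultr, Japan)",
    "38[.]54.112.27": "VisionHeight: undisclosed UNC2814 infrastructure (LightNode, Malaysia)",
    "45[.]77.42.238": "VisionHeight: undisclosed UNC2814 infrastructure (Vultr, Singapore)",
    # Non-VPN IPs from Google's disclosure cited in the Early Detection table
    "5[.]34.176.6": "Google: hosting malicious C2 domain",
    "195[.]123.211.70": "Google: attacker IP",
    "38[.]54.112.184": "Google: attacker IP",
    "45[.]90.59.129": "Google: hosting malicious C2 domain",
    "149[.]28.128.128": "Google: hosting malicious C2 domain",
}


def refang(indicator: str) -> str:
    """Turn a defanged IPv4 string such as 5[.]34.176.6 back into 5.34.176.6.

    ipaddress validates the result, so a typo in an IOC list fails loudly
    instead of silently producing a watchlist entry that can never match.
    """
    candidate = indicator.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.IPv4Address(candidate))


def build_watchlist(defanged: dict) -> dict:
    """Map refanged IP -> source label."""
    return {refang(ioc): source for ioc, source in defanged.items()}


# Constructed sample log lines (not from any real environment). One line
# deliberately contains 38.54.112.2, a prefix of an indicator, to show that
# the matcher requires a whole address rather than a substring.
SAMPLE_LOGS = [
    "2025-06-03T11:20:14Z fw01 action=allow src=10.20.4.17 dst=38.54.112.27 dport=443 proto=tcp",
    "2025-06-03T11:20:15Z fw01 action=allow src=10.20.4.17 dst=142.250.72.14 dport=443 proto=tcp",
    "2025-06-04T02:07:51Z proxy02 user=svc-backup url=https://5.34.176.6/ status=200",
    "2025-06-04T02:09:03Z fw01 action=allow src=149.28.128.128 dst=10.20.4.9 dport=22 proto=tcp",
    "2025-06-04T02:09:10Z fw01 action=allow src=10.20.4.9 dst=38.54.112.2 dport=443 proto=tcp",
]

# Dotted quad that is not preceded or followed by another digit or dot, so
# 38.54.112.2 does not match inside 38.54.112.27 and vice versa.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned input
    ip: str        # refanged indicator that matched
    source: str    # provenance label from the watchlist


def scan_logs(lines, watchlist: dict) -> list:
    """Return one Hit per (line, indicator) pair where a watchlisted IP
    appears as a whole address anywhere in the line."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in watchlist:
                hits.append(Hit(line_no, ip, watchlist[ip]))
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(DEFANGED_IOCS)
    for hit in scan_logs(SAMPLE_LOGS, watchlist):
        print(f"line {hit.line_no}: {hit.ip}  <- {hit.source}")
```

Run against the constructed lines, the script reports three hits (lines 1, 3 and 4) and correctly ignores the near-miss address on line 5. Keeping the source label alongside each indicator matters in practice: a hit on one of the three VisionHeight-only IPs will not be explained by Google's published list, so the analyst handling the alert needs to know which report to go back to.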
