Key Points
For years, a hacking group linked to the Chinese government sat inside telecommunications companies across the Americas, Africa, and Asia — collecting personal data that lets an intelligence service know who someone is, where they live, and who they call. On Wednesday, Google revealed it had shut down the operation. The question for Brazil is how long the hackers had access, and what they took.
Why Telecoms Are the Target
Brazil’s major carriers — Vivo, Claro, TIM, and Oi — collectively hold the personal records of virtually every adult in the country: CPF numbers, addresses, phone records, and billing data. For a foreign intelligence service, breaching a telecom is about building a surveillance map — identifying persons of interest and monitoring their communications through the operator’s own systems, including the lawful intercept infrastructure that carriers maintain for court-ordered wiretaps.
Google’s report does not name specific Brazilian companies among the 53 confirmed victims, but identifies the Americas as one of the campaign’s target regions and confirms that the hackers sought data including national identity numbers and voter IDs — categories that map directly onto Brazil’s CPF and título de eleitor.
Hidden Inside Google Sheets
The group, tracked as UNC2814, used a backdoor called GRIDTIDE that disguised its communications as ordinary cloud traffic by routing commands through the Google Sheets API. The malware checked a spreadsheet cell for instructions, executed them, and wrote results back — making its activity nearly invisible to standard monitoring. Google said the campaign is separate from Salt Typhoon, which penetrated major U.S. telecoms, but the two share a common logic: getting inside the infrastructure that carries a country’s communications.
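For defenders, the read-a-cell, write-a-result pattern described above can be hunted in egress logs. The following is an added example, not code from Google's report or from this article: it assumes a TLS-inspecting proxy or endpoint log that records host, process, method, and URL, and the host names, process names, sheet IDs, allowlist, and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: (host, process) pairs with a known business reason to call the Sheets API.
APPROVED = {("report-srv02", "python3")}
# Cell reads and writes in the Sheets API go through /v4/spreadsheets/<id>/values...
VALUES_URL = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/:]+)/values")

# Constructed sample records (time,host,process,method,url); not real telemetry.
BASE = "https://sheets.googleapis.com/v4/spreadsheets/"
SAMPLE_LOG = "\n".join([
    f"2025-01-10T02:00:00Z,billing-db01,unknown-daemon,GET,{BASE}SHEET_A/values/A1",
    f"2025-01-10T02:05:00Z,billing-db01,unknown-daemon,GET,{BASE}SHEET_A/values/A1",
    f"2025-01-10T02:10:00Z,billing-db01,unknown-daemon,GET,{BASE}SHEET_A/values/A1",
    f"2025-01-10T02:10:04Z,billing-db01,unknown-daemon,PUT,{BASE}SHEET_A/values/B1",
    f"2025-01-10T03:00:00Z,report-srv02,python3,GET,{BASE}SHEET_B/values/A1:D9",
    f"2025-01-10T03:00:02Z,report-srv02,python3,GET,{BASE}SHEET_B/values/A1:D9",
    f"2025-01-10T03:00:04Z,report-srv02,python3,GET,{BASE}SHEET_B/values/A1:D9",
    f"2025-01-10T03:00:06Z,report-srv02,python3,POST,{BASE}SHEET_B/values/E1:append",
    f"2025-01-10T09:30:00Z,ws-0417,curl,GET,{BASE}SHEET_C/values/A1",
    "2025-01-10T09:31:00Z,ws-0417,curl,GET,https://example.com/",
])

def find_sheets_polling(log_text, min_reads=3):
    """Return (host, process, sheet_id) tuples that repeatedly read a sheet and
    also write to it, from a process that is not on the approved list."""
    counts = defaultdict(lambda: {"read": 0, "write": 0})
    for line in log_text.splitlines():
        parts = line.strip().split(",", 4)
        if len(parts) != 5:
            continue  # skip malformed records
        _time, host, process, method, url = parts
        match = VALUES_URL.match(url)
        if not match or (host, process) in APPROVED:
            continue
        if method == "GET":
            counts[(host, process, match.group(1))]["read"] += 1
        elif method in ("PUT", "POST"):
            counts[(host, process, match.group(1))]["write"] += 1
    return sorted(key for key, c in counts.items()
                  if c["read"] >= min_reads and c["write"] >= 1)

if __name__ == "__main__":
    for hit in find_sheets_polling(SAMPLE_LOG):
        print("review:", hit)
```
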
A Familiar Vulnerability
Brazil is no stranger to telecom espionage. In 2023, Federal Police revealed that Bolsonaro’s intelligence agency had used an Israeli tool called FirstMile to track journalists, politicians, and Supreme Court justices — exploiting a vulnerability in mobile signaling protocols. Anatel opened proceedings but acknowledged the attacks bypassed operators without their knowledge.
The UNC2814 campaign operates at a different scale. Where FirstMile exploited a protocol flaw from outside, these hackers burrowed directly into telecom systems from within, planting persistent backdoors that could remain active for years. Google said the group’s VPN infrastructure dates to at least July 2018 and that many of the compromised organizations had likely been breached for years before detection.
China’s embassy rejected the findings, calling them an attempt at defamation. Google terminated the attackers’ cloud access and seized their domains but warned that the group will try to rebuild. For a country where three carriers serve most of the population and significant portions of the network run on Chinese-made equipment, the report is less a revelation than a confirmation of a risk Brazil has been slow to confront.

