Nearly a decade had passed since they began operating in the shadows. The Gallium group — tracked by Google under the designation UNC2814 — moved silently through government and corporate networks in dozens of countries, gaining access, extracting information, and refining its methods without triggering visible alarms.
In February, Reuters reported that UNC2814 had compromised at least 53 organizations in 42 countries, with a sustained focus on government entities and telecommunications companies. Analysts described the campaign as a systematic intelligence-gathering operation.
The group used common tools, including Google Sheets, to conceal its activity within normal network traffic and evade conventional detection mechanisms. In one documented case, it deployed a backdoor called GRIDTIDE on platforms containing sensitive personal information, including identity records and telecommunications data.
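The detection problem this raises for defenders is that traffic to a sanctioned SaaS domain looks legitimate on a per-request basis; what gives an automated channel away is its timing. The following is an added illustration (not code from the article or from Google's investigation) of one such check: a small Python script that parses constructed proxy log lines, groups requests by source host and destination domain, and flags pairs whose inter-request intervals are nearly constant. The log format, host addresses, thresholds and sample traffic are all assumptions made for the example; the page does not describe how the GRIDTIDE backdoor actually used Google Sheets.

```python
"""Flag periodic (beacon-like) client-to-domain traffic in proxy logs.

Assumed log format (constructed for this example, not a real proxy's):
    "YYYY-mm-dd HH:MM:SS <src_ip> <dst_domain> <bytes>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+)$")


def build_sample_logs():
    """Constructed sample: one host polls a SaaS domain every 300 s with
    at most 2 s of jitter; another host uses the same domain irregularly."""
    base = datetime(2025, 4, 1, 9, 0, 0)
    lines = []
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 0, 1]  # 12 machine-timed polls
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 sheets.googleapis.com 1432")
    gaps = [0, 40, 700, 15, 2200, 90, 5, 1300]  # 8 human-like, bursty requests
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.9 sheets.googleapis.com 5120")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, bytes) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (src, dst) pairs whose request intervals have a coefficient of
    variation at or below max_cv, i.e. a suspiciously regular cadence.

    min_events and max_cv are example thresholds, not tuned values."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, _ = rec
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()  # logs are not guaranteed to arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "period_s": round(mu),
                "cv": round(cv, 3),
                "events": len(stamps),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_logs()):
        print(f"{hit['src']} -> {hit['dst']}: ~{hit['period_s']}s period, "
              f"cv={hit['cv']}, n={hit['events']}")
```

The script reports the 10.0.0.5 host (period about 300 s, very low coefficient of variation) and stays silent on the bursty 10.0.0.9 host. In practice the same logic would run over real proxy or DNS logs, and a hit is a lead to triage rather than a verdict: legitimate sync clients also poll on fixed schedules, so an analyst would next look at request sizes, the account in use, and whether the process is an expected one.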
The response was coordinated and forceful. Google and its technology partners neutralized the group’s operational infrastructure, canceled cloud-hosted projects, and disabled the accounts used for remote access and data extraction. The company noted that the activity was consistent with previous campaigns attributed to operators linked to Beijing.
The implications of these operations extend directly to Latin America. Víctor Ruiz, founder of the SILIKN cybersecurity center in Mexico, told Diálogo that gaps in defensive capabilities and the region’s integration into global digital networks make government agencies, telecommunications systems, and strategic sectors especially attractive targets. “This incident is a reminder that the threat from sophisticated cyber actors linked to China has not disappeared. On the contrary, they maintain persistent operations aimed at sustained access to critical systems,” Ruiz said.
“This dynamic is fueled by internal polarization and limited investment in technology, which lowers the priority of cybersecurity. As a result, attackers can maintain a prolonged presence in critical systems and use those platforms to expand the scope of their operations,” he added.
Tools, methods, and the doctrine of opacity
Advanced Persistent Threat (APT) groups linked to China do not improvise. Over time, they have built a sophisticated arsenal that includes custom malware, exploitation of zero-day vulnerabilities, and proxy networks designed to conceal the true origin of intrusions. Their preferred targets are edge devices and platforms — routers, firewalls, and perimeter servers — that often operate with limited monitoring capabilities, according to Google Cloud’s Threat Intelligence Group.
“These groups do not act in isolation, but as part of sustained campaigns that exploit environments with weaker protection capabilities. In many cases, they use infrastructure in Latin American countries as an indirect access point to broader networks, particularly through government and telecommunications systems,” Ruiz said.
The strategy reflects a layered approach to penetration: exploiting the weakest links in the regional digital chain to gain access to higher-value targets. Underlying this dynamic is a legal and political framework that differentiates China’s technological ecosystem from that of many democratic countries.
Chinese laws require organizations and citizens to support national intelligence work and compel network operators to provide technical assistance to security authorities when requested. This raises concerns about state influence over technology providers and the potential exposure of sensitive information connected to critical infrastructure, Ruiz emphasized.
“At the same time, these actors have adapted their methods to infiltrate widely used platforms. They use cloud services and commercial operating systems to hide their activity within normal traffic and maintain access to information,” he added.
Technological dependency and the shadow of the Digital Silk Road
Infrastructure decisions carry consequences that extend far beyond initial costs. The adoption of technologies promoted through competitive pricing strategies or the commercial influence of Chinese suppliers introduces critical considerations for national sovereignty in Latin America, the Center for the Opening and Development of Latin America (CADAL) indicated.
When digital infrastructure is operated by companies with direct ties to the Chinese state, data protection and system integrity can no longer be assumed automatically. The presence of Huawei and ZTE in telecommunications deployments across the region has raised growing concerns regarding technological autonomy and control over sensitive data, the center notes.
These dynamics form part of the broader Digital Silk Road initiative, through which China has steadily expanded its technological footprint across developing markets. Accepting this infrastructure without fully evaluating its long-term implications risks ceding control over elements of national digital architecture — and with it, the ability to determine who can access information and under what conditions.
Strategic sectors under siege: From governments to lithium
“In many Latin American countries, cybersecurity resources are focused on common threats like cybercrime, while operations by advanced persistent threat groups linked to the Chinese Communist Party require more specialized capabilities. This imbalance leaves entire networks exposed, not just individual systems,” Ruiz explained.
Bolivia, Colombia, Ecuador, and Peru are particularly vulnerable. Budgetary constraints combined with high levels of connectivity to international networks create conditions favorable to penetration. “Intrusions can spread beyond a specific system and compromise broader networks, including strategic sectors such as telecommunications, critical infrastructure, and government processes,” Ruiz said.
Empirical evidence reinforces those concerns. In April 2025, a cybersecurity review conducted jointly with U.S. Southern Command (SOUTHCOM) identified the presence of the China-linked APT15 group in Guatemalan Foreign Ministry systems. Guatemalan authorities acknowledged the intrusion and stated that the compromise dated to 2022 rather than representing a new breach.
Google Cloud has warned that these groups focus on the sustained infiltration of essential platforms, prioritizing access to data capable of influencing decision-making processes. Beijing’s interest does not stop with governments. Growing global demand for critical minerals has also transformed Latin America’s extractive sector into a high-value target.
A report by Prensario TI Latin America notes that lithium and copper from Argentina, Chile, and Peru have become targets of cyber activity aimed at obtaining information related to concessions and strategic assets. Control over that information can shape market conditions long before negotiations begin.
Proven support: Cooperation, resilience, and the cost of ignoring the threat
The response to these challenges cannot be isolated or purely reactive. Across the hemisphere, governments and strategic partners have increasingly emphasized cooperative approaches to cybersecurity resilience, information sharing, and the protection of critical infrastructure.
Regional initiatives have become an important part of that effort. Brazil’s Cyber Guardian exercise — considered one of the largest cybersecurity exercises in Latin America — brings together military institutions, government agencies, strategic companies, universities, and international partners to simulate attacks against critical infrastructure and strengthen coordinated cyber defense capabilities.
At the same time, SOUTHCOM has expanded cooperation with partner nations through joint cybersecurity reviews, technical assistance, training initiatives, and cyber defense collaboration. In Paraguay, a late 2024 joint cybersecurity review conducted with SOUTHCOM identified the China-linked Flax Typhoon group inside Paraguayan government systems, reinforcing the importance of continuous monitoring and protection of critical networks.
Costa Rica has also strengthened cyber cooperation with regional and international partners following major ransomware attacks in recent years. Collaborative initiatives supported the development of cybersecurity infrastructure, training, and the establishment of a Cyber-Security Operations Center aimed at improving national resilience against future attacks.
The cost of inaction remains high. “Ignoring these types of threats can lead to scenarios of persistent access to critical systems, where external actors maintain long-term monitoring capabilities over sensitive information. In many cases, compromised infrastructure is not eliminated after changes in government, allowing these operations to continue on a sustained basis,” Ruiz warned.
Unilateral dependence on a single technology provider can further deepen structural vulnerabilities. “Diversifying infrastructure and strengthening our own capabilities […] becomes key to reducing vulnerabilities and limiting exposure to these types of operations,” concluded Ruiz.
Mutual trust built on transparency, interoperability, and sustained cooperation is not a luxury; it is becoming an essential component of any cybersecurity strategy that aspires to long-term resilience.
Defending Latin America’s digital autonomy requires resilience, cooperation, and openness. In the face of opaque systems and centralized control models, transparency and trusted partnerships increasingly emerge as pillars of regional stability.