
Elusive group ToddyCat refines techniques for large-scale data theft


ToddyCat, an advanced persistent threat (APT) group that targets the government and defense sectors, has been observed hoovering up stolen data “on an industrial scale” from victim organizations in the Asia-Pacific region.

Researchers from Kaspersky first published details of the elusive gang’s activities in 2022, although it is known to have been operating since December 2020.

ToddyCat is believed to be a Chinese-speaking gang, but its origins and affiliations are unclear.

In its early days, the threat group targeted a small number of organizations in Taiwan and Vietnam. It expanded the scope of its attacks, targeting numerous European and Asian organizations, when the ProxyLogon vulnerabilities in Microsoft Exchange Server were disclosed in early 2021.

ToddyCat enhanced its toolset and techniques in 2023, and carried out a prolonged campaign against government entities and telecommunications providers in several Asian countries.

In Kaspersky’s latest analysis of the group, published this week, researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova outlined the tools the gang had been observed using recently to exfiltrate vast amounts of data.

“During the observation period, we noted that this group stole data on an industrial scale,” they wrote.

“To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.”

Persistent access enables prolific pilfering

One of the hallmarks of the group’s attacks was its preference for establishing several tunnels, each using a different tool, into the infrastructure of the organizations it was targeting.

This enabled the gang to maintain access to the compromised systems even if one of the tunnels was discovered and eliminated, the researchers said.

“By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.”

The tactics ToddyCat used included creating reverse SSH tunnels to gain access to remote network services.

The gang also used SoftEther VPN, an open-source solution that enables the creation of VPN connections via a number of popular protocols.

“In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system,” the researchers said.

“To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources, and downloaded files from remote resources using the curl utility.”

On some occasions, ToddyCat accessed the remote infrastructure of its victims by tunneling to a legitimate cloud provider.

“An application running on the user’s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands,” the researchers explained.

To protect against the gang, they recommended defenders include the resources and IP addresses of cloud services that provide traffic tunneling on their firewall denylists.

“We also recommend limiting the range of tools administrators are allowed to use for accessing hosts remotely,” they added.

“Unused tools must be either forbidden or thoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information. Reusing passwords across different services poses a risk of more data becoming available to attackers.”
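One way to act on the renamed-binary observation and the tool-restriction recommendation above, shown as an added example that is not taken from Kaspersky's report or this article: compare each process's on-disk name with the original file name recorded in its version resource, and flag remote-access tools outside an allowlist. The allowlist, watchlist, and sample events (including the assumption that the renamed binary still reports `vpnserver_x64.exe` as its original name) are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumed site policy: remote-access tools administrators may use.
APPROVED_TOOLS = {"mstsc.exe"}
# Assumed watchlist of remote-access/tunneling binaries, keyed by original
# file name. vpnserver_x64.exe is the SoftEther binary named in the article.
WATCHED_TOOLS = {"mstsc.exe", "ssh.exe", "vpnserver_x64.exe"}

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# Hosts, paths and OriginalFileName values are invented for illustration.
SAMPLE_EVENTS = r"""
{"Computer":"srv01","Image":"C:\\Windows\\System32\\mstsc.exe","OriginalFileName":"mstsc.exe"}
{"Computer":"srv02","Image":"C:\\ProgramData\\svc\\winhost.exe","OriginalFileName":"vpnserver_x64.exe"}
{"Computer":"ws07","Image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","OriginalFileName":"ssh.exe"}
{"Computer":"ws09","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE"}
"""

def classify(event):
    """Return findings for one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    original = (event.get("OriginalFileName") or "").lower()
    # Prefer the name embedded in the PE version resource; fall back to the
    # on-disk name when that field is empty or absent.
    if original in WATCHED_TOOLS:
        tool = original
    elif image in WATCHED_TOOLS:
        tool = image
    else:
        return []
    findings = []
    if image != tool:
        findings.append("renamed")      # on-disk name hides the tool's identity
    if tool not in APPROVED_TOOLS:
        findings.append("unapproved")   # tool is outside the admin allowlist
    return findings

def scan(log_text):
    """Parse JSON-lines events and return (host, image, findings) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            alerts.append((event["Computer"], event["Image"], findings))
    return alerts

if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

The rename check only works while the binary's version resource is intact, so treat it as one signal alongside the allowlist check.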

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
