ToddyCat, an advanced persistent threat (APT) gang that targets the government and defence industries, has been seen collecting stolen data "on an industrial scale" from victim organisations in Asia-Pacific.
Kaspersky researchers first disclosed details regarding the elusive gang's actions in 2022, despite the fact that it has been functioning since December 2020.
ToddyCat is believed to be a Chinese-speaking gang, though its origins and ties are unknown.
Initially, the threat group targeted only certain organisations in Taiwan and Vietnam. When the ProxyLogon vulnerabilities in Microsoft Exchange Server were discovered in early 2021, it broadened the scope of its operations, now targeting multiple European and Asian organisations.
ToddyCat upgraded its tools and strategies in 2023, and launched a long-running attack against government entities and telecom providers in multiple Asian countries.
In Kaspersky's most recent review of the group, published last week, researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova explained the techniques the gang had lately been seen employing to exfiltrate massive volumes of data.
“During the observation period, we noted that this group stole data on an industrial scale,” researchers explained. “To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.”
One of the group's attacks was its predilection for creating many tunnels with various tools to gain access to the infrastructure of the organisations it targeted.
This allowed the gang to continue using the compromised systems even after one of the tunnels was identified and eliminated, according to the experts.
ToddyCat used reverse SSH tunnels to get access to remote network services. The gang also employed SoftEther VPN, an open-source tool that allows for the establishment of VPN connections using a variety of popular protocols.
“In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system,” the researchers added. “To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources, and downloaded files from remote resources using the curl utility.”
To protect against the gang, the researchers advised defenders to add the resources and IP addresses of cloud providers that allow traffic tunnelling to their firewall deny lists.
The researchers also recommended limiting the tools administrators can use to remotely access hosts.
