ToddyCat Hacker Group Employs Sophisticated Tools for Large-Scale Data Theft

The Russian hacker group known as ToddyCat has drawn significant attention for employing an array of sophisticated tools to maintain access to compromised environments and extract sensitive information. Recently, Russian cybersecurity firm Kaspersky has classified this threat actor as a data harvester conducting operations primarily against governmental organizations—some associated with defense—across the Asia-Pacific region.

Kaspersky’s analysis highlights the importance of automation in ToddyCat’s data theft strategies, emphasizing the necessity for attackers to streamline the collection process. According to cybersecurity researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova, efficiently harvesting vast volumes of data from multiple hosts is critical, leading to the adoption of diverse methods to ensure continuous access to targeted systems.

ToddyCat was first reported in June 2022, following a series of cyber attacks linked to government and military entities in Europe and Asia dating back to at least December 2020. The group is known for using a backdoor called Samurai, which grants remote access to infected systems. A more recent investigation into its methods has uncovered additional data exfiltration tools, LoFiSe and Pcexter, which upload stolen data to Microsoft OneDrive.

Among the latest tools in ToddyCat’s arsenal are various methods for tunneling and data collection, activated after the group gains access to privileged user accounts within their targets. Techniques employed include the use of a Reverse SSH tunnel, the SoftEther VPN (often masquerading as benign applications), as well as Ngrok and Krong to encrypt and redirect command-and-control traffic to specific ports on compromised systems. Other tools such as the FRP client, Cuthead—used to search for specific document types—and WAExp, which archives data from the WhatsApp web application, have also been detected in their operations.

Kaspersky's researchers note that maintaining multiple simultaneous connections from compromised endpoints to the group's infrastructure is a deliberate fallback, designed to preserve access even if one channel is discovered and cut. By spreading traffic across such diverse techniques, ToddyCat aims to obscure its activity and evade detection.

Kaspersky's experts stress that the group's use of several detection-evasion strategies raises the threat to organizations. To strengthen defenses, they recommend denylisting the IP addresses and resources of cloud services that facilitate traffic tunneling. They also advise users not to store passwords in browsers, since browser-saved credentials are easy for an attacker with access to the host to recover.
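To show what the denylisting advice looks like in practice, here is an added example (not code from the article or from Kaspersky) that runs a small detection pass over a handful of constructed proxy/firewall log lines. It flags outbound connections to a denylist of tunnelling-service domains and address ranges, flags outbound SSH from internal hosts (the shape a reverse SSH tunnel takes on the wire), and then reports hosts that hold several distinct suspicious channels open, which is the fallback pattern described above. The log format, the denylist entries, the internal address range and every address in the sample are assumptions constructed for the example, not indicators from the report.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical denylist: tunnelling/VPN service domains and address ranges.
# These values are constructed for the example; a real list comes from your own intel feeds.
TUNNEL_DOMAINS = {"ngrok-like.test", "vpn-relay.test"}
TUNNEL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, constructed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed internal range
MULTI_CHANNEL_THRESHOLD = 2  # distinct suspicious destinations from one host

# Assumed log format: "<ts> src=<ip> dst=<ip> port=<n> host=<sni-or-empty>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) host=(?P<host>\S*)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def domain_denylisted(host):
    """True if host equals, or is a subdomain of, a denylisted domain (label-wise suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)


def ip_in(addr, nets):
    """True if addr parses as an IP address and falls inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def classify(ev):
    """Return the list of reasons an event is suspicious (empty list if none)."""
    reasons = []
    if ev["host"] and domain_denylisted(ev["host"]):
        reasons.append("denylisted-domain")
    if ip_in(ev["dst"], TUNNEL_NETS):
        reasons.append("denylisted-net")
    # A reverse SSH tunnel appears as outbound SSH from an internal host to an external one.
    if ev["port"] == 22 and ip_in(ev["src"], INTERNAL_NETS) and not ip_in(ev["dst"], INTERNAL_NETS):
        reasons.append("outbound-ssh")
    return reasons


def analyze(lines):
    """Run the checks over an iterable of log lines and summarise hits and multi-channel hosts."""
    hits = []
    channels = defaultdict(set)  # src -> set of suspicious destinations
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev["src"], ev["dst"], ev["port"], reasons))
            channels[ev["src"]].add(ev["dst"])
    multi = {src: sorted(dsts) for src, dsts in channels.items()
             if len(dsts) >= MULTI_CHANNEL_THRESHOLD}
    return {"hits": hits, "multi_channel_hosts": multi}


# Constructed sample log: one host with three parallel channels, one host with a single hit.
SAMPLE_LOG = [
    "2024-04-22T10:01:02Z src=10.0.0.5 dst=203.0.113.10 port=443 host=relay.ngrok-like.test",
    "2024-04-22T10:01:09Z src=10.0.0.5 dst=198.51.100.7 port=22 host=",
    "2024-04-22T10:02:15Z src=10.0.0.5 dst=198.51.100.20 port=443 host=edge.vpn-relay.test",
    "2024-04-22T10:03:00Z src=10.0.0.8 dst=198.51.100.99 port=443 host=www.example.com",
    "2024-04-22T10:04:41Z src=10.0.0.8 dst=203.0.113.55 port=8443 host=",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, dst, port, reasons in result["hits"]:
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
    for src, dsts in result["multi_channel_hosts"].items():
        print(f"{src} holds {len(dsts)} suspicious channels: {', '.join(dsts)}")
```

The per-event checks are the cheap part; the multi-channel summary is what turns the article's observation about parallel fallback connections into something a SOC can alert on, since a single denylist hit is easy to explain away but one host talking to three unrelated tunnel endpoints in a few minutes is not.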

In conclusion, ToddyCat’s operations serve as a stark reminder of the evolving and intricate nature of cyber threats. Organizations, particularly those in sensitive sectors, must remain vigilant and adopt robust cybersecurity measures to mitigate potential risks. The practices exhibited by ToddyCat illustrate a combination of tactics that align with the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation, reinforcing the need for comprehensive strategies in threat prevention and incident response.
