Kaspersky shared research Tuesday presenting an advanced persistent threat actor — designated ToddyCat — of currently unknown origin.
Antivirus vendor Kaspersky tracked the advanced persistent threat (APT) actor’s activities back to December 2020; in the time since, ToddyCat has attacked high-profile targets across European and Asian countries including Taiwan, Vietnam, India, Russia, the United Kingdom, Iran and more. According to report author Giampaolo Dedola, a Kaspersky senior security researcher, ToddyCat’s targets include government organizations as well as military entities and contractors.
The actor’s initial activities from December 2020 to February 2021 consisted of compromising targeted Microsoft Exchange servers in Taiwan and Vietnam while utilizing “an unknown exploit that led to the creation of a well-known China Chopper web shell.” This web shell was then used for a “multi-stage infection chain.”
Dedola noted ToddyCat quickly escalated its activities from late February until early March, and exploited the now-infamous ProxyLogon vulnerability to attack more organizations across Europe and Asia. The report hypothesized that the unknown December exploit may also have been ProxyLogon.
Aspects of ToddyCat’s process changed over time, such as the actor’s expansion from solely Exchange servers to desktop attacks as well. But overall, Dedola said, ToddyCat “has continued its intense activity” since the initial escalation in March 2021.
Complete technical details of the threat actor’s process are available in Kaspersky’s report.
Though APTs are typically known for being sponsored by a nation-state of some kind, the report declined to attribute ToddyCat to one particular source. However, Dedola noted that there were parallels between ToddyCat and a number of Chinese-speaking threat groups.
“During our investigations we noticed that ToddyCat victims are related to countries and sectors usually targeted by multiple Chinese-speaking groups,” he wrote. “In fact, we observed three different high-profile organizations compromised during a similar time frame by ToddyCat and another Chinese-speaking APT group that used the FunnyDream backdoor.”
While there was overlap, Kaspersky was not confident enough to merge the two APTs together.
“Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” Dedola said. “Moreover, despite the occasional proximity in staging locations, we have no concrete evidence of the two malware families directly interacting.”
Dedola told SearchSecurity that the lack of strong evidence such as code and network overlaps between ToddyCat and other threat actors prevented a confident attribution. Additionally, he said, the attribution of any internet-based cyberattack is difficult.
“Usually, the actors behind the malware try to complicate their origin by wiping out all information that could help researchers or law enforcement agencies to identify and track them,” Dedola said. “Sometimes they even put false flags in order to point investigators in the wrong direction. Occasionally they make mistakes and leave artifacts that can hint at the language the attackers speak, but such situations are the exception rather than the rule.”
“That is why we at Kaspersky don’t speculate about attribution and can’t say with certainty what particular country is behind this or that attack.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.