Adrian Johnson
TLDR:
- ToddyCat hacker group utilizes advanced tools for industrial-scale data theft primarily targeting governmental organizations in the Asia-Pacific region.
- They employ various data exfiltration tools like LoFiSe, Pcexter, Reverse SSH tunnel, SoftEther VPN, Ngrok, TomBerBil, WAExp, etc., to harvest and steal data from compromised systems.
The ToddyCat hacker group has been identified as a threat actor that uses a wide array of advanced tools to engage in industrial-scale data theft targeting primarily governmental organizations in the Asia-Pacific region. Security researchers at Russian cybersecurity firm Kaspersky have characterized ToddyCat as relying on multiple programs to collect large volumes of data from compromised hosts. The attackers use tools like Samurai, LoFiSe, Pcexter, and a mix of tunneling data gathering software to automate the data harvesting process and maintain continuous access to the systems they target.
The group, first documented in June 2022, has been involved in cyber attacks on government and military entities in Europe and Asia since at least December 2020. ToddyCat’s tradecraft includes utilizing tools like Reverse SSH tunnel with OpenSSH, SoftEther VPN disguised as innocent files, Ngrok, Krong, FRP client, Cuthead, WAExp, and TomBerBil to extract and exfiltrate data from compromised systems. They also maintain multiple connections to the infected endpoints through different tools to ensure access even if one of the tunnels is discovered.
To protect organizations from such attacks, Kaspersky recommends adding cloud service resources and IP addresses that provide traffic tunneling to firewall denylists. Users are also advised against storing passwords in browsers to prevent attackers from gaining access to sensitive information. By staying up to date on the latest threats and security measures, organizations can better defend against sophisticated hacker groups like ToddyCat.
