Kaspersky on Tuesday published research detailing a previously undocumented advanced persistent threat actor, dubbed ToddyCat, whose origin is currently unknown.

Antivirus vendor Kaspersky has tracked the Advanced Persistent Threat (APT) actor's activities back to December 2020; since then, ToddyCat has attacked high-profile targets in European and Asian countries, including Taiwan, Vietnam, India, Russia, the UK and Iran. According to report author Giampaolo Dedola, senior security researcher at Kaspersky, ToddyCat's targets include government organizations as well as military entities and contractors.

The actor's initial activity, from December 2020 to February 2021, involved compromising selected Microsoft Exchange servers in Taiwan and Vietnam using "an unknown exploit that led to the creation of a well-known China Chopper web shell". The web shell was then used to start a "multi-step chain of infection".

Dedola noted that ToddyCat quickly ramped up its activity from late February to early March 2021, exploiting the now infamous ProxyLogon vulnerability in Exchange Server to attack more organizations in Europe and Asia. The report speculates that the unidentified exploit used in December may also have been ProxyLogon.

Some aspects of ToddyCat's operations have changed over time, such as the actor's expansion from attacking only Exchange servers to attacking desktop systems as well. But overall, Dedola said, ToddyCat "has continued intense activity" since the initial escalation in March 2021.

Full technical details of the actor's tooling and infection chain are available in Kaspersky's report.

Although APT groups are generally assumed to be sponsored by a nation-state, the report declined to attribute ToddyCat to any particular source. Dedola did, however, note parallels between ToddyCat and a number of Chinese-speaking threat groups.

“During our investigations, we have noticed that ToddyCat victims are linked to countries and industries commonly targeted by multiple Chinese-speaking groups,” he wrote. “In fact, we observed three different high-level organizations compromised over a similar period by ToddyCat and another Chinese-speaking APT group that used the FunnyDream backdoor.”

Despite the overlap in victims, Kaspersky was not confident enough to treat the two as a single APT group.

“Given the high-profile nature of all of the casualties we uncovered, it’s likely that they were of interest to multiple APT groups,” Dedola said. “Furthermore, despite the occasional proximity of the storage locations, we have no concrete evidence of the direct interaction of the two malware families.”

Dedola told SearchSecurity that the lack of strong evidence, such as code or network infrastructure overlaps between ToddyCat and other threat actors, prevents a reliable attribution. Additionally, he said, attribution of any Internet-based cyberattack is difficult.

"Usually the actors behind malware try to complicate its origin by erasing any information that might help researchers or law enforcement identify and track it," Dedola said. "Sometimes they even place false flags in order to steer investigators in the wrong direction. Sometimes they make mistakes and leave artifacts that may hint at the language spoken by the attackers, but such situations are the exception rather than the rule."

“That’s why at Kaspersky we don’t speculate on attribution and can’t say for sure which particular country is behind which attack.”

Alexander Culafi is a Boston-based writer, journalist, and podcaster.