Researchers uncover new hacker group targeting India

Research so far indicates that ToddyCat first became active in December 2020, when it targeted servers in Taiwan and Vietnam.

Gautam S. Mengle | Updated: Monday, June 27, 2022, 09:52 PM IST

Even as the hacker group 'DragonForce Malaysia' is keeping up its onslaught of cyber attacks against India, the latest research has revealed a new hacker group that has targeted India at least twice to date.

Worryingly, unlike DragonForce's indiscriminate targeting of Indian websites and servers, the new hacker group limits itself exclusively to high-value targets in the government and defence sector.

The group, dubbed 'ToddyCat', was discovered earlier this year by researchers at Kaspersky, a leading cybersecurity and anti-virus provider. It has been classified as an Advanced Persistent Threat (APT) due to its relentless and organised malicious activities, and Kaspersky published a detailed report of its findings last week on its blog SecureList.

“ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call Samurai backdoor and Ninja Trojan,” the update on SecureList said.

A backdoor is an unauthorised method of gaining entry into a system, bypassing normal security and authentication procedures. Trojans are files that look innocuous but are loaded with malware, named after the Trojan Horse of Greek mythology.

Research so far indicates that ToddyCat first became active in December 2020, when it targeted servers in Taiwan and Vietnam. Based on the low intensity of the attacks in these two countries, it is suspected that ToddyCat was just testing its arsenal at this time.

However, from February to March 2021, Kaspersky observed a rapid escalation, with ToddyCat exploiting a now well-known vulnerability in the servers of a major email service provider. ToddyCat’s attacks were observed across Asia and Europe, including in India.

Then, in May last year, researchers once again noted that ToddyCat had targeted India as well as several other countries in Asia. This time, the APT had also added three new countries to its list of targets. Apart from exploiting vulnerabilities in servers, ToddyCat has also been observed sending malware-loaded files to its targets via Instagram, Kaspersky said.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests. Based on our telemetry, the group shows a strong interest in targets in Southeast Asia, but their activities also impact targets in the rest of Asia and Europe,” Kaspersky’s report states.

In a separate statement issued after the SecureList report was released, Giampaolo Dedola, a security expert at Kaspersky, observed, “ToddyCat is a sophisticated threat actor with elevated technical skills, which is able to fly under-the-radar and make its way into the top-level organizations. Despite the number of loaders and attacks discovered during the last year, we still don’t have complete visibility of their operations and tactics. Another noteworthy characteristic of ToddyCat is its focus on advanced malware capabilities – Ninja Trojan got its name for a reason – it is hard to detect and, therefore, hard to stop.”
