A hacking operation labeled ToddyCat continues to steal “large volumes of data,” primarily from governmental targets in the Asia-Pacific region, researchers say.

In its latest report on the group, Russian cybersecurity firm Kaspersky details the “tunneling” methods ToddyCat uses once inside a network, which include compromising VPN software and legitimate cloud providers, and abusing the SSH protocol for internet traffic. Tunneling essentially means creating ways to hide data in transit. 

The company does not attribute ToddyCat to any country or existing state-backed hacking group, but previous reports noted that targets included “high-profile entities in Europe and Asia” and digital infrastructure in Taiwan and Vietnam. 

Researchers at Israel-based Check Point previously identified an operation against organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam that appeared to be connected to ToddyCat. In that report Check Point noted that other research ties ToddyCat to “Chinese espionage activity.”

Kaspersky says ToddyCat activity dates back to at least 2020. Lately it has been stealing data “on an industrial scale,” the researchers say.

By using different tunneling methods, Kaspersky says, ToddyCat is trying to ensure that if one data-stealing method fails, others are available. 

“To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.” Kaspersky said.