Chinese hackers hijack commercial VPN service to launch cyberattacks

The Terracotta VPN network is made up of compromised Microsoft Windows servers.

RSA Research

Hacking groups are utilizing a commercial VPN service to mask cyberattacks originating from China.

On Tuesday at the Black Hat conference in Las Vegas, RSA Research unveiled research relating to a commercial VPN service offered in China. Dubbed Terracotta by the researchers, the VPN service comprises of over 1500 virtual private network (VPN) nodes obtained mainly through exploiting vulnerable Windows-based servers used by legitimate organizations.

New victim slave nodes are constantly added to Terracotta without the knowledge or permission of legitimate companies operating the servers. The service itself -- offered under a variety of different brand names -- is commercial and marketed as a way for individuals to circumvent the Great Firewall of China censorship program. In addition, Terracotta can help mask online users, which can be invaluable to individuals in a country where activists do not prove popular with the ruling party.

See also: China's 'Great Cannon': Taking censorship across country borders

Read this

10 steps to erase your digital footprint

How do you vanish online? Follow these 10 steps to get started.

Read More

RSA says node hijacking is likely to be a way to cut costs as Terracotta is offered for approximately $3 a month to Chinese consumers. While there is no evidence to suggest the commercial service is connected to threat actors in a darker sense, the team have discovered a number of advanced persistent threat (APT) groups using the VPN for their own illegal ends.

"Often cybersecurity practitioners in large organizations (likely APT targets) will restrict or block known IP addresses of commercial VPN networks. The APT actors utilizing the Terracotta network have effectively overcome this line of defense, because Terracotta's practices are fundamentally different from legitimate commercial VPN networks," RSA notes.

"To a potential APT victim, traffic emanating from the Terracotta node could appear as legitimate traffic from a legitimate domestic organization, when in fact that organization is a Terracotta victim with an infected server."

Victims include a Fortune 500 hotel chain, universities in Japan, Taiwan and the US, tech firms, Windows enterprise app developers and a law firm. Compromised nodes are located in countries including the United States, South Korea, Hong Kong, Russia and Canada.


Groups including Deep Panda are using the service to mask their activities. Discovered in July last year, the threat actors are believed to have broken into US government systems in order to make off with lists of federal employees who have applied for top-level security clearances. The operations' sophistication and complexity indicated such an attack could be state-sponsored, although Chinese officials dismissed such claims.

As both legitimate and APT traffic is flowing through the VPN's networks, ascertaining what is legitimate and what is not is difficult -- and plays into APT group hands as a result.

The team says:

"An ounce of prevention is worth a pound of cure." Certainly this idiom from Ben Franklin applies to efforts to defend against this class of threats (not particularly sophisticated, opportunistic, but potentially very costly).

RSA Research assesses that had the Windows firewall been turned on, and the default 'Administrator' account been renamed in each of the victim systems examined, the systems would not have been compromised with the methods employed by Terracotta."

It is not just establishing basic firewall and user protection on corporate networks which must be monitored to prevent firms becoming victims of such operations. RSA also says others in the business supply chain did not establish enough protection from digital threats, and, therefore, become a peripheral risk to larger companies.

Business is now a networked game, and so entities which are connected in today's corporate realm have to start communicating more effectively and collaborating on cybersecurity. One weak link is all it takes.

Read the full report.

Read on: Top picks

In pictures:


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All