Researchers Uncover ‘Terracotta’ Chinese VPN Service Used by APT Crews for Cover

Building a business can be expensive and time-consuming, and owners will look for ways to save money wherever they can. Researchers from RSA Security have found a VPN provider in China that is taking this to an unusual extreme: hacking Windows servers around the world for use as VPN nodes on a network that is used as cover by some APT groups.

The VPN provider, which RSA’s researchers refer to as Terracotta, sells a commercial service under several different brands in China. It has some legitimate nodes on its VPN network, but much of the network comprises hacked Windows servers, mainly in small businesses and organizations that don’t have their own IT or security staffs. The hacked servers are located in China, South Korea, the United States, and some countries in Eastern Europe.

The VPN network is used by consumers in China, but RSA officials say that some APT groups, including a crew known as Deep Panda, which has been responsible for many cyberespionage campaigns, also use it. The Deep Panda crew has been tied to an attack on the United States Department of Labor in 2013 and other intrusions. RSA’s researchers discovered the Terracotta network, which RSA will discuss in more detail at Black Hat this week, while researching Deep Panda’s activities.

“We’ve seen a considerable amount of APT traffic on this network. They appear to use it for anonymization purposes and obfuscation,” said Peter Beardmore, senior consultant for threat intelligence at RSA.

RSA’s researchers say there is nothing to indicate that the operators of the Terracotta VPN are actually affiliated with Deep Panda or any of the APT groups that use it. Most of the nodes on the network are servers in legitimate organizations that have been hacked. In a typical operation, an attacker will find a target Windows server, use a brute-force attack to crack an administrator’s password to access the server and then disable the Windows firewall. The attacker will then disable any antimalware running on the server and install a remote access Trojan. With that done, he creates a new account on the box and installs the Windows VPN services.

The hacked server is then part of the Terracotta VPN network. The researchers have discovered hacked servers at a variety of organizations, including law firms, a large engineering company, some high-tech companies, schools and universities, and government agencies.
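The compromise chain described above leaves a recognisable trail in a Windows server’s event logs: a run of failed logons from one address, a successful logon from that same address, the firewall being stopped, a new local account, and a service installation. The detector below is an added example (not RSA’s code or part of the report) that correlates those stages per host within a time window. The event IDs are the real Windows Security and System log IDs (4625 failed logon, 4624 logon, 5025 firewall service stopped, 4950 firewall setting changed, 4720 user account created, 7045 service installed); the sample records, host names and addresses are constructed, and the assumption that the installed VPN role shows up as the `RemoteAccess` (Routing and Remote Access) service is labelled in the code.

```python
"""Correlate Windows event-log records into the 'server turned into a VPN
node' chain: password brute force, admin logon, firewall disabled, new
account, VPN service installed.

Added example, not RSA's code. Event IDs are genuine Windows IDs; the
sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Later stages of the chain, keyed by event ID.
STAGE_BY_EVENT = {
    5025: "firewall_disabled",   # Windows Firewall service stopped
    4950: "firewall_disabled",   # Firewall profile setting changed
    4720: "account_created",     # Local user account created
    7045: "service_installed",   # New service installed (System log)
}

# Assumption: the Windows VPN server role (Routing and Remote Access) is
# installed as the RemoteAccess service; RasMan is its dial-up/VPN manager.
VPN_SERVICES = {"RemoteAccess", "RasMan"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_vpn_node_chain(events, brute_threshold=5, window=timedelta(hours=1)):
    """Return one finding per host where a brute-forced logon is followed,
    within `window`, by any of the later stages. Each finding lists the
    stages seen and whether the installed service looks like the VPN role."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda e: _parse(e["ts"]))
        failures = defaultdict(list)  # source address -> failed-logon times
        for i, e in enumerate(recs):
            t = _parse(e["ts"])
            if e["id"] == 4625:
                failures[e["src"]].append(t)
                continue
            if e["id"] != 4624:
                continue
            # A successful logon: was it preceded by a burst of failures
            # from the same address inside the window?
            src = e["src"]
            recent = [f for f in failures.get(src, []) if t - f <= window]
            if len(recent) < brute_threshold:
                continue
            stages = {"brute_force_logon"}
            vpn_service = False
            for later in recs[i + 1:]:  # records are sorted, so stop past window
                if _parse(later["ts"]) - t > window:
                    break
                stage = STAGE_BY_EVENT.get(later["id"])
                if stage:
                    stages.add(stage)
                    if later["id"] == 7045 and later.get("service") in VPN_SERVICES:
                        vpn_service = True
            findings.append({
                "host": host, "src": src, "failed_logons": len(recent),
                "stages": sorted(stages), "vpn_service_installed": vpn_service,
            })
    return findings


# Constructed sample records (not real logs). srv-law01 shows the full chain;
# srv-hr02 shows two mistyped passwords followed by a normal logon.
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T02:00:01", "host": "srv-law01", "id": 4625, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:00:04", "host": "srv-law01", "id": 4625, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:00:09", "host": "srv-law01", "id": 4625, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:00:15", "host": "srv-law01", "id": 4625, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:00:22", "host": "srv-law01", "id": 4625, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:00:40", "host": "srv-law01", "id": 4624, "src": "198.51.100.7", "user": "Administrator"},
    {"ts": "2015-06-01T02:01:10", "host": "srv-law01", "id": 5025},
    {"ts": "2015-06-01T02:02:00", "host": "srv-law01", "id": 4720, "user": "vpnsvc"},
    {"ts": "2015-06-01T02:03:30", "host": "srv-law01", "id": 7045, "service": "RemoteAccess"},
    {"ts": "2015-06-01T08:30:00", "host": "srv-hr02", "id": 4625, "src": "10.0.0.25", "user": "jsmith"},
    {"ts": "2015-06-01T08:30:08", "host": "srv-hr02", "id": 4625, "src": "10.0.0.25", "user": "jsmith"},
    {"ts": "2015-06-01T08:30:20", "host": "srv-hr02", "id": 4624, "src": "10.0.0.25", "user": "jsmith"},
]


if __name__ == "__main__":
    for f in detect_vpn_node_chain(SAMPLE_EVENTS):
        print(f)
```

The threshold and window are deliberately loose: a brute force that succeeds after five guesses within an hour is enough to start a chain, and the later stages raise confidence rather than being required, so a server where only the firewall stop or the service install was logged still surfaces. In practice the 4625/4624 records come from the Security log and 7045 from the System log, so the two would be joined on the host name before being fed to the detector.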

“All of the compromised systems, confirmed through victim-communication by RSA Research, are Windows servers. RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds). While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” a research paper RSA released Tuesday says.

VPN services are key tools for many consumers in China who are looking for ways around that country’s censorship tools and online controls. The services are marketed openly to consumers, and researchers say that it’s highly likely that the Chinese government’s signals intelligence organization has a good method for monitoring the traffic on VPN services. But the business model for the Terracotta service is what makes it stand out.

“Why would a business need to hack servers for use in a VPN ecosystem, when Virtual Private Servers (VPS) are so readily and inexpensively available? Currently, high-quality VPS’s with sufficient power for use as a VPN node can be leased for as little as $5.00 per month in the U.S. However, VPN traffic is more bandwidth-intensive than CPU-intensive. Since many VPS solutions provide a base-level of bandwidth and charge for overage, the cost of bandwidth for a VPN service such as Terracotta would significantly affect operating expenses,” the researchers wrote in their paper.

“Even if the monthly recurring bandwidth costs of using VPS servers were ignored, the logistics of managing the contracts and payments with foreign and domestic providers would add significantly to the cost of operations. Conservatively, RSA Research counted more than 300 different organizations behind the 1500+ nodes in the Terracotta VPN ecosystem.”

Image from Flickr photos of Michael Lusk.
