A number of APT actors believed to be of Chinese origin are using a commercial VPN service to anonymize and obfuscate their attack activity.
Dubbed Terracotta, the VPN service is marketed mostly to Chinese users under multiple brand names, mostly as a means to bypass the Great Firewall of China.
“Terracotta’s network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim’s knowledge or permission. New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base,” RSA researches have found.
“All of the compromised systems, confirmed through victim-communication by RSA Research, are Windows servers. [We] suspect that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”
The VPN operators aren’t picky – organizations with confirmed compromised Windows servers include Fortune 500 companies, application developers, universities, IT service providers, law firms, various IT service providers, and so on. “A common trait shared with all confirmed victims is that they had Internet-exposed Windows servers without hardware firewalls,” the researchers point out.
Most of the nodes are located in China, the US, and South Korea:
Obviously, the VPN operators chose to go this route in order to save money.
Among the APT actors that use the service is “Deep Panda” (or “Shell_Crew”), the group that is believed to be behind the attacks on US health insurer Anthem and the US OPM.
Some of these suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes for exploitation of sensitive targets among Western government and commercial organizations, the researchers found.
There is no evidence that the Terracotta network and its operators are affiliated in anyway with the APT actors. So far it seems that the APT groups have merely used it to blend-in their espionage- related network traffic with otherwise-legitimate VPN traffic.
“The attractiveness of the Terracotta ecosystem to advanced threat actors may be strictly utilitarian: a very low-cost platform for attacks that serves to ultimately reduce the probability of detection,” they concluded.
At Black Hat USA 2015, RSA Research has released an in-depth report about the VPN service, which contains information and instructions on how to check whether an organization’s servers have been ensnared in the network of nodes used by the service, how to break them free of the thrall, and also how to prevent the compromise in the first place.