The use of VPN services is continuously growing within the walls of China. Ever since the Chinese government set out to block citizens’ access to a wide array of specific online content with what is known as the “Great Firewall of China” many have set out to find a way around these restrictions, and VPNs have been a great way to do so.
Many have tunneled their connections to locations far from the borders of China and from gamers to film fanatics wishing to escape the net of censorship, virtual private networks are being marketed as a go-to solution to a free internet.
Chinese VPN used to attack non-Chinese corporations
On the other hand, however, according to security experts at RSA Research, these Chinese-language VPNs are also being used as “an active platform for launching attacks on non-Chinese corporations” all while keeping the origin of the attackers hidden. The Chinese-language VPNs used in these attacks have been dubbed by RSA as “Terracotta VPNs”.
It’s believed that the hackers behind some of the biggest data breaches in U.S. history (the breach of American healthcare insurers Anthem and Premera, as well as the recent attack on the U.S. Office of Personnel Management) are currently using Terracotta VPN to launch and hide their attacks.
According to RSA Research, there are more than 1,500 nodes worldwide that constitute the Terracotta VPN. Additionally, RSA has discovered that many Terracotta exit nodes were “compromised Windows servers that were ‘harvested’ without the victim’ knowledge or permission”. The reason that the hackers are targeting these vulnerable Windows servers is because the platform allows for near instantaneous VPN configuration. As it stands, the hackers have used this system to leverage over 50 VPN nodes to exploit Western government and commercial targets.
RSA has stated that it recently received a report “from a large defense contractor” regarding 27 different Terracotta VPN IP addresses that were used to send phishing emails targeting users in their organization. It doesn’t just stop there, though – evidence of Terracotta VPN activity has been present in a number of other cyber espionage campaigns over the last several years.
For example, RSA wrote that “out of 13 different IP addresses used during this campaign against this one target, 11 were associated with Terracotta VPN nodes.”
According to established cybersecurity blogger, Brian Krebs, the reason that the Terracotta network is a popular choice for cybercrime is that the espionage-related network traffic “can blend-in” with all of the other, legitimate VPN traffic.
Brian Krebs finds hacked US Servers
Krebs has also done some digging on his own and decided to explore the Terracotta network in more depth than the RSA report allowed. After some digging, Krebs was able to find several Terracotta VPN providers and shortly figured out that many of them were linked by a common domain name registrant email address. From there, he had the option of choosing a service from the many available Terracotta VPN providers. After settling on one of the options, Krebs decided to do some investigative work.
Echoing the RSA report, Krebs was able to locate dozens of U.S. based nodes with minimal effort. And after a little more looking around, he was able to locate a VPN node (tied to a Windows server) for the website of a Michigan-based chair manufacturer. Not stopping there, Krebs decided to reach out to the company, receiving confirmation that their servers were in fact breached.
Obviously this isn’t the first time in cybercrime history that malicious hackers were able to compromise overseas systems. In fact this phenomenon is quite common – particularly concerning espionage attacks. Additionally, not every hacker uses a vulnerable overseas server to carry out an attack, but many sell access to these hacked PCs online, allowing others to take advantage of their newfound anonymity.