Hackers are using a commercially available VPN network in China to obscure the origin of their activities.
A VPN network that is commercially available in China is being used by hackers to mask their attacks on organisations around the world, according to a major new report from RSA.
The study, titled Terracotta VPN: Enabler of Advanced Threat Anonymity, noted how the VPN service, which taps into compromised servers to harvest its nodes, is being used by numerous advanced persistent threat (APT) actors – including Shell_Crew and Deep Panda.
RSA claims that the “malware-supported” VPN network, which it has dubbed Terracotta, has so far acquired up to 1,500 nodes, primarily from Windows servers.
This is achieved surreptitiously, with compromised organisations unaware that their systems have been penetrated by hackers who are able to conceal their activity via the VPN network.
“What makes Terracotta notable from other similar VPN networks is that it originates in China, and (in addition to carrying legitimate and potentially illegitimate traffic) it is being used to anonymize and obfuscate APT activity from threat actor groups,” explained Peter Beardmore, a senior consultant at RSA.
“Often cybersecurity practitioners in large organizations (likely APT targets) will restrict or block known IP addresses of commercial VPN networks.
“The APT actors utilizing the Terracotta network have effectively overcome this line of defense, because Terracotta’s practices are fundamentally different from legitimate commercial VPN networks.”
In its comprehensive paper, the findings of which were presented at the Black Hat conference in Las Vegas this week, RSA described how some of the targets include Western governments and commercial enterprises.
It added that Terracotta is so appealing to hackers because it allows them to effectively mask illegitimate activity – the hackers appear to come from authentic sources.
Moreover, any attempt to block, restrict or detect IP addresses is hampered by the fact that new nodes – which are hosted on genuine organisations' servers – are continuously being added.
RSA says that this is the first time it has observed malicious activity of this kind on a VPN network.
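Because the compromised organisations described above are unaware that their Windows servers have become relay nodes, the practical defender question is how to spot one. The following PowerShell triage script is an added example, not code from the article or from RSA's report; it assumes (the article does not say how nodes are enrolled) that a relay would show up as the built-in Routing and Remote Access service running, IP forwarding enabled, or listeners on the usual VPN ports, and it reports those as leads for investigation rather than proof of compromise.

```powershell
# Added triage check, not from the Terracotta report: look for signs that this
# Windows server is relaying VPN traffic for others.
# Assumed indicators: RRAS service running, IPv4 forwarding on, VPN listener ports.
$vpnPorts = 1723, 1701, 500, 4500   # PPTP, L2TP, IKE, IPsec NAT-T (assumed)
$findings = @()

# 1. Built-in Routing and Remote Access service
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') {
    $findings += "RemoteAccess (RRAS) service is running (StartType: $($rras.StartType))"
}

# 2. IP forwarding enabled on any interface means the host routes traffic for others
$fwd = Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
       Where-Object { $_.Forwarding -eq 'Enabled' }
foreach ($i in $fwd) {
    $findings += "IPv4 forwarding enabled on interface '$($i.InterfaceAlias)'"
}

# 3. TCP listeners on VPN ports, with the owning process for follow-up
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
       Where-Object { $vpnPorts -contains $_.LocalPort }
foreach ($c in $tcp) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "TCP listener on port $($c.LocalPort) owned by PID $($c.OwningProcess) ($proc)"
}

# 4. UDP endpoints (IKE and L2TP run over UDP)
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $vpnPorts -contains $_.LocalPort }
foreach ($u in $udp) {
    $findings += "UDP endpoint on port $($u.LocalPort) owned by PID $($u.OwningProcess)"
}

if ($findings.Count -eq 0) {
    "No VPN-relay indicators found on $env:COMPUTERNAME"
} else {
    "Possible VPN-relay indicators on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it with administrative rights on each Windows server you manage; a server that legitimately runs RRAS will also match, so compare the output against your own change records before escalating.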