Petronella Blog Archive


Hackers Hiding on China's Terracotta VPN


A Virtual Private Network (VPN) dubbed the Terracotta VPN, which some Chinese internet users rely on to bypass the Great Firewall of China, appears also to be in use by the hackers behind some of the larger recent intrusions originating from China, including the attack on the US Office of Personnel Management (OPM).

The Terracotta VPN is a collection of VPN services marketed to Chinese internet users, from bloggers to gamers, who want to get past the Chinese government's internet blocks, commonly called the Great Firewall of China. A VPN tunnels the user's traffic, encrypted, to a server outside the censored network; blocked sites are then reached from that server's address rather than the user's, so the filtering never sees the real destination.

Security firms have tied a group of Chinese hackers known as Deep Panda or Shell_Crew to several recent large data breaches. In addition to the OPM breach mentioned above, they have also been linked to intrusions at health insurance companies. Now it appears they have been routing their activity through the Terracotta VPN, whose nodes include vulnerable servers around the world that were taken over for the purpose. Many of the nodes being used for malicious traffic are Windows servers, enrolled without their owners' knowledge. The victims range from law firms to a high-tech manufacturer to a county government.

RSA Research, the security firm that has been investigating the matter, says it has identified at least 52 Terracotta VPN nodes that were used in attacks against businesses and governments. In one attack, 85% of the compromised nodes that took part were Terracotta VPN nodes. RSA suspects the attackers favour the VPN because traffic leaving an ordinary, legitimately owned server in a Western country blends in with normal web traffic far better than connections from known Chinese address ranges would.
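The measurement RSA describes (what share of the hosts attacking you sit on a known VPN node list) is a check any defender can run against their own access logs once they have an indicator list. The following is an added example, not code from the original post or from RSA Research: it parses a few web-server log lines in combined format, matches each source address against a node list that may contain single addresses or CIDR blocks, and reports both the requests that arrived via listed nodes and the fraction of suspicious source hosts that did. The node list and log lines are constructed for illustration using RFC 5737 documentation ranges and are not real Terracotta VPN indicators; the `vpn_node_share` function and its 401-status heuristic for "suspicious" are this example's own assumptions.

```python
"""Flag web-server requests that arrive from known VPN exit nodes.

Added example, not from the original post or from RSA Research. The node
list and log lines below are constructed for illustration (RFC 5737
documentation addresses) and are NOT real Terracotta VPN indicators.
"""
import ipaddress
import re

# Constructed indicator list: single addresses and CIDR blocks (hypothetical).
VPN_NODES = [
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.0/28",
]

# Constructed sample access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2015:09:12:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2015:09:12:03 +0000] "POST /owa/auth.owa HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2015:09:12:04 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Aug/2015:09:12:09 +0000] "POST /owa/auth.owa HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2015:09:12:10 +0000] "POST /owa/auth.owa HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2015:09:12:11 +0000] "POST /owa/auth.owa HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

# Source IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def build_node_set(entries):
    """Turn addresses and CIDR strings into ip_network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_vpn_node(ip, networks):
    """True if the address falls inside any listed node address or block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"ip": m["ip"], "ts": m["ts"], "req": m["req"], "status": int(m["status"])}


def vpn_node_share(log_text, node_entries, suspicious=lambda e: e["status"] == 401):
    """Return (requests from listed nodes, share of suspicious hosts on listed nodes).

    'suspicious' is a heuristic assumed for this example: a failed login (401).
    The share is computed over distinct source hosts, not over request count,
    so one noisy node does not skew the result.
    """
    networks = build_node_set(node_entries)
    flagged = []
    attackers, via_vpn = set(), set()
    for entry in parse_log(log_text):
        on_node = is_vpn_node(entry["ip"], networks)
        if on_node:
            flagged.append(entry)
        if suspicious(entry):
            attackers.add(entry["ip"])
            if on_node:
                via_vpn.add(entry["ip"])
    share = len(via_vpn) / len(attackers) if attackers else 0.0
    return flagged, share


if __name__ == "__main__":
    hits, share = vpn_node_share(SAMPLE_LOG, VPN_NODES)
    for h in hits:
        print(f"{h['ts']} {h['ip']:<15} {h['status']} {h['req']}")
    print(f"{share:.0%} of suspicious source hosts are listed VPN nodes")
```

On the constructed sample, four requests arrive from listed nodes and two of the three hosts producing failed logins are on the list. The membership test deliberately uses `ip_network` for every entry so that a feed mixing `/32` hosts and larger blocks needs no special casing; for production-sized indicator lists, replace the linear scan with a radix tree (for example the `pytricia` package) or pre-aggregate the blocks.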

The damage is not limited to the data stolen and the malware spread through these servers. The compromised machines are also rented out as VPN exit points through a relatively easy-to-use service, so other criminals can pay to route their traffic through your compromised computer, and any abuse they commit will trace back to your address.