China Cyber Criminals Accused of Exploiting Commercial VPN

Chinese cybercriminals have been hijacking a commercial VPN to carry out Advanced Persistent Threat (APT) attacks, according to a new report this week from security firm RSA.

RSA Research claims that a Chinese VPN provider has been infiltrated by APT actors who are using its infrastructure to carry out their operations and cover their tracks.

The VPN provider has not been named but the researchers have given it the codename “Terracotta” and it allegedly has access to over 1,500 Windows nodes in China, South Korea, and the US.


RSA Research revealed the research this week at the Black Hat security conference in Las Vegas.

It isn’t clear if the commercial VPN service in question is fully aware of how its service is being used but it may not be an innocent victim.

SC Magazine reports:

Terracotta isn’t all innocent; most of its infrastructure appears to have been obtained through hacking

The cybercriminals have allegedly carried out attacks on targets in the US, Canada, UK, Brazil, and Vietnam.

Brian Krebs reports that the commercial VPN service in question is likely used by Chinese gamers and other Internet users trying to evade censorship, but the platform has been used for nefarious means too.

But RSA researchers said they discovered that many of Terracotta’s exit nodes were compromised Windows servers that were “harvested” without the victims’ knowledge or permission, including systems at a Fortune 500 hotel chain; a hi-tech manufacturer; a law firm; a doctor’s office; and a county government of a U.S. state.

RSA said it can “confirm that suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes” in cyberattacks against western governments and companies.

“Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage-related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic,” they write.

The researchers have also found evidence of the VPN being used in other attacks or operations, including phishing attacks against a defense contractor (nation not specified).

“This discovery only reinforces the importance of selecting a VPN provider that owns their own network infrastructure and hardware,” said VyprVPN.