Security Experts:

Connect with us

Hi, what are you looking for?



Chinese VPN Used by APT Actors Relies on Hacked Servers

Researchers at RSA have conducted an in-depth analysis of a Chinese virtual private network (VPN) service that has been used by advanced persistent threat (APT) groups to anonymize and obscure their activities.

Researchers at RSA have conducted an in-depth analysis of a Chinese virtual private network (VPN) service that has been used by advanced persistent threat (APT) groups to anonymize and obscure their activities.

Dubbed “Terracotta” by RSA, the commercial VPN service is marketed in China under various brands. The network is often used for anonymity, peer-to-peer (P2P) file sharing and gaming acceleration, and to bypass China’s Great Firewall’s censorship system.

One of the things that caught the attention of researchers is that Terracotta is a malware-supported VPN network. Many of the service’s more than 1,500 VPN nodes are on compromised servers belonging to various organizations from all over the world.

According to researchers, at least 31 of the host systems are hacked Windows servers belonging to a major hotel chain, U.S. government organizations, universities, tech services providers (including government contractors), and various private firms.

RSA believes the operators of Terracotta are targeting Windows servers because they include VPN services that can be easily configured. In all cases, the hijacked servers were Internet-exposed devices that were not protected by hardware firewalls.

The Terracotta node enlistment process starts with a brute-force attack on the administrator account via the DCOM Windows Management Interface (WMI) on TCP port 135. Then, the attackers disable the firewall and enable the Telnet service. Once this is done, they log in to the compromised system via the Remote Desktop Protocol (RDP), disable antiviruses, and install a custom variant of the Gh0st Remote Administration Tool (RAT). Finally, the VPN service operators create a new Windows account and they install Windows VPN services on the hijacked server.

In addition to Gh0st RAT, experts have spotted other pieces of malware on compromised servers, including the Mitozhan Trojan and the Liudoor Backdoor.

While Terracotta nodes have been identified all over the world, the majority are located in China (1,095), the United States (572), and South Korea (204).

By hacking into legitimate servers and using them as nodes, the operators of the VPN service can save a lot of money that they might normally have to pay for bandwidth, experts noted.

Many Terracotta customers are likely regular users who are not aware that the service is partly powered by hacked servers. However, researchers determined that the VPN service has also been used by APT actors, including the Chinese group known as Shell Crew (Deep Panda).

In one of the attacks observed by the security firm, the attackers leveraged the VPN service in a phishing operation aimed at a defense contractor.

“RSA Research can confirm that suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes for exploitation of sensitive targets among Western government and commercial organizations. Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage- related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic,” RSA said in its report on Terracotta.

The company has pointed out that while it has been leveraged by APT actors, there is no evidence to suggest that Terracotta is actually tied to such groups.

RSA’s report, “Terracotta VPN: Enabler of Advanced Threat Anonymity,” contains recommendations and indicators of compromise (IoC) to help organizations detect the threat.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.