Threat Management

VPN gone bad: APT actors enlist Chinese ‘Terracotta’ provider to hide criminal activity

Plenty of VPN providers exist, and plenty do a fine job providing their service to millions of people and companies. But there's at least one China-based service now being used to facilitate Advanced Persistent Threat (APT) attacks.

“Terracotta,” as RSA Research staffers call the provider, is a commercial VPN network that APT actors have chosen to integrate into their infrastructure. It helps them hide their criminal activities and, really, cover their digital tracks. RSA doesn't know whether Terracotta directly markets to the state-sponsored attackers, or if they found it through their own search, but one thing is certain: they're definitely using it.

Terracotta isn't all innocent; most of its infrastructure appears to have been obtained through hacking. The company continuously adds new IP addresses with fresh nodes inside legitimate organizations, which Peter Beardmore, senior consultant for threat intelligence marketing at RSA, told provides a “great opportunity” for APT actors to “optimize and obfuscate their traffic.”

Blocking these IP address indicators becomes difficult with so many new ones being added on a continual basis. Plus, these threat actors' traffic appears to come from “benign” sources, the report states.

Terracotta operates under various names and operates more than 1,500 nodes globally. RSA linked the company through common domain name registrant email addresses and by knowing that they are hosted on the same infrastructure with the same web content. At least 30 of these host systems are compromised Windows servers that were gathered without victims' knowledge or permission.

In reality, Terracotta's service appeals to hackers because it makes their jobs easier, Kent Backman, threat intelligence analyst for RSA FirstWatch, said in an interview with They don't have to spend time “hacking and developing their own infrastructure,” he noted.

These APT groups have a particular interest in Western governments, as well as commercial entities.

Both Backman and Beardmore said there are two sides to prevention and detection of Terracotta. For those victims who have, or might be, compromised and used as nodes in the VPN provider's operation, they should make sure “simple security controls” are in place. This includes using a firewall, opting for strong passwords and changing the “Administrator” account name on all Windows systems.

For targets of APT attacks, know that no IP address can be trusted, Beardmore said. Seemingly legitimate traffic can always be a well-executed APT disguise.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.