RSA Research has published an in-depth report on a commercial VPN network, originating in China, which it calls “Terracotta”. The network is being used as a launch platform by APT actors, including the now well-known Shell_Crew / Deep Panda group.
Terracotta’s network of 1500+ VPN nodes throughout the world is built primarily by hacking into inadequately protected Windows servers belonging to legitimate organizations, without the victims’ knowledge or permission. New nodes are continually added as new victims are enlisted, and the node list is not published outside of the Terracotta user base.
What distinguishes Terracotta from other similar VPN networks is that it originates in China, and that (in addition to carrying legitimate and potentially illegitimate traffic) it is being used to anonymize and obfuscate APT activity by threat actor groups (including Shell_Crew / Deep Panda).
Cybersecurity practitioners in large organizations (likely APT targets) often restrict or block the known IP addresses of commercial VPN networks. The APT actors using the Terracotta network have effectively overcome this line of defense, because Terracotta’s practices are fundamentally different from those of legitimate commercial VPN networks: its exit nodes are compromised servers inside other organizations’ address space rather than hosts in a provider’s published address ranges, so they are unlikely to appear on any VPN block list.
To a potential APT victim, traffic emanating from a Terracotta node can appear to be legitimate traffic from a legitimate domestic organization, when in fact that organization is itself a Terracotta victim with an infected server.
It is important to note that there is no evidence that the Terracotta network and its operators are affiliated in any way with the APT actors. Rather, Terracotta is a commercial VPN service, marketed in China under several different brands. Its primary commercial use cases include Great Firewall traversal and user anonymization. Similar services are widely marketed online in China at low monthly rates (Terracotta rates are approximately US$3/month). Terracotta’s suspected illegal enlistment of its VPN nodes appears to be merely a cost-saving measure. However, these methods potentially provide tangential benefits to APT actors.
Terracotta’s marketing appears to be successful, at least to some extent: there appear to be legitimate users and legitimate traffic traversing the network. This commingling with legitimate traffic may also serve to further obfuscate APT traffic.
You can take a look at the attached report here, which outlines much of what RSA knows about Terracotta to date, including network summaries, enlistment methods, malware analysis, some APT activity, prevention and detection guidance, and an appendix.