Figure: Coverage of Terracotta VPN servers
A Chinese VPN service provider, advertising its service under several different brands in China, chose an unusual business scheme. The provider was able to offer encrypted Internet access at a very low price, $3 per month, by building its network from other people's computers that had been hacked and were quietly operated under its control.
Researchers from RSA Security came across this system while studying a recent massive leak of information about US civil servants, for which Chinese hackers were blamed. RSA named this VPN network Terracotta VPN, an allusion to the "Terracotta Army", which, in their opinion, is what the users of this network are. In China, VPN services are very popular because of the government's extensive approach to Internet censorship.
Figure: Network operation diagram
According to RSA, Terracotta VPN constantly expands its pool of servers by finding vulnerable computers running Windows, hacking them, turning on the VPN service and attaching them to its network. Among the servers examined by the researchers were machines belonging to libraries, universities, hotels and various US government agencies.
Apparently, Windows computers are chosen both because of their susceptibility to hacking and because setting up such a computer as a VPN node is much simpler than on other operating systems. Using brute force, the hackers guess the administrator password and then disable the computer's protection to turn it into a working VPN node. To do this, a separate user account is created on the computer and the Gh0st RAT remote-control tool is installed.
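The takeover sequence described above (password guessing, a successful administrator logon, then a new user account) leaves a recognizable trail in the Windows Security log. The following is an added detection example, not code from the RSA report; the simplified record fields, the failure threshold, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FAILED, SUCCESS, USER_CREATED = 4625, 4624, 4720  # Windows Security event IDs

def ev(host, ts, eid, account, src=None, target=None):
    # Simplified record; for 4720, "account" is the creator and "target" the new user.
    return dict(host=host, time=datetime.fromisoformat(ts), id=eid,
                account=account, src=src, target=target)

# Constructed sample events (documentation IP ranges), not taken from the RSA report.
SAMPLE = (
    [ev("LIB-SRV01", f"2015-08-04T02:00:{s:02d}", FAILED, "Administrator", "203.0.113.7")
     for s in range(0, 36, 6)]  # six failed logons in 30 seconds
    + [ev("LIB-SRV01", "2015-08-04T02:01:10", SUCCESS, "Administrator", "203.0.113.7"),
       ev("LIB-SRV01", "2015-08-04T02:04:00", USER_CREATED, "Administrator", target="svc_helper"),
       # Benign pattern: two typos, then a normal admin session that adds a user.
       ev("HOTEL-PC", "2015-08-04T09:00:00", FAILED, "Administrator", "192.0.2.10"),
       ev("HOTEL-PC", "2015-08-04T09:00:20", FAILED, "Administrator", "192.0.2.10"),
       ev("HOTEL-PC", "2015-08-04T09:00:40", SUCCESS, "Administrator", "192.0.2.10"),
       ev("HOTEL-PC", "2015-08-04T09:05:00", USER_CREATED, "Administrator", target="frontdesk2")]
)

def find_takeover_chains(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag hosts where a failed-logon burst leads to a success and then a new account."""
    findings = []
    events = sorted(events, key=lambda e: e["time"])
    for ok in (e for e in events if e["id"] == SUCCESS):
        same = lambda e: e["host"] == ok["host"] and e["account"] == ok["account"]
        # Failures for the same account from the same source shortly before the success.
        fails = [e for e in events if e["id"] == FAILED and same(e) and e["src"] == ok["src"]
                 and timedelta(0) <= ok["time"] - e["time"] <= window]
        # Accounts created by that account shortly after the success.
        new = [e["target"] for e in events if e["id"] == USER_CREATED and same(e)
               and timedelta(0) <= e["time"] - ok["time"] <= window]
        if len(fails) >= min_failures and new:
            findings.append({"host": ok["host"], "src": ok["src"],
                             "failures": len(fails), "new_accounts": new})
    return findings

if __name__ == "__main__":
    for finding in find_takeover_chains(SAMPLE):
        print(finding)
```

Only the host with the failure burst is reported; the two mistyped passwords on the second host stay below the threshold.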
In addition, the researchers found other dubious practices used by the provider, for example assigning several dozen IP addresses to one physical device to give the impression of a much larger network than it actually is.
Figure: Scheme of hacking a server
The RSA report states that Terracotta VPN could be linked to the hacker group Deep Panda, which is suspected of organizing a massive leak of personal information. There is no evidence of direct cooperation between the company and the hackers; it is possible that the hackers simply used the services of this network, whose organization makes it easy to cover one's tracks.
RSA Security was established in 1982 as an independent company and was acquired in 2006 by EMC Corporation, one of the world's largest corporations in the market for products, services and solutions for storing and managing information. EMC is headquartered in Hopkinton, Massachusetts (USA).