Europol takes down 593 Cobalt Strike servers used by cybercriminals

Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims' networks.

During a single week in late June, law enforcement identified known IP addresses associated with criminal activity and domain names that were part of attack infrastructure used by criminal groups.

In the next stage of the operation, online service providers were provided with the collected information to disable unlicensed versions of the tool.

"Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated from Europol's headquarters between 24 and 28 June," said Europol.

"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."

Operation Morpheus involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States and was led by the United Kingdom's National Crime Agency.

Private industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation also offered their support during this international law enforcement operation, providing help via their enhanced scanning, telemetry, and analytical capabilities to identify Cobalt Strike servers used in cybercriminal campaigns.

This disruptive action coordinated by Europol is the culmination of a complex investigation that started three years ago, in 2021.

"Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise," Europol added.

"In addition, Europol's EC3 organised over 40 coordination meetings between the law enforcement agencies and the private partners. During the week of action, Europol set up a virtual command post to coordinate law enforcement action across the globe."

Used in ransomware attacks and cyberespionage campaigns

In April 2023, Microsoft, Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) also announced a broad legal crackdown on servers hosting cracked copies of Cobalt Strike, one of cybercriminals' primary hacking tools.

Cobalt Strike was released by Fortra (formerly Help Systems) over a decade ago as a legitimate commercial penetration testing tool for red teams to scan network infrastructure for security vulnerabilities. However, threat actors have obtained cracked copies of the software, making it one of the most widely used tools in data theft and ransomware attacks.

Attackers use Cobalt Strike during the post-exploitation attack stage to deploy beacons that provide persistent remote access to compromised networks and help steal sensitive data or drop additional malicious payloads.

Microsoft says that various state-backed threat actors and hacking groups are utilizing cracked versions of Cobalt Strike while operating on behalf of foreign governments, such as Russia, China, Vietnam, and Iran.

In November 2022, the Google Cloud Threat Intelligence team also open-sourced a collection of indicators of compromise (IOCs) and 165 YARA rules to help defenders detect Cobalt Strike components in their networks.