Europol shuts down 593 Cobalt Strike servers used by cybercriminals

Europol coordinated a joint law enforcement operation called Operation Morpheus, which resulted in the shutdown of nearly 600 Cobalt Strike servers used by cybercriminals to penetrate victims’ networks.

During a single week in late June, law enforcement identified known IP addresses associated with criminal activity, as well as domain names that were part of the attack infrastructure used by criminal groups.

The next step in the operation was to make the collected information available to online service providers so that they could disable unlicensed versions of the tool.

“Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated by Europol headquarters from 24 to 28 June,” Europol said.

“A total of 690 IP addresses were reported to online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed.”

Operation Morpheus involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States and was led by the UK’s National Crime Agency.

Private industry partners such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation also offered their support during this international law enforcement operation, using their advanced scanning, telemetry and analysis capabilities to help identify the Cobalt Strike servers used in cybercriminal campaigns.

This disruptive action, coordinated by Europol, is the culmination of a complex investigation that began three years ago, in 2021.

“Throughout the investigation, over 730 threat intelligence reports were shared, containing nearly 1.2 million indications of compromise,” Europol added.

“In addition, Europol’s EC3 organised over 40 coordination meetings between law enforcement authorities and private partners. During the action week, Europol set up a virtual command post to coordinate law enforcement activities around the world.”

Used in ransomware attacks and cyber espionage campaigns

In April 2023, Microsoft, Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) also announced a comprehensive legal action against servers hosting cracked copies of Cobalt Strike, one of cybercriminals’ primary hacking tools.

Cobalt Strike was released over a decade ago by Fortra (formerly Help Systems) as a legitimate commercial penetration testing tool for red teams to scan network infrastructures for security vulnerabilities. However, threat actors have obtained cracked copies of the software, making it one of the most commonly used tools for data theft and ransomware attacks.

Attackers use Cobalt Strike in the post-exploitation phase to deploy beacons that provide persistent remote access to compromised networks, which they then use to steal sensitive data or drop additional malicious payloads.

According to Microsoft, various state-sponsored threat actors and hacker groups are using cracked versions of Cobalt Strike while acting on behalf of foreign governments such as Russia, China, Vietnam and Iran.

In November 2022, the Google Cloud Threat Intelligence team also open sourced a collection of indicators of compromise (IOCs) and 165 YARA rules to help defenders detect Cobalt Strike components in their networks.
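Shared IOC lists of the kind mentioned above are only useful once they are matched against a network's own telemetry. The following Python script is an added example, not code from Europol, Google or any of the named partners: it parses a small constructed IOC feed (IPs, a CIDR range and a domain, all drawn from documentation ranges and `.example` names, so none are real indicators) and scans constructed proxy log lines for destination IPs or hostnames that hit the feed, including subdomains of a listed domain. The feed format, the log line format and the `cs-*` labels are assumptions made for the example.

```python
"""Match a constructed IOC list (IPs, CIDR ranges, domains) against proxy log lines."""
import ipaddress
import re

# Constructed IOC feed in a simple "indicator,label" format. These values are
# hypothetical (RFC 5737 documentation ranges and .example names), not real IOCs.
IOC_FEED = """\
# indicator,label
203.0.113.10,cs-teamserver
198.51.100.0/24,cs-hosting-range
beacon-updates.example,cs-c2-domain
"""

# Constructed proxy log lines (hypothetical format: key=value fields).
SAMPLE_LOGS = [
    "2024-06-25T09:12:01Z src=10.0.0.5 dst=203.0.113.10 host=203.0.113.10 uri=/updates.rss",
    "2024-06-25T09:12:07Z src=10.0.0.7 dst=192.0.2.44 host=www.example.org uri=/",
    "2024-06-25T09:13:44Z src=10.0.0.9 dst=198.51.100.77 host=cdn.beacon-updates.example uri=/ga.js",
    "2024-06-25T09:14:02Z src=10.0.0.5 dst=192.0.2.1 host=mail.example.net uri=/owa",
]

LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def parse_ioc_feed(text):
    """Split the feed into network indicators and lowercase domain indicators."""
    networks = []  # list of (ip_network, label); single IPs become /32 networks
    domains = {}   # normalised domain -> label
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator, label = (part.strip() for part in line.split(",", 1))
        try:
            networks.append((ipaddress.ip_network(indicator, strict=False), label))
        except ValueError:
            # Not an IP or CIDR, so treat it as a domain indicator.
            domains[indicator.lower().rstrip(".")] = label
    return networks, domains


def match_host(host, domains):
    """Exact or subdomain match: cdn.beacon-updates.example hits beacon-updates.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def match_line(line, networks, domains):
    """Return (indicator, label) if the line's destination IP or host hits the IOC set."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m.group("dst"))
        for net, label in networks:
            if dst in net:
                return str(net), label
    except ValueError:
        pass  # dst was not an IP address; fall through to the host check
    return match_host(m.group("host"), domains)


def scan_logs(lines, feed_text=IOC_FEED):
    """Scan every line and return (line_number, indicator, label) for each hit."""
    networks, domains = parse_ioc_feed(feed_text)
    hits = []
    for idx, line in enumerate(lines, 1):
        hit = match_line(line, networks, domains)
        if hit:
            hits.append((idx, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for idx, indicator, label in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {indicator} ({label})")
```

Two design points matter in practice: IP indicators are normalised into `ip_network` objects so that a single address and a hosting range are checked the same way, and domain indicators are matched on label boundaries, so a listed domain also catches its subdomains without false-matching a longer unrelated name that merely ends in the same characters.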