
Europol and law enforcement authorities prevent illegal use of Cobalt Strike

IP addresses associated with unlicensed versions of the software were removed in a coordinated action.

Law enforcement authorities have taken action against the use of the Cobalt Strike tool because it was used to penetrate victims’ IT systems.

Europol has flagged a number of IP addresses linked to criminal activity, as well as a number of domain names used by criminal groups, to allow online service providers to disable unlicensed versions of the tool, according to a statement.

This resulted in 690 IP addresses being reported to online service providers in 27 countries and 593 of these addresses being removed.

According to the UK’s National Crime Agency, unlicensed versions of Cobalt Strike have been used over the past decade and illegal versions of Cobalt Strike have been found to be in use in some of the largest cyber incidents in recent times.

Its use has also been identified in several malware and ransomware investigations, including the RYUK, Trickbot and Conti attacks.

The attack

According to the NCA, cybercriminals deliver unlicensed versions of Cobalt Strike via spear phishing or spam emails designed to trick the victim into clicking on links or opening malicious attachments.

When a victim opens the link or document, a Cobalt Strike “beacon” is installed to grant the threat actor remote access to profile the infected host, download malware or ransomware, and steal data to then extort the victim.

Paul Foster, Director of Threat Leadership at the NCA, said: “Although Cobalt Strike is legitimate software, unfortunately cybercriminals have abused it for nefarious purposes.

“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks with little or no technical expertise.”

Years of takedowns

Concluding Operation MORPHEUS – an NCA-led investigation involving law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States – Europol said its European Cybercrime Centre (EC3) has supported the case since September 2021, providing analytical and forensic support and facilitating information sharing among all partners. Law enforcement agencies used the Malware Information Sharing Platform (MISP) to share threat intelligence in real time.

Throughout the investigation, over 730 threat intelligence reports were shared, containing nearly 1.2 million indicators of compromise.

Foster went on to say that international disruptions like this are the most effective way to stop the most damaging cybercriminals by depriving them of the tools and services on which their operations are based.

“I would urge any companies that may have been victims of cybercrime to come forward and report such incidents to law enforcement,” he said.

Behind the strike

Cobalt Strike is provided by cybersecurity software company Fortra and is designed to help legitimate IT security professionals conduct attack simulations to identify vulnerabilities in security operations and incident response.

Fortra said the company has taken significant steps to prevent misuse of its software and has cooperated with law enforcement throughout the investigation to protect legitimate uses of its tools.

Written by

Daniel Raywood
Editor-in-Chief
SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years’ experience, specialising in cybersecurity for the past 15. He has covered topics extensively from advanced persistent threats and government hackers to major data breaches and regulatory changes. In his spare time, Dan enjoys supporting Tottenham Hotspur, looking after mischievous cats and sampling craft beers.