
Europol blocks almost 600 IP addresses as part of the cybercrime campaign “Cobalt Strike”

As part of a concerted effort to combat cybercrime that abuses the Cobalt Strike security tool, Europol and its partners have taken down nearly 600 IP addresses. The operation, dubbed Operation MORPHEUS, took place between June 24 and 28 and targeted older, unlicensed versions of the tool, which are frequently used in criminal activity.

“Throughout the week, law enforcement authorities flagged known IP addresses associated with criminal activity, as well as a number of domain names used by criminal groups, to enable online service providers to disable unlicensed versions of the tool. In total, 690 IP addresses were flagged for online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed,” Europol said in a statement.

Operation MORPHEUS was primarily led by the UK’s National Crime Agency (NCA) and included key contributions from agencies in Australia, Canada, Germany, the Netherlands, Poland and the United States. Europol’s European Cybercrime Centre (EC3) also played a role in coordinating international efforts and liaising with private sector partners.

Paul Foster, Threat Leadership Director at the NCA, said that while Cobalt Strike was legitimate software, cybercriminals were abusing it for “nefarious purposes.”

He added: “Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals with little to no technical expertise to launch damaging ransomware and malware attacks. Such attacks can cost businesses millions in losses and recovery.

“I would urge any companies that may have been victims of cybercrime to come forward and report such incidents to law enforcement.”

What is a Cobalt Strike attack?

Cobalt Strike, now owned by Fortra, is a legitimate and widely used security tool built for adversary simulation: red teams and IT security professionals use it to emulate real attacker tradecraft and uncover weaknesses before a real intruder does. In the hands of cybercriminals the same capabilities serve actual intrusions. Cracked copies of older versions have reportedly been used in several high-profile malware and ransomware cases, including those involving Ryuk, Trickbot and Conti.

To counter this threat, Fortra has been working with law enforcement to protect the legitimate use of its software. “Fortra has taken significant steps to prevent the misuse of its software and has worked with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol said.

The operation was successful thanks to the collaboration of private industry partners such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. The partners provided scanning, telemetry and analysis tools to identify and contain the malicious use of Cobalt Strike.

Europol’s EC3 has supported this project since its launch in September 2021, providing analytical and forensic support. The Malware Information Sharing Platform (MISP) has also been used extensively, with over 730 pieces of threat intelligence shared, containing nearly 1.2 million indicators of compromise.

This coordinated action is part of a broader strategy enabled by the amended Europol Regulation, which strengthens Europol’s ability to support EU Member States by fostering cooperation with the private sector. This strategic approach has significantly increased the resilience of Europe’s digital ecosystem against cyber threats.

Featured image: Ideogram