
Operation Morpheus shuts down 593 Cobalt Strike servers used for ransomware


Global Operation Morpheus dismantles the Cobalt Strike network: Law enforcement agencies destroy the criminal infrastructure used for ransomware and data breaches.

In a large-scale international operation, law enforcement agencies and private companies have joined forces to dismantle a network of cybercriminals that relies on Cobalt Strike. Operation Morpheus, launched three years ago in September 2021 by Europol’s European Cybercrime Centre (EC3), targeted nearly 600 Internet Protocol (IP) addresses associated with malicious Cobalt Strike operations between June 24 and 28.

The UK’s National Crime Agency (NCA), the FBI, and law enforcement agencies from Canada, Germany, the Netherlands, Poland, and Australia took part in the takedown. These include the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Criminal Police Office, the Dutch National Police (Politie), and the Polish Central Bureau for Cybercrime.

Private partners included BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These partners used Europol’s Malware Information Sharing Platform (MISP) to submit evidence and threat intelligence. Over the course of the operation, more than 730 pieces of threat intelligence and nearly 1.2 million indicators of attack were shared.

“These disruptive measures are the result of more than two and a half years of collaboration between the NCA and international law enforcement agencies and the private sector to identify, monitor and denounce their use,” the NCA statement said.

Operation Morpheus involved asking online service providers to disable unlicensed versions of Cobalt Strike associated with criminal activity, along with the domain names used by the criminal groups operating them.

Authorities targeted 690 Cobalt Strike instances operated by 129 ISPs in 30 countries. The NCA coalition neutralized 593 malicious instances by taking down servers and notifying ISPs hosting the malware to ensure they take action.

While Cobalt Strike, a penetration testing tool developed by Raphael Mudge and owned by Fortra, is legitimate software, its illegal versions have become the preferred choice among cybercriminals due to their ability to effectively deploy ransomware, steal data, and maintain control over compromised systems.

Illicit versions of Cobalt Strike have been used in major cyberattacks, including those by Ryuk, Trickbot, and Conti. According to Trellix telemetry, China hosts 43.85% of Cobalt Strike resources, while the US has a 19.08% share and the highest attack load (45.04%).

Paul Foster, the NCA’s head of threats, argues that illegal versions have lowered the barriers to entry for cybercrime, as online criminals can launch malicious attacks with minimal technical expertise. Such attacks can cost businesses millions in losses and recovery efforts. This shutdown disrupts these criminal activities and hampers their ability to launch attacks and extort victims.

Jake Moore, Global Cybersecurity Advisor at ESET, commented on the latest development, praising the role of law enforcement and highlighting phishing-related attacks. “The NCA’s collaboration with international authorities proves that a collaborative approach can help dismantle or at least displace criminal networks, making it harder for illegal activities to thrive,” Jake said.

“This is another reminder of the importance of being vigilant against phishing attacks, as this software is designed to start with a spear phishing email. Criminals and ethical hackers often use similar or even the same tools to test security and exploit vulnerabilities,” he explained.
