Cobalt Strike server disrupted in major cybercrime operation

The week-long purge, codenamed “Operation MORPHEUS,” targeted unlicensed versions of a legitimate security tool called Cobalt Strike.

Cobalt Strike is a penetration testing tool used by ethical hackers to simulate cyberattacks and identify vulnerabilities in computer systems, but it has become a weapon of choice for cybercriminals because of its ability to provide persistent remote access to compromised systems.

Cybercriminals deliver unlicensed, cracked versions of Cobalt Strike through spear phishing or spam emails designed to trick victims into clicking links or opening malicious attachments.

Once the victim clicks the link or opens the document, a Cobalt Strike “beacon” is installed, granting the attacker remote access to profile the infected host, download additional malware or ransomware, and steal data for extortion.

“Since the mid-2010s, pirated and unlicensed versions of the software downloaded by criminals from illicit marketplaces and the dark web have gained a reputation as the preferred network intrusion tool for those planning a cyberattack, as they enable them to deploy ransomware quickly and on a large scale,” the NCA said.

Fortra, the developer of Cobalt Strike, has taken steps to prevent misuse of its software and worked with law enforcement throughout Operation Morpheus to protect legitimate uses of its tools.

Operation Morpheus was launched in 2021. Over the three-year period, law enforcement shared over 730 threat intelligence alerts containing nearly 1.2 million indicators of compromise (IOCs).

“Over the course of the week, law enforcement authorities have flagged known IP addresses associated with criminal activity, as well as a number of domain names used by criminal groups, to enable online service providers to disable unlicensed versions of the tool,” Europol said.

“A total of 690 IP addresses were reported to online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed.”

Europol’s European Cybercrime Centre (EC3) played a key role in the operation, facilitating communication and information sharing between law enforcement agencies in Australia, Canada, Germany, Poland, the United Kingdom, the Netherlands and the United States.

EC3 organized over 40 coordination meetings and set up a virtual command center during the takedown period to ensure a global, synchronized approach.

The success of Operation Morpheus was based on collaboration with the private sector. Companies such as BAE Systems Digital Intelligence, Spamhaus, Trellix, abuse.ch and The Shadowserver Foundation provided invaluable assistance. Their expertise in threat detection and analysis helped identify malicious activity related to Cobalt Strike.

Paul Foster, director of threat leadership at the NCA, said illegal versions of Cobalt Strike had “helped lower the barriers to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks with little or no technical expertise.”

“Such attacks can cost companies millions in losses and recovery points.”

This shutdown is not the first attempt to curb abuse of Cobalt Strike.

In April 2023, Microsoft, Fortra and the US Health Information Sharing and Analysis Center (Health-ISAC) launched a legal offensive against servers hosting cracked copies of the software.

In November 2022, Google open sourced a collection of IOCs and 165 YARA rules to help defenders detect Cobalt Strike components in their networks.