
International police operation deletes hundreds of Cobalt Strike IP addresses

Almost 600 IP addresses were recently taken offline in an international police operation involving national police forces from several European countries and Europol. The addresses were used to distribute illegal versions of the Cobalt Strike penetration tool.

During the so-called Operation Morpheus, led by the UK’s National Crime Agency, international police forces identified 690 IP addresses at Internet service providers in 27 countries that were distributing potentially illegal versions of the Cobalt Strike penetration tool. Following the police operation, 593 of these IP addresses were actually taken offline.

In addition to the British National Crime Agency, police organizations from the USA, Canada, Australia, Germany, Poland and the Netherlands were also involved. The investigation was supported by other authorities from Bulgaria, Estonia, Lithuania, Finland, Japan and South Korea. Europol coordinated the international operation as a whole.

Cooperation with private parties

In addition, the investigating authorities worked with private companies such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These private parties were given access to a malware intelligence sharing platform managed by Europol, allowing them to share threat intelligence in real time with the various police agencies. During the investigation, the authorities used this platform to share 730 pieces of threat intelligence that pointed to nearly 1.2 million malicious indicators.

Europol said in a statement that further measures will follow this operation. The international police organization will continue to monitor the illegal distribution of Cobalt Strike and take further action if necessary.

Cobalt Strike is a legitimate penetration testing tool from Fortra. Among other things, it allows infected systems to execute remote commands originating from a remote server that can be controlled by third parties.

A license for the penetration testing tool is not cheap: $5,900. All buyers are verified before being granted access. Nevertheless, many old, leaked and cracked versions of the tool are in circulation, and hackers abuse them on a large scale.

The tool is very popular in ransomware attacks, for example, and is appearing more and more frequently. Hackers also use the tool to maintain persistent access to affected infrastructures, for example to “harvest” sensitive data.