Hundreds of servers distributing a cracked, older version of Cobalt Strike to cybercriminals were taken offline by a group of law enforcement agencies led by Europol.
The EU law enforcement agency confirmed that Operation MORPHEUS took place between June 24 and 28 and its aim was to stop hackers from distributing the unlicensed version of the tool.
“The disruption does not end here,” Europol said in its announcement. “Law enforcement will continue to monitor and implement similar actions as long as criminals abuse older versions of the tool.”
Cobalt Strike is a commercial penetration testing (pentest) tool first released in 2012. It is designed to help security professionals simulate advanced persistent threats (APTs) in a network environment so they can test and improve their organization’s defenses against sophisticated cyberattacks. Features such as covert command and control, post-exploitation capabilities and team collaboration quickly made it a popular choice for red team operations and adversary emulation.
However, those same capabilities have made it attractive to malicious actors, who have obtained the tool through cracked builds or stolen licenses and used it in real-world attacks. Today, Cobalt Strike is widely used by both cybercriminals and state threat actors for malware distribution, espionage and ransomware operations. A product originally intended for authorized security assessments has become a staple of attackers looking to exploit vulnerabilities in their targets’ systems while evading detection.
Operation Morpheus, Europol further explained, is the culmination of an investigation that began in 2021.
The law enforcement agency worked with its counterparts in Australia, Canada, Germany, the Netherlands, Poland, the UK, the US, Bulgaria, Estonia, Finland, Lithuania, Japan and South Korea to target a total of 690 IP addresses in 27 countries. At the end of the operation, 593 of the addresses were offline.
In addition to the police, numerous private companies also participated in Operation MORPHEUS, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation, which helped with improved scanning, telemetry and analysis capabilities.