
Operation Morpheus: Europol conducts global raid and dismantles 593 criminal Cobalt Strike servers


Europol announced on Wednesday a coordinated global operation called Operation Morpheus against the criminal abuse of Cobalt Strike. The agency reported the dismantling of 593 Cobalt Strike servers that were being used for criminal purposes. The operation saw law enforcement and the private sector working together to combat the abuse of this legitimate red teaming tool that criminals were using to penetrate victims’ IT systems.

“Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated by Europol HQ from 24 to 28 June,” Europol said in a statement. “Throughout the week, law enforcement agencies flagged known IP addresses associated with criminal activity, as well as a number of domain names used by criminal groups, to enable online service providers to disable unlicensed versions of the tool. In total, 690 IP addresses were flagged for online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed.”

Europol added: “The disruptions do not end here. Law enforcement will continue to monitor and carry out similar actions as long as criminals abuse older versions of the tool.”

The agency stressed that cooperation with the private sector was crucial to the success of this disruptive operation. “A number of private sector partners supported the operation, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and the Shadowserver Foundation. These partners deployed enhanced scanning, telemetry and analysis capabilities to identify malicious activities and their use by cybercriminals,” it continued.

“This novel approach is possible thanks to Europol’s amended regulation, which has strengthened the agency’s ability to better support EU Member States, including through cooperation with the private sector,” Europol said. “Through this novel approach, Europol can access real-time threat intelligence and gain a broader perspective on cybercriminals’ tactics. This partnership enables a more coordinated and comprehensive response and ultimately improves the overall resilience of the digital ecosystem across Europe.”

This investigation, known as Operation Morpheus, was led by the UK’s National Crime Agency and involved law enforcement agencies in Australia, Canada, Germany, the Netherlands, Poland and the United States. Europol coordinated the international effort and facilitated communications with private partners. The operation represents the culmination of a complex investigation that began in 2021 and resulted in a significant disruption of criminal activity.

Europol’s European Cybercrime Centre (EC3) has been supporting this case since September 2021, providing analytical and forensic support and facilitating information sharing between partners.

Europol explained that law enforcement used the Malware Information Sharing Platform (MISP) to let the private sector share threat intelligence with law enforcement in real time. During the investigation, over 730 pieces of threat intelligence were exchanged, containing nearly 1.2 million indicators of compromise.
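Indicators shared through a platform like MISP are only useful to a defender once they are matched against local telemetry. The following is an added example, written for this article and not code from Europol, Fortra or the MISP project, showing how an organisation receiving flagged IP addresses and domains could check them against its proxy logs. The MISP-style event export (using MISP's real attribute types `ip-dst` and `domain` and its `to_ids` flag) and the proxy log lines are constructed sample data with reserved documentation ranges and invented hostnames, not indicators from Operation Morpheus.

```python
"""
Added example (not from the article, Europol, Fortra or MISP): a small
indicator-of-compromise matcher of the kind a network defender might run
after receiving flagged IP addresses and domains through MISP.  The event
export and proxy log below are constructed sample data.
"""
import ipaddress
import json
import re
from typing import Iterable

# Constructed MISP-style event export.  Attribute types ip-dst and domain
# and the to_ids flag are real MISP fields; the values are invented and use
# documentation (RFC 5737) address ranges.
SAMPLE_MISP_EVENT = json.dumps({
    "Event": {
        "info": "constructed sample: flagged command-and-control infrastructure",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.0/24", "to_ids": True},
            {"type": "domain", "value": "updates.example.invalid", "to_ids": True},
            {"type": "comment", "value": "not an indicator", "to_ids": False},
        ],
    }
})

# Constructed proxy log: timestamp, client IP, destination host, destination IP.
SAMPLE_PROXY_LOG = """\
2024-06-25T10:01:02Z 10.0.0.5 www.example.com 93.184.216.34
2024-06-25T10:01:09Z 10.0.0.7 updates.example.invalid 203.0.113.45
2024-06-25T10:02:44Z 10.0.0.9 cdn.example.org 198.51.100.77
2024-06-25T10:03:10Z 10.0.0.5 mail.example.com 192.0.2.10
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


class IocSet:
    """Indicator set built from a MISP event export."""

    def __init__(self, event_json: str):
        self.networks = []      # ip_network objects; a single IP becomes a /32
        self.domains = set()    # normalised domain names
        for attr in json.loads(event_json)["Event"]["Attribute"]:
            if not attr.get("to_ids"):
                continue        # MISP marks detection-worthy attributes with to_ids
            if attr["type"] == "ip-dst":
                self.networks.append(ipaddress.ip_network(attr["value"], strict=False))
            elif attr["type"] == "domain":
                self.domains.add(attr["value"].lower().rstrip("."))

    def matches_ip(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False        # malformed field in the log, not a match
        return any(addr in net for net in self.networks)

    def matches_domain(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # exact match or any subdomain of a flagged domain
        return any(host == d or host.endswith("." + d) for d in self.domains)


def scan_proxy_log(lines: Iterable[str], iocs: IocSet) -> list[dict]:
    """Return one hit per log line whose destination matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue            # skip lines that do not fit the expected format
        ts, client, host, dst_ip = m.groups()
        reasons = []
        if iocs.matches_domain(host):
            reasons.append(f"domain:{host}")
        if iocs.matches_ip(dst_ip):
            reasons.append(f"ip:{dst_ip}")
        if reasons:
            hits.append({"time": ts, "client": client, "reasons": reasons})
    return hits


def run_sample() -> list[dict]:
    """Match the constructed log against the constructed indicator set."""
    return scan_proxy_log(SAMPLE_PROXY_LOG.splitlines(), IocSet(SAMPLE_MISP_EVENT))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

On the sample data the scan reports two internal clients: one that resolved a flagged domain and connected to a flagged address, and one that connected to an address inside a flagged /24. Network indicators of this kind age quickly once infrastructure is taken down, so a hit should be read as a lead for triage rather than proof of compromise, and the indicator set should be refreshed as new feeds arrive.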

In addition, Europol’s EC3 organised over 40 coordination meetings between law enforcement authorities and private partners. During the action week, Europol set up a virtual command post to coordinate law enforcement activities worldwide.

The following authorities were also involved in the investigation: the Australian Federal Police (AFP), the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office, the Dutch National Police (Politie), the Polish Central Bureau of Cybercrime (Centralne Biuro Zwalczania Cyberprzestępczości), the British National Crime Agency (NCA), and the US Department of Justice and the Federal Bureau of Investigation (FBI).

Authorities from Bulgaria, Estonia, Finland, Lithuania, Japan and South Korea also participated in the disruption efforts of Operation Morpheus.

Cobalt Strike is a commercial tool from cybersecurity software company Fortra. It is designed to help legitimate IT security professionals run attack simulations that identify vulnerabilities in security operations and incident response. However, in the wrong hands, unlicensed copies of Cobalt Strike can provide a malicious actor with various attack opportunities.

The agency mentioned that Fortra has taken significant steps to prevent misuse of its software and has cooperated with law enforcement during this investigation to protect legitimate uses of its tools. “However, in rare cases, criminals have stolen older versions of Cobalt Strike and created cracked copies to gain access to machines via backdoors and install malware. Such unlicensed versions of the tool have been linked to several malware and ransomware investigations, including those on RYUK, Trickbot, and Conti,” it added.

Last February, seven Russian cybercriminals were sanctioned by the UK and US authorities as part of the first wave of new coordinated action against international cybercrime. These hackers are part of the Russia-based cybercrime group Trickbot and are linked to developing or deploying a number of ransomware variants that targeted critical infrastructure such as hospitals and medical facilities in both the US and UK during a global pandemic.

Europol, together with several international law enforcement agencies, coordinated a large-scale operation against the Ragnar Locker ransomware group in October last year, which led to the arrest of its main developer in Paris and actions in countries such as the Czech Republic, Spain and Latvia. In addition, the group’s infrastructure was destroyed in the Netherlands, Germany and Sweden and its Tor data leak site was shut down after a comprehensive investigation in several countries.