In a coordinated takedown, law enforcement and cybersecurity firms joined forces to cripple cybercriminals‘ misuse of a legitimate security tool – Cobalt Strike. The week-long operation, codenamed MORPHEUS and spearheaded by UK’s National Crime Agency, targeted unlicensed versions of Cobalt Strike used to infiltrate victim networks.
Europol, which helped coordinate the operation involving authorities from six other countries, said a total of 690 IP addresses linked to criminal activity were flagged. By the end of the week, over 85% (593) of these addresses associated with unlicensed Cobalt Strike instances were disabled by internet service providers (ISPs) in 27 countries.
Cobalt Strike: Double-Edged Sword
Cobalt Strike, a commercially available tool by Fortra, is used by ethical hackers for penetration testing – simulating cyberattacks to identify vulnerabilities in a network’s defenses. However, in the hands of malicious actors, unlicensed versions of Cobalt Strike transform into a powerful weapon.
“Since the mid 2010’s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyberattack, allowing them to deploy ransomware at speed and at scale.” – UK’s NCA
Cybercriminals typically deploy Cobalt Strike through spear phishing emails, tricking victims into clicking malicious links or opening infected attachments. Once a victim clicks, a “Beacon” is installed, granting the attacker remote access to the compromised system. This access allows them to steal data, through infostealers, or launch further attacks.
Criminals also exploit these cracked copies to establish backdoors on compromised systems, and deploy malware. Notably, investigations into ransomware strains like Ryuk, Trickbot, and Conti have linked them to the use of unlicensed Cobalt Strike, Europol said.
Paul Foster, director of threat leadership at the National Crime Agency, said, “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes. Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.
Many cybercriminals rely heavily on Cobalt Strike for its advanced features, including payload delivery, evasion techniques, and ease of use, said private industry partner Trellix, who was part of the investigation. “The takedown of this infrastructure disrupts their operations, forcing them to reconsider their reliance on Cobalt Strike. This increased risk and operational difficulty can slow down their activities, reduce the efficiency of their attacks, and increase their overall operational risks,” Trellix said.
According to Trellix’s telemetry on the global distribution of Cobalt Strike infrastructure, China (43.85%) and the United States (19.08%) host the majority of these servers, whereas, the latter followed by India is the most targeted nation when it comes to cobalt strike attacks.
Foster warned that such attacks could cost companies millions in terms of losses and recovery.
Public-Private Partnership: A Winning Formula
The success of Operation MORPHEUS hinges on the unprecedented cooperation between law enforcement and the private sector. Key industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, and The Shadowserver Foundation provided crucial support. Their expertise in threat intelligence, network scanning, and data analysis proved instrumental in identifying malicious activities and pinpointing cybercriminal infrastructure.
This collaboration is a direct consequence of Europol’s recent regulatory amendments, empowering the agency to work more effectively with private entities. This novel approach grants Europol access to real-time threat intelligence and a broader understanding of cybercriminal tactics. This translates to a more coordinated and comprehensive response, ultimately strengthening the overall cybersecurity posture across Europe.
Europol’s European Cybercrime Centre (EC3) played a pivotal role throughout the investigation, offering analytical and forensic support while facilitating seamless information exchange between all partners, while the FBI, Australian Federal Police, and other national agencies provided critical support.
Over the past two and a half years, law enforcement utilized the Malware Information Sharing Platform (MISP) to facilitate real-time threat intelligence sharing with the private sector. Nearly 730 intelligence reports containing almost 1.2 million indicators of compromise (IOCs) were exchanged during the investigation. Additionally, EC3 organized over 40 coordination meetings to ensure smooth collaboration between law enforcement and private partners. Europol even established a virtual command post during the takedown week to coordinate global law enforcement activities.
The Fight Continues
While Operation MORPHEUS represents a significant victory, the war against cybercrime is far from over. Law enforcement agencies remain vigilant, prepared to conduct similar disruptive actions as long as criminals continue to exploit vulnerabilities in legitimate security tools.
Fortra, the developer of Cobalt Strike, has also released a new version with enhanced security measures and is committed to working with law enforcement to remove older, vulnerable versions from circulation.
*Update July 4, at 3:15 AM: Added details from Trellix.
