Nearly 600 IP addresses have been taken down in a Europol-coordinated effort to tackle cybercrime involving the misuse of the Cobalt Strike security tool. The operation, dubbed Operation MORPHEUS, took place between June 24 and June 28 and targeted older, unlicensed versions of the tool commonly used in criminal activity.
“Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool. A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down,” Europol said in a statement.
⚠️ Law enforcement teamed up with the private sector to stop criminals abusing Cobalt Strike to carry out attacks.
An action led by @NCA_UK & coordinated from Europol HQ resulted in the takedown of 593 IP addresses linked to criminal activity.
— Europol (@Europol) July 3, 2024
Operation MORPHEUS was mainly led by the UK’s National Crime Agency (NCA) and involved major contributions from authorities across Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol’s European Cybercrime Centre (EC3) also played a role in coordinating international efforts and liaising with private sector partners.
The NCA has coordinated global action against illicit software which has been used by cybercriminals for over a decade to infiltrate victims’ IT systems and conduct attacks.
— National Crime Agency (NCA) (@NCA_UK) July 3, 2024
Paul Foster, the NCA’s threat leadership director, said that although Cobalt Strike is a legitimate piece of software, cybercriminals have been exploiting its use for “nefarious purposes”.
He added: “Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.
“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”
What is a Cobalt Strike attack?
Cobalt Strike, developed by Fortra, is a legitimate and widely used cybersecurity tool designed to help IT security professionals perform attack simulations to uncover vulnerabilities. In the hands of cybercriminals, however, it can be turned to malicious use. Reports suggest that cracked copies of older versions have been used in several high-profile malware and ransomware cases, including Ryuk, Trickbot, and Conti.
We’ve partnered with Europol, the UK National Crime Agency, and several other private partners to protect the legitimate use of Cobalt Strike.
— Fortra (@fortraofficial) July 3, 2024
To counteract this threat, Fortra has collaborated with law enforcement to safeguard the legitimate usage of its software. “Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.
The operation was said to be successful due to the cooperation of private industry partners such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. The partners provided scanning, telemetry, and analytical tools to identify and curb the malicious use of Cobalt Strike.
Europol’s EC3 has supported this project since it was launched in September 2021, providing analytical and forensic assistance. The Malware Information Sharing Platform was also used extensively, with over 730 threat intelligence pieces shared, containing almost 1.2 million indicators of compromise.
This coordinated crackdown is part of a broader strategy enabled by Europol’s amended Regulation, which strengthens its ability to support EU Member States by fostering cooperation with the private sector. This strategic approach has significantly enhanced the resilience of Europe’s digital ecosystem against cyber threats.