Hundreds of servers with Cobalt Strike links taken offline in major police operation
Hundreds of servers that were serving a cracked, older version of Cobalt Strike to cybercriminals have been taken offline by a collaboration of law enforcement agencies led by Europol.
The EU law enforcement agency confirmed Operation MORPHEUS took place between June 24 and 28 and aimed to disrupt the distribution of the illegal version of the tool by hackers.
“The disruption does not stop here,” Europol said in its announcement. “Law enforcement will continue to monitor and carry out similar actions as long as criminals continue to abuse older versions of the tool.”
Cobalt Strike is a commercial penetration testing (pentesting) tool first released in 2012. It is designed to help security professionals simulate advanced persistent threats (APTs) in a networked environment, allowing them to test and improve their organization’s defenses against sophisticated cyberattacks. The tool offers features such as covert command and control, post-exploitation capabilities, and collaboration functionalities, which quickly made it a popular choice for red team operations and adversary emulation.
However, the same features also made it attractive to malicious actors. Attackers have obtained the tool through cracked versions or stolen licenses and used it in real intrusions. Today, Cobalt Strike is frequently used by cybercriminals and nation-state threat actors to deliver malware and to run espionage and ransomware operations. Originally intended for security assessments, the tool’s command-and-control and post-exploitation capabilities give attackers a ready-made way to maintain access to compromised networks, move laterally, and evade detection.
Operation MORPHEUS, Europol further explained, was the culmination of an investigation that had already begun in 2021.
The law enforcement agency worked with counterparts in Australia, Canada, Germany, the Netherlands, Poland, the UK, the US, Bulgaria, Estonia, Finland, Lithuania, Japan and South Korea to target a total of 690 IP addresses in 27 countries. By the end of the operation, 593 of the addresses had been taken offline.
In addition to the police, a number of private companies participated in Operation MORPHEUS, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. They helped with enhanced scanning, telemetry and analysis capabilities.