Europol has announced the successful takedown of nearly 600 servers running unlicensed versions of Cobalt Strike, a commercial attack-simulation tool that is frequently abused by criminals. The action, part of an international operation known as Operation Morpheus, was carried out between June 24 and June 28; Europol confirmed the results on Wednesday.
Cobalt Strike, developed by the cybersecurity company Fortra, is a legitimate penetration testing tool that lets security professionals simulate real attacks and identify weaknesses in their systems. Older, cracked versions of the software, however, have been used by cybercriminals to mount actual attacks, including the deployment of malware and ransomware. A single license costs $5,900 per year, which is one reason cracked copies circulate so widely.
Europol says these unlicensed versions have been linked to several high-profile malware investigations, including those into Ryuk, TrickBot and Conti.
During Operation Morpheus, law enforcement agencies identified and flagged 690 IP addresses and a number of domain names associated with criminal activity. These were passed to the online service providers hosting them, which then took down the unlicensed Cobalt Strike servers running at those addresses. By the end of the week, 593 of the 690 IP addresses had been taken offline.
In a press release, Europol emphasized the critical role of private sector partners in this operation, noting, “This novel approach is possible thanks to Europol’s amended Regulation which has strengthened the Agency’s capacity to better support EU Member States, including by collaborating with the private sector.”
Led by the British National Crime Agency (NCA), the operation brought together law enforcement agencies and private sector partners from several countries. Participating countries included Australia, Canada, Germany, the Netherlands, Poland and the United States, with Europol coordinating the effort.
Cobalt Strike is invaluable to security professionals for legitimate purposes, but it is a potent weapon in the wrong hands. Used as intended, it lets security teams simulate attacks and identify network vulnerabilities, giving a comprehensive assessment of an organization's defences. Used maliciously, the same capabilities let criminals deploy malware and ransomware, establish backdoors for persistent access, move laterally across networks and exfiltrate sensitive data. The servers targeted in Operation Morpheus are the command-and-control side of this tooling, known as the team server, which an operator uses to control compromised hosts.
The operation is a significant step toward curbing such abuse and demonstrates what international cooperation can achieve against cybercrime. It is a disruption rather than a cure, however: the takedown removed servers, not the cracked builds criminals install, so new unlicensed team servers can be stood up and this infrastructure will need to be watched for as it reappears.