Nearly 600 IP addresses were recently taken offline during an international police operation. The operation involved the national police forces of several European countries as well as Europol. The addresses were being used to distribute illegal versions of the Cobalt Strike penetration-testing tool.
During the so-called Operation Morpheus, led by the UK National Crime Agency, international police forces identified 690 IP addresses, traced to internet service providers in 27 countries, that were distributing potentially illegal versions of the Cobalt Strike penetration-testing tool. Following the police action, 593 of these IP addresses were taken offline.
In addition to the British National Crime Agency, police organizations from the United States, Canada, Australia, Germany, Poland, and the Netherlands participated. The investigation received support from other authorities from Bulgaria, Estonia, Lithuania, Finland, Japan, and South Korea. Europol coordinated the international action overall.
Cooperation with private parties
The investigative agencies also cooperated with private entities such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These private parties were given access to a Europol-managed malware information-sharing platform for exchanging real-time threat intelligence with the various police organizations. Throughout the investigation, the organizations used it to share 730 pieces of threat intelligence, pointing to nearly 1.2 million malicious indicators.
Europol said in a statement that more actions will follow this operation. The international police organization will continue to monitor the illegal spread of Cobalt Strike and take action again when necessary.
Legitimate tool that is often abused
Cobalt Strike is a legitimate penetration-testing tool from Fortra. Among other things, it lets an operator send commands from a remote server, which can be controlled by a third party, to infected systems, which then execute them.
A license for the tool is not cheap: 5,900 dollars (about 5,460 euros). All buyers are screened before they get access. Still, many old, leaked, and cracked versions of the tool are in circulation, and hackers abuse them widely.
For example, the tool is very popular in ransomware attacks and appears in them more and more often. Hackers also use it to maintain persistent access to compromised infrastructure, for instance to "harvest" sensitive data.