Law enforcement agencies from around the world have teamed up with private companies to dismantle infrastructure run by cybercriminals relying on cracked copies of the Cobalt Strike red-team tool. The joint effort, known as Operation Morpheus, was initiated by Europol's European Cybercrime Centre (EC3) in September 2021 and culminated in an action week between 24 and 28 June 2024 aimed at disrupting nearly 600 IP addresses hosting malicious Cobalt Strike deployments.
The collaboration involved the UK's National Crime Agency (NCA), the FBI, and law enforcement bodies from Canada, Germany, the Netherlands, Poland, and Australia. Private partners BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation contributed evidence and threat intelligence through Europol's Malware Information Sharing Platform (MISP). Overall, the operation gathered more than 730 pieces of threat intelligence and close to 1.2 million indicators of compromise.
According to a statement from the NCA, this coordinated effort spanned more than two-and-a-half years of international collaboration between law enforcement agencies and private industry partners to identify, monitor, and impair the use of Cobalt Strike by cybercriminals.
The primary objective of Operation Morpheus was to identify known IP addresses and domains linked to criminal activity and flag them to the online service providers hosting them, so that unlicensed Cobalt Strike servers could be taken offline. Licensed copies of the tool were not the target. As part of the operation, authorities identified 690 Cobalt Strike instances hosted by 129 Internet Service Providers (ISPs) in 30 countries. The coalition led by the NCA neutralized 593 of them by the end of the action week, either by taking down servers directly or by alerting the ISPs that they were hosting malware and prompting them to act.
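The flagged servers were identified by matching infrastructure against the indicators of compromise the partners pooled. The script below is an added illustration of the defender-side counterpart of that process, not code from Operation Morpheus or any of the named partners: it loads a small IoC feed of IP addresses, CIDR ranges and domains and checks constructed proxy log lines against it, matching parent domains as well as exact hosts. The feed format ("type,value" lines), the log layout and every address, domain and timestamp are made up for the example.

```python
"""Match a constructed IoC feed against constructed proxy log lines.

Added example, not code from Operation Morpheus or its partners.
All indicator values and log lines are invented (RFC 5737/.test ranges).
"""
import ipaddress

# Constructed IoC feed, hypothetical "type,value" format.
IOC_FEED = """\
# type,value
ip,198.51.100.23
ip,203.0.113.0/24
domain,updates.example-cdn.test
domain,cobalt.example.test
"""

# Constructed proxy log: timestamp client dest_host dest_ip uri
PROXY_LOG = """\
2024-06-25T10:01:02Z 10.0.0.5 updates.example-cdn.test 198.51.100.23 /ga.js
2024-06-25T10:01:09Z 10.0.0.5 www.example.org 192.0.2.10 /index.html
2024-06-25T10:02:00Z 10.0.0.7 cdn.example.net 203.0.113.77 /jquery-3.3.1.min.js
2024-06-25T10:05:44Z 10.0.0.9 beacon.cobalt.example.test 192.0.2.44 /submit.php
"""


def parse_iocs(feed):
    """Split the feed into exact IPs, CIDR networks and lowercase domains."""
    ips, nets, domains = set(), [], set()
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        value = value.strip()
        if kind == "ip":
            if "/" in value:
                nets.append(ipaddress.ip_network(value, strict=False))
            else:
                ips.add(ipaddress.ip_address(value))
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    return ips, nets, domains


def domain_matches(host, domains):
    """True if the host or any of its parent domains is in the feed."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def find_hits(feed, log):
    """Return one record per log line whose destination matches the feed."""
    ips, nets, domains = parse_iocs(feed)
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, host, dest_ip, uri = fields[:5]
        try:
            addr = ipaddress.ip_address(dest_ip)
        except ValueError:
            continue
        reasons = []
        if addr in ips or any(addr in net for net in nets):
            reasons.append("ip")
        if domain_matches(host, domains):
            reasons.append("domain")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host,
                         "dest_ip": dest_ip, "uri": uri, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hits(IOC_FEED, PROXY_LOG):
        print(hit)
```

Matching on both the resolved IP and the requested hostname matters because a Cobalt Strike team server is often fronted by a redirector or CDN domain, so a log line can hit on one indicator type and not the other. In production the feed would come from a shared platform such as MISP rather than an inline string, and hits would be enriched with the asset owner before any response.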
Cobalt Strike, created by Raphael Mudge as a commercial red-team and adversary-simulation tool and now owned by Fortra, is abused by cybercriminals because its Beacon implant gives them remote command and control of compromised systems, a channel for exfiltrating data, and a staging point for deploying ransomware. Cracked copies of the tool have featured in several high-profile campaigns, including those run by the Ryuk, Trickbot, and Conti operators. According to data from Trellix, China hosts the majority of Cobalt Strike resources, while the US bears the highest burden of attacks.
Paul Foster, the NCA's director of threat leadership, highlighted how the availability of cracked versions of Cobalt Strike has lowered the barrier to entry for cybercrime, allowing even less technically skilled individuals to launch impactful attacks that can result in significant financial losses for targeted organizations. The takedown is expected to disrupt criminal operations, impeding their ability to carry out attacks and extort victims.
Cybersecurity experts such as Jake Moore, Global Cybersecurity Advisor at ESET, commended the collaborative efforts of law enforcement agencies and stressed the importance of vigilance against phishing. Moore emphasized the critical role of phishing emails in delivering Cobalt Strike and highlighted the significance of a unified approach in combating criminal networks.
The dismantling of this Cobalt Strike infrastructure through Operation Morpheus underscores the value of international cooperation and proactive measures against cybercrime. The operation is a significant blow to cybercriminals relying on cracked versions of the tool, making it harder for them to operate. It is not a permanent fix, however: cracked builds remain in circulation and operators can stand up new servers, so defenders should continue to monitor for Beacon command-and-control traffic and the phishing lures that typically deliver it.