Operation Morpheus Disrupts 593 Cobalt Strike Servers Used for Ransomware


Global Operation Morpheus dismantles Cobalt Strike network: Law enforcement takes down criminal infrastructure used for ransomware and data breaches.

In a major international takedown, law enforcement and private companies joined forces to cripple a network of cybercriminals relying on Cobalt Strike. Operation Morpheus, launched three years ago, in September 2021, by Europol’s European Cybercrime Centre (EC3), targeted nearly 600 internet protocol (IP) addresses linked to malicious Cobalt Strike deployments between June 24 and June 28.

UK’s National Crime Agency (NCA), the FBI, and law enforcement agencies from Canada, Germany, the Netherlands, Poland, and Australia joined hands to dismantle the network. These include: Australian Federal Police, Royal Canadian Mounted Police, German Federal Criminal Police Office (Bundeskriminalamt), Netherlands National Police (Politie) and the Polish Central Cybercrime Bureau.

Private partners included BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. These partners used Europol’s Malware Information Sharing Platform to submit evidence and threat intelligence. The operation resulted in the sharing of over 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise.

“This disruption activity represents more than two-and-a-half years of NCA-led international law enforcement and private industry collaboration to identify, monitor and denigrate its use,” the NCA’s statement read.

Operation Morpheus involved flagging to online service providers the known IP addresses associated with criminal activity and the domain names used by criminal groups, so that the providers could disable unlicensed versions of Cobalt Strike.

Agencies targeted 690 Cobalt Strike instances held by 129 ISPs in 30 countries. The NCA’s coalition neutralized 593 malicious instances by taking down servers and notifying ISPs of the malware hosted on their networks, ensuring they took action.

Cobalt Strike, a penetration testing tool created by developer Raphael Mudge and owned by Fortra, is legitimate software, but its illegal versions have become the preferred choice for cybercriminals because of their effectiveness in deploying ransomware, stealing data, and maintaining control over compromised systems.

Illegal versions of Cobalt Strike have been used in major cyberattacks, including those by Ryuk, Trickbot, and Conti. According to Trellix’s telemetry, China hosts 43.85% of Cobalt Strike resources, with the US having a 19.08% share and the highest burden of attacks (45.04%).

The NCA’s director of threat leadership, Paul Foster, argues that illegal versions have reduced the entry barrier into cybercrime, allowing online criminals to launch damaging attacks with minimal technical expertise. Such attacks can cost companies millions in losses and recovery. This takedown disrupts these criminal operations, hindering their ability to launch attacks and extort victims.

Jake Moore, Global Cybersecurity Advisor at ESET, commented on the latest development, praising the role of law enforcement agencies and emphasizing phishing-related attacks. “The NCA’s operation working alongside international agencies proves that a collaborative approach can be fortuitous in taking down or at least displacing criminal networks making it harder for illegal activity to thrive,” said Jake.

“This is yet another reminder of the importance of being vigilant to phishing attacks as this software is designed to begin with a spear phishing email. Criminal and ethical hackers often use similar or even the same tools to test security and exploit vulnerabilities,” he explained.
