Europol and Law Enforcement Take Down Illegitimate Uses of Cobalt Strike

IP addresses serving unlicensed versions of the software were taken down in a coordinated effort.

Law enforcement has taken action against the use of the Cobalt Strike tool, where it was being used to infiltrate victims’ IT systems.

According to a statement by Europol, it flagged a number of IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, to online service providers so that unlicensed versions of the tool could be disabled.

This led to 690 IP addresses being flagged to online service providers in 27 countries, and 593 of these addresses being taken down.

According to the UK’s National Crime Agency, unlicensed versions of Cobalt Strike have been used over the past decade, and illicit versions of Cobalt Strike have been identified as being used in some of the biggest cyber incidents in recent times.

Its use has also been identified in multiple malware and ransomware investigations including those into RYUK, Trickbot and Conti attacks.

The Attack

The NCA said that in these attacks, cybercriminals deploy unlicensed versions of Cobalt Strike via spear phishing or spam emails, which attempt to get a target to click on links or open malicious attachments.

When a victim opens the link or document, a Cobalt Strike ‘Beacon’ is installed to give the threat actor remote access, enabling them to profile the infected host, download malware or ransomware and steal data to then extort the victim.

Paul Foster, director of threat leadership at the NCA, said: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.”

Years of Takedowns

At the conclusion of ‘Operation MORPHEUS’, an investigation led by the NCA and involving law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States, Europol said its European Cybercrime Centre (EC3) had been supporting the case since September 2021 by providing analytical and forensic support and by facilitating the exchange of information between all the partners. Law enforcement used the Malware Information Sharing Platform (MISP) to share threat intelligence in real time.

Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise.

Foster went on to say that international disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations.

“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement,” he said.

Behind the Strike

Cobalt Strike is provided by the cybersecurity software company Fortra, designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses.

Fortra said it has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.