Law enforcement has taken action against the use of the Cobalt Strike tool, where it was being used to infiltrate victims’ IT systems.

According to a statement by Europol, it flagged a number of IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool. 

This led to 690 IP addresses being flagged to online service providers in 27 countries, and 593 of these addresses being taken down.

According to the UK’s National Crime Agency, unlicensed versions of Cobalt Strike have been used over the past decade, and illicit versions of Cobalt Strike have been identified as being used in some of the biggest cyber incidents in recent times.

Its use has also been identified in multiple malware and ransomware investigations including those into RYUK, Trickbot and Conti attacks.

The Attack

The NCA said in the attack, cybercriminals deploy unlicensed versions of Cobalt Strike via spear phishing or spam emails, which attempt to get a target to click on links or open malicious attachments.

When a victim opens the link or document, a Cobalt Strike ‘Beacon’ is installed to give the threat actor remote access, enabling them to profile the infected host, download malware or ransomware and steal data to then extort the victim.

Paul Foster, director of threat leadership at the NCA, said: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.”

Years of Takedowns

In a conclusion of ‘Operation MORPHEUS‘ - an investigation led by the NCA and involving law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States - Europol said its European Cybercrime Centre (EC3) has been supporting this case since September 2021 by providing analytical and forensic support, and facilitating the information exchange between all the partners, whilst law enforcement used the Malware Information Sharing Platform to allow real-time threat intelligence to be shared.

Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise.

Foster went on to say that international disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations.

“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement,” he said.

Behind the Strike

Cobalt Strike is provided by the cybersecurity software company Fortra, designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses.

Fortra said it has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools. 

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.