A group of security agencies led by Europol has taken down hundreds of servers that were distributing an old, pirated version of Cobalt Strike to cybercriminals.
The EU law enforcement agency confirmed that Operation MORPHEUS took place between June 24 and 28, and that its goal was to disrupt the distribution of the unlicensed version of the tool by hackers.
“The disruption does not end here,” Europol said in its statement. “Law enforcement will continue to monitor and carry out similar actions as long as criminals continue to abuse older versions of the tool.”
Cobalt Strike is a commercial penetration testing (pentest) tool that was first released in 2012. It was designed to help security professionals simulate advanced persistent threats (APTs) in a network environment, allowing them to test and improve their organization’s defenses against sophisticated cyberattacks. The tool offers features such as covert command and control, post-exploitation capabilities, and collaboration functionality, which quickly made it a popular choice for adversary emulation and red team operations.
However, the same features also made it attractive to malicious actors. Hackers have hijacked the tool, using pirated versions or stolen licenses, to carry out real-world cyberattacks. Today, cybercriminals and nation-state threat actors frequently use Cobalt Strike for malware distribution, espionage, and ransomware attacks. Although the tool was originally intended for security assessments, its powerful features have made it a valuable asset for attackers looking to exploit vulnerabilities in their targets’ systems and evade detection.
Operation MORPHEUS, Europol explained, was the culmination of an investigation that began in 2021.
Europol partnered with peers from Australia, Canada, Germany, the Netherlands, Poland, the United Kingdom, the United States, Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea to target a total of 690 IP addresses in 27 countries. By the end of the operation, 593 of those addresses had been taken offline.
In addition to law enforcement, Operation MORPHEUS involved a number of private companies, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation, which provided enhanced scanning, telemetry and analysis capabilities.