Hundreds of Cobalt Strike linked servers taken down in major police operation

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Hundreds of servers distributing a cracked, older version of Cobalt Strike to cybercriminals have been taken offline by a collection of law enforcement agencies led by Europol.

The EU’s law enforcement agency confirmed Operation MORPHEUS took place between June 24 and 28, and its goal was to disrupt hackers’ distribution of the unlicensed version of the tool.

“The disruption does not end here,” Europol said in its announcement. “Law enforcement will continue to monitor and carry out similar actions as long as criminals keep abusing older versions of the tool.”

Hijacking a legitimate tool

Cobalt Strike is a commercial penetration testing (pentest) tool first released back in 2012. It was designed to help security pros simulate advanced persistent threats (APTs) in a network environment, allowing them to test and improve their organization's defenses against sophisticated cyber-attacks. The tool offers features such as covert command and control, post-exploitation capabilities, and collaboration functionalities, which quickly made it a popular choice for read team operations and adversary emulation.

However, it also made it attractive for malicious actors. Hackers have hijacked the tool, using cracked versions or stolen licenses, to conduct real-world cyber-attacks. Today, Cobalt Strike is frequently employed by cybercriminals and nation-state threat actors for malware delivery, espionage, and ransomware attacks. The tool's powerful features, originally meant for security assessments, have made it a valuable asset for attackers seeking to exploit vulnerabilities in their targets' systems and evade detection. 

Operation MORPHEUS, Europol further explained, was the culmination of an investigation that first began back in 2021.

The law enforcement organization partnered up with its peers in Australia, Canada, Germany, the Netherlands, Poland, the UK, US, Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea, to target a total of 690 IP addresses across 27 countries. By the end of the operation, 593 of the addresses were pushed offline.

Besides the police, a number of private companies also participated in Operation MORPHEUS, including BAE Systems Digital Intelligence, Trellix, Spamhaus, and The Shadowserver Foundation, lending their hand with enhanced scanning, telemetry and analytical capabilities.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.