UK’s NCA Leads Major Cobalt Strike Takedown

Written by

The UK’s National Crime Agency (NCA) has revealed details of an ambitious operation to disrupt the cybercrime supply chain by targeting IP addresses hosting the Cobalt Strike tool.

Cobalt Strike is a legitimate pen testing and threat emulation tool often abused by threat actors to find weaknesses in target networks and effectively backdoor systems.

Although developer Fortra has taken steps in the past to ensure its use is regulated and that the tool is only sold to legitimate customers, threat actors have been able to steal older versions and create cracked copies for distribution.

It is these that the NCA’s Operation Morpheus targeted, with help from Europol and law enforcement agencies in Australia, Canada, Germany, the Netherlands and Poland, as well as private sector partners.

Read more on Cobalt Strike: Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads

During the week commencing June 24, they came together to take action against 690 instances of unlicensed Cobalt Strike software hosted by 129 internet service providers in 27 countries. By the end of the week, 593 of these domains had been taken down, according to the NCA.

Private sector participants in the operation used the “Malware Information Sharing Platform” to share real-time threat intelligence with law enforcement, including nearly 1.2 million indicators of compromise (IoCs), the NCA added.

Lowering the Barrier to Entry

“Illegal versions of [Cobalt Strike] have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” argued NCA director of threat leadership, Paul Foster.

“Such attacks can cost companies millions in terms of losses and recovery. International disruptions like these are the most effective way to degrade the most harmful cybercriminals, by removing the tools and services which underpin their operations.”

Don Smith, VP of threat intelligence at Secureworks, described Cobalt Strike as “the Swiss army knife” of cybercrime and nation state threats.

“Cobalt Strike has long been the tool of choice for cybercriminals, including as a pre-cursor to ransomware. It is also deployed by nation state actors to facilitate intrusions in cyber-espionage campaigns,” he added.

“Used as a foothold, it has proven to be highly effective at providing the persistent backdoor to victims, facilitating intrusions of all forms. This disruption is to be welcomed, removing Cobalt Strike infrastructure used by criminals is always a good thing.”

What’s hot on Infosecurity Magazine?