What Is Operation Morpheus and Why Takedown of 593 Cobalt Strike Servers a Big Deal?

Europol coordinated a global law enforcement action named Operation Morpheus that dismantled 593 Cobalt Strike servers used for criminal activity. The crackdown specifically targeted older, unlicensed (cracked) versions of the Cobalt Strike tool. Law enforcement flagged 690 IP addresses associated with criminal activity to online service providers in 27 countries, and 593 of them had been taken down by the end of the operation.

What is Operation Morpheus?

Operation Morpheus is a joint effort involving Europol and law enforcement authorities from several countries, including the United States, Australia, Canada, Germany, the Netherlands, Poland, and the United Kingdom, supported by private industry partners BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. The action, coordinated by Europol, was the culmination of a complex investigation that began in 2021.

Over the course of a week in late June 2024, law enforcement agencies identified IP addresses associated with criminal activity and the domain names that formed part of the attack infrastructure used by criminal groups, and flagged them to the online service providers hosting them.

Europol emphasized that the success of this operation was highly reliant on collaboration with the private sector, and this innovative approach was made possible due to Europol’s amended Regulation, which facilitates stronger collaboration with the private sector.

Throughout the investigation, Europol’s European Cybercrime Centre (EC3) played a key role in providing analytical and forensic support and facilitating information exchange between partners. Moreover, Europol’s EC3 organized over 40 coordination meetings between law enforcement agencies and private partners and set up a virtual command post to coordinate law enforcement action across the globe during the week of the operation.

What is Cobalt Strike?

Cobalt Strike is commercial red teaming and threat emulation software. It was originally written by Raphael Mudge and is now owned and maintained by the cybersecurity software company Fortra; it is licensed to IT security professionals for attack simulations. However, unauthorized (cracked) copies of Cobalt Strike have long been used by malicious actors to conduct cyber attacks, and the tool's misuse has been a persistent concern, with its Beacon implant regularly observed in ransomware attacks and cyberespionage campaigns.

Figure: Fortra describes Cobalt Strike as threat emulation software

Threat actors have been using cracked copies of the software to gain and maintain unauthorized access to compromised networks, deploy further malicious payloads, and steal sensitive data. Groups affiliated with foreign governments, including Russia, China, and Iran, have also used these cracked versions in their operations. Despite Fortra's efforts to prevent misuse of its software, unlicensed versions of Cobalt Strike have been linked to multiple malware and ransomware investigations, including those into Ryuk, Trickbot, and Conti.

Figure: Cobalt Strike user interface (source: Fortra)

Why Is Operation Morpheus a Big Deal?

Operation Morpheus is a significant step in combating the criminal abuse of Cobalt Strike and underscores the importance of collaboration between law enforcement and the private sector in addressing cybersecurity threats. It also stands out among recent law enforcement operations for the scale of participation and for the model Europol used to bring law enforcement agencies and private industry partners together around shared threat intelligence.

According to a recent press release by Europol, “Law enforcement used a platform, known as the Malware Information Sharing Platform (famously MISP), to allow the private sector to share real-time threat intelligence with law enforcement. Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise (IOCs).” This demonstrates a concerted effort to address the abuse of legitimate tools for illicit purposes and enhance overall resilience against cyber threats.
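As an added example (not part of the Europol release or of this page's own material), the script below shows how a SOC would consume the kind of MISP event export described above: it loads a MISP-style JSON event, keeps only attributes flagged `to_ids` (MISP's marker for "use this for automated detection", as opposed to context such as comments), and matches IP, IP-with-port, and domain indicators as whole tokens against proxy and DNS log lines. The event, the IP addresses (drawn from documentation ranges) and the log lines are all constructed for illustration; they are not indicators from Operation Morpheus.

```python
"""Match MISP-style IOCs against log lines (added example; constructed data)."""
import ipaddress
import json
import re

# Constructed MISP event export. Not real operational data.
MISP_EVENT_JSON = r'''
{
  "Event": {
    "info": "Constructed example: suspected Cobalt Strike team servers",
    "Attribute": [
      {"type": "ip-dst",      "value": "203.0.113.45",          "to_ids": true},
      {"type": "ip-dst|port", "value": "198.51.100.7|50050",    "to_ids": true},
      {"type": "domain",      "value": "updates.example.net",   "to_ids": true},
      {"type": "comment",     "value": "Seen in phishing wave", "to_ids": false},
      {"type": "ip-dst",      "value": "192.0.2.99",            "to_ids": false}
    ]
  }
}
'''

# Constructed proxy and DNS resolver log lines.
SAMPLE_LOGS = [
    "2024-06-25T10:01:02Z proxy host=wks-17 dst=203.0.113.45:443 url=https://203.0.113.45/jquery-3.3.1.min.js",
    "2024-06-25T10:01:05Z dns host=wks-17 query=updates.example.net type=A answer=198.51.100.7",
    "2024-06-25T10:02:10Z proxy host=wks-04 dst=198.51.100.7:50050 url=http://198.51.100.7:50050/ptj",
    "2024-06-25T10:03:00Z proxy host=wks-09 dst=203.0.113.145:443 url=https://203.0.113.145/",
    "2024-06-25T10:04:00Z proxy host=wks-11 dst=192.0.2.99:80 url=http://192.0.2.99/",
]

# Whole-token matching: 203.0.113.45 must not match inside 203.0.113.145.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def load_iocs(event_json):
    """Parse a MISP event into (ips, ip_ports, domains), honouring to_ids.

    Attributes with to_ids=false are context only and are deliberately
    skipped, so 192.0.2.99 above will never produce a hit.
    """
    event = json.loads(event_json)["Event"]
    ips, ip_ports, domains = set(), set(), set()
    for attr in event["Attribute"]:
        if not attr.get("to_ids"):
            continue
        atype, value = attr["type"], attr["value"].strip()
        if atype in ("ip-dst", "ip-src"):
            ips.add(str(ipaddress.ip_address(value)))
        elif atype in ("ip-dst|port", "ip-src|port"):
            ip, port = value.split("|", 1)
            ip = str(ipaddress.ip_address(ip))
            ips.add(ip)                  # the bare IP is still worth a hit
            ip_ports.add((ip, port))     # the exact ip:port pair is a stronger one
        elif atype in ("domain", "hostname"):
            domains.add(value.lower().rstrip("."))
        # Other attribute types (comment, hashes, ...) are not handled here.
    return ips, ip_ports, domains


def match_line(line, ips, ip_ports, domains):
    """Return a sorted list of (ioc_type, value) hits for one log line."""
    hits = []
    for ip in set(IPV4_RE.findall(line)):
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue  # regex shape matched something like 999.1.1.1
        if ip in ips:
            hits.append(("ip", ip))
        for port in set(re.findall(re.escape(ip) + r":(\d{1,5})\b", line)):
            if (ip, port) in ip_ports:
                hits.append(("ip|port", f"{ip}|{port}"))
    for dom in {d.lower() for d in DOMAIN_RE.findall(line)}:
        if dom in domains:
            hits.append(("domain", dom))
    return sorted(hits)


def scan_logs(lines, event_json=MISP_EVENT_JSON):
    """Scan log lines; return {line_index: hits} for lines with at least one hit."""
    ips, ip_ports, domains = load_iocs(event_json)
    return {i: h for i, line in enumerate(lines)
            if (h := match_line(line, ips, ip_ports, domains))}


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
        print(f"  {SAMPLE_LOGS[idx]}")
```

Two details matter in practice: the `to_ids` filter keeps context attributes from generating alerts, and token-based matching (rather than substring search) keeps a flagged `/24` neighbour such as 203.0.113.145 from lighting up on 203.0.113.45. Real feeds will also carry hashes, URLs and certificate fingerprints, which need their own matchers.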

Increased Crack Down On Cyber Crime Groups By Law Enforcement Agencies

This is not the first time law enforcement agencies have coordinated globally against cybercrime groups. The February 2024 takedown of the LockBit ransomware operation (Operation Cronos), led by the UK's National Crime Agency together with the FBI and Europol, was a temporary but significant blow: the action disrupted the infrastructure behind LockBit, a well-known ransomware-as-a-service operation, and was accompanied by arrests in Poland and Ukraine and indictments in the United States, demonstrating the ongoing commitment to combating ransomware attacks.

Operation Endgame, in May 2024, was another major joint effort coordinated by Europol with law enforcement agencies from the United States and Europe. It targeted malware droppers and loaders including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot. The coordinated action resulted in 4 arrests (1 in Armenia and 3 in Ukraine), 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine), more than 100 servers seized or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine, and over 2,000 domains taken under law enforcement control.

Earlier this year, in January 2024, the US FBI and Department of Justice (DOJ) carried out a court-authorized takedown of much of the KV Botnet, the botnet infrastructure used by the PRC state-sponsored group Volt Typhoon. The botnet was built from end-of-life small office/home office (SOHO) routers, mostly Cisco and NETGEAR devices, which the group infected and used as hop points to conceal its targeting of US critical infrastructure.

According to the DOJ press release, the operation disrupted the KV Botnet infrastructure operated by People's Republic of China (PRC) state-sponsored hackers, which had compromised hundreds of US-based SOHO routers, and removed the malware from the infected devices.



Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.

