Europol operation Morpheus: Around 600 IPs and domains taken down

Europol's Operation Morpheus targeted unlicensed Cobalt Strike instances: IP addresses and domains with criminal connections were knocked offline.


This article was originally published in German and has been automatically translated.

In the week of June 24 to 28, Europol blocked 593 IP addresses, hosted at internet service providers, that were linked to criminal activity and to the Cobalt Strike tool, which attackers use as a remote access tool (RAT). The week of action is the culmination so far of Operation Morpheus, under which international law enforcement agencies have been investigating since September 2021.

The starting point is old, unlicensed or cracked versions of the "remote administration software" Cobalt Strike. During the week of action, investigators collected known IP addresses associated with criminal activity, along with several domain names, and flagged them so that online service providers could shut down the unlicensed Cobalt Strike instances. The collection comprised 690 IP addresses in 27 countries. By the end of the week, almost 600 of them had been taken offline.

Cyber criminals like to use Cobalt Strike to keep control of computers and networks they have previously broken into: it lets them install additional software and gives them remote access to the compromised system over the network. Cobalt Strike is actually intended for attack simulations (red-team engagements) and has a powerful feature set. Criminals also rent out access to computers fitted with this backdoor, for example as part of "as-a-service" offerings. The criminals naturally pay no license fees and usually rely on older, cracked versions of the tool. Europol explains that such unlicensed Cobalt Strike versions have often been misused to gain backdoor access and install malware; investigators have encountered them in several malware and ransomware investigations, for example in connection with Ryuk, Trickbot and Conti.

Companies from the private sector actively assisted in the operation, Europol writes in its press release. In addition to Cobalt Strike's manufacturer Fortra, BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and the Shadowserver Foundation were involved. Europol's amended regulation permits this cooperation with the private sector, which gives investigators access to real-time information and a broader view of criminals' tactics. This also strengthens the resilience of the European digital ecosystem.

Law enforcement agencies use the Malware Information Sharing Platform (MISP), which allows the private sector to share real-time information with them. Over the course of the entire investigation to date, 730 threat intelligence entries and almost 1.2 million Indicators of Compromise (IOCs) have been entered there. Various authorities took part in the global campaign: the Australian Federal Police (AFP), the Royal Canadian Mounted Police (RCMP), Germany's Federal Criminal Police Office (BKA), the Dutch National Police (Politie), the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości), the UK's National Crime Agency (NCA), and finally the U.S. Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI).

"The operation does not end here. Law enforcement will continue to monitor and launch similar actions as long as cybercriminals continue to use older versions of the tool," the Europol investigators added.

(dmk)