Enforcement agencies tackle illegal versions of testing software

The National Crime Agency has coordinated global action against illicit software which has been used by cybercriminals for over a decade to infiltrate victims’ IT systems and conduct attacks. Unlicensed versions of Cobalt Strike, a penetration testing tool used to check for vulnerabilities in a company’s network and help improve cyber security, were targeted during a week of action in late June.

Since the mid-2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to rapidly deploy large-scale ransomware.

Because legal versions of the software come with a range of tools, free training guides and videos, those adopting it for criminal use need little sophistication or money.

This disruption activity represents more than two-and-a-half years of NCA-led international law enforcement and private industry collaboration to identify, monitor and degrade the software's criminal use. Action was taken against 690 individual instances of malicious Cobalt Strike software located at 129 internet service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

This was achieved through the enforcement agencies taking down servers and amplified by ‘abuse notifications’ from law enforcement and private industry partners, highlighting to service providers that they may be hosting malware. The operation was jointly conducted with Europol, who assisted with international coordination, the FBI, Australian Federal Police, Royal Canadian Mounted Police, German Federal Criminal Police Office (Bundeskriminalamt), Netherlands National Police (Politie), and the Polish Central Cybercrime Bureau.

Paul Foster, director of threat leadership at the National Crime Agency, said: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes. Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.

“Such attacks can cost companies millions in terms of losses and recovery. International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations. I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”

Illicit versions of Cobalt Strike have been identified as being used in some of the biggest cyber incidents in recent times. Its use has also been identified in multiple malware and ransomware investigations including those into RYUK, Trickbot and Conti attacks. Cobalt Strike owner Fortra says it will continue to work with law enforcement to identify and remove older and malicious versions of the programme from the internet.


