Cobalt Strike: International law enforcement operation tackles illegal uses of ‘Swiss army knife’ pentesting tool

An international coalition of law enforcement agencies have taken action against hundreds of installations of the Cobalt Strike software, a penetration testing tool notoriously abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.

Britain’s National Crime Agency (NCA) announced on Wednesday that it coordinated global action against the tool, tackling 690 IP addresses hosting illegal instances of the software in 27 countries.

Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into victims’ networks. However, it works so well — easing the processes involved in trying to break into a victim’s network — that pirated versions of the tool have been widely deployed by real malicious actors over the last decade.

The action comes as law enforcement agencies continue to tackle ransomware gangs by targeting the ecosystem’s weak points — hitting the links in the chain that could have cascading effects, such as the seizure of bulletproof hosting provider LolekHosted.

Alongside its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.

“Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” stated the NCA.

Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.

However its multifunctional nature, including a framework for managing the hackers' command and control infrastructure, makes the tool “the Swiss army knife of cybercriminals and nation state actors,” as described by Don Smith, the vice president of threat research at Secureworks Counter Threats Unit.

“Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g. Russian and Chinese – to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the back door to victims to facilitate intrusions in cyber espionage campaigns,” Smith said.

According to the NCA, the action tackling the rogue uses of the software took place last week and involved server takedowns as well as sending “abuse notifications” to ISPs to warn them that they could be hosting malware.

Paul Foster, the director of threat leadership at the NCA, stressed that Cobalt Strike was “a legitimate piece of software,” but that “sadly cybercriminals have exploited its use for nefarious purposes.”

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Foster said.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations,” added the NCA director.

Despite the law enforcement action, “the threat from ransomware remains omnipresent and whilst this disruption is to be welcomed, criminals and nation state actors will almost certainly have a Plan B,” said Secureworks’ Smith.

Fortra has pledged to continue to work with law enforcement to identify and remove older versions of its software from the internet. The NCA retracted an earlier statement that the company had released a new version of the software with “enhanced security measures.” 

“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.

“However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”