Map of the world highlighting major cities involved in Operation MORPHEUS which dismantled 600 cybercrime servers

A coordinated law enforcement operation, codenamed MORPHEUS, has successfully dismantled close to 600 servers utilized by cybercriminal groups. These servers were part of an attack infrastructure associated with the Cobalt Strike framework.

Between June 24 and 28, law enforcement agencies, including Europol, targeted older, unlicensed versions of the Cobalt Strike red teaming tool. The operation led to 590 of the 690 flagged IP addresses being rendered inaccessible.

Initiated in 2021, this joint operation was spearheaded by the U.K. National Crime Agency (NCA) and involved authorities from multiple countries, including Australia, Canada, Germany, the Netherlands, Poland, and the U.S. Support also came from officials in Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea.

Cobalt Strike is a popular tool among IT security experts for simulating adversaries and identifying security weaknesses. However, cracked versions of the software have been frequently abused by malicious actors for post-exploitation activities.

The tool has been described as a “Swiss army knife” for cybercriminals and nation-state actors. It is widely used in cyber espionage campaigns by nation-state actors from countries like Russia and China and as a precursor to ransomware attacks. This tool provides persistent backdoor access to victims, facilitating further intrusions.

Data reveals that the U.S., India, Hong Kong, Spain, and Canada account for over 70% of the targets using Cobalt Strike. Most of the Cobalt Strike infrastructure is hosted in China, the U.S., Hong Kong, Russia, and Singapore.

Cobalt Strike employs a payload known as Beacon, which uses Malleable C2 profiles to modify the characteristics of its web traffic to avoid detection. Despite being a legitimate tool, its illegal versions have significantly lowered the entry barriers to cybercrime, making it easier for criminals to launch damaging ransomware and malware attacks with minimal technical expertise. These attacks can result in substantial financial losses and recovery costs for companies.

In a related development, Spanish and Portuguese law enforcement agencies have arrested 54 individuals involved in crimes against elderly citizens. The criminals posed as bank employees and tricked victims into divulging personal information under the guise of resolving account issues. Subsequently, they visited the victims’ homes to pressure them into giving away credit cards, PIN codes, and other sensitive information. This scheme allowed the criminals to take control of the victims’ bank accounts and make unauthorized cash withdrawals and purchases.