NCA helps degrade illegal versions of Cobalt Strike (Image Credit: Spenser H on Unsplash)

The National Crime Agency (NCA) has coordinated global action to degrade illegal versions of Cobalt Strike. Although penetration testing teams legally use the software, cybercriminals have used it to attack organisations. This action aims to change that dynamic.

Paul Foster, Director of Threat Leadership at the National Crime Agency, said, “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations. I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”

Why was Cobalt Strike targeted?

Cobalt Strike is a commercial penetration testing tool that red teams use to test the security of networks and computer systems. It consists of tools and utilities for probing and reconnaissance of target systems and for launching attacks against them.

It also includes a command and control framework for use once a system is breached. This uses a payload called Beacon, which feeds back information on breached systems and allows remote access. Finally, it enables reports and analysis to be produced, which, for red teams, can be fed back to IT security teams to remediate vulnerabilities.

The penetration testing suite is widely seen as the best around, at least in commercial circles. Therefore, it is no surprise that cybercriminals have cracked the licensing protection around it and use it themselves.

That use by cybercriminals sparked this multi-national operation to block the use of 690 illegal copies of Cobalt Strike. Taking those instances down meant dealing with 129 internet service providers in 27 countries. However, not all ISPs were willing to cooperate. Only 593 instances were effectively taken down.

A public-private cybersecurity partnership

Such takedowns always involve cooperation between law enforcement in multiple countries. In this case, the UK National Crime Agency and Europol were jointly in control. Other agencies they worked with included the FBI, Australian Federal Police, Royal Canadian Mounted Police, German Federal Criminal Police Office (Bundeskriminalamt), Netherlands National Police (Politie) and the Polish Central Cybercrime Bureau.

More interestingly, the NCA has named several private organisations that supported the takedown. These include BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus, and Abuse CH.

Other private organisations also shared information through the Malware Information Sharing Platform. In total, the NCA says that 730 pieces of threat intelligence containing almost 1.2 million indicators of compromise were shared.

The two images below show the number of Cobalt Strike Beacons and potential Beacons for a few days before the action and ten days after. As can be seen, there were distinct differences before and after that period.

Fig 1: Cobalt Strike Beacons pre-takedown (Image credit: Shadowserver)

Fig 2: Cobalt Strike Beacons post-takedown (Image credit: Shadowserver)

Enterprise Times: What does this mean?

The successful takedown of so many illegal instances of Cobalt Strike is a major coup for law enforcement. It will also please Fortra, the owner of Cobalt Strike, which intends to continue working with law enforcement to remove older and cracked versions of the software.

Despite that optimism, the fact that 15% of targeted instances were left untouched will disappoint Fortra and the various law enforcement agencies involved.

The numbers in Figure 3 below will also disappoint. Those numbers were taken a week after the operation ended and show how many Beacons suddenly appeared. Do they represent a huge wave of new attacks? It will take time before that becomes clear.

Fig 3: Cobalt Strike Beacons July 4 2024 (Image credit: Shadowserver)
