Microsoft’s Digital Crimes Unit, cybersecurity firm Fortra and the Health Information Sharing & Analysis Center announced legal action Thursday to seize domains related to criminal activity involving cracked copies of the security testing application Cobalt Strike, which has become a favorite tool for cybercriminals to carry out attacks around the world.
Cobalt Strike, an adversary emulation tool that information security professionals use to evaluate network and system defenses to enable better security, like other legitimate hacking tools, is regularly abused by cybercriminals as part of attacks ranging from financially motived cybercrime to high-end state-aligned attacks.
Fortra, the maker of Cobalt Strike, works to prevent Cobalt Strike getting into the hands malicious hackers, but manipulated versions of the software have inevitably proliferated online. Thursday’s action attempts to disrupt the use of these cracked, older versions of Cobalt Strike that cybercriminals widely use to carry out attacks, especially to deploy ransomware.
“If you identify their preferred method of attack and make it no longer usable that’s a good thing,” said Amy Hogan-Burney, Microsoft’s general manager for cybersecurity policy and protection.
The court order names a range of entities and groups the companies allege misuse their technologies, including the LockBit and Conti ransomware groups and a series of cybercrime operations tracked by Microsoft under various designations. In a 223-page complaint filed in the U.S. District Court in the Eastern District of New York, the companies detail known IP addresses associated with the criminal activity, along with the range of domain names utilized by the criminal groups.
The court order instructs data centers and hosting providers to block traffic to the known IPs and domains and “completely disable the computers, servers, electronic data storage devices” and other infrastructure associated with the defendants’ activities, as well as transfer control of the IPs and domains to Microsoft.
Microsoft has in recent years pioneered the use of domain seizure as a way to disrupt the technical infrastructure malicious hackers rely on, and Thursday’s action targeting Cobalt Strike builds on that earlier work to carry out the novel targeting of a hacking tool. Thursday’s legal order targets 16 anonymous “John Doe” actors engaged in a range of criminal behavior, from ransomware activity to malware distribution and development.
The action against illicit Cobalt Strike applications represents the culmination of what Hogan-Bruney said was a year-long investigation, and Thursday’s attempt to disrupt use of Cobalt Strike is likely only a first step to challenge illicit use of the hacking tool. Malicious actors will likely be able to retool their infrastructure, and Cobalt Strike relies on dynamic hosting, creating a challenge in disrupting it use.
Hogan-Burney said that investigators in her office have coined a joke about the operation that’s by now well-worn: “We call this an advanced persistent disruption.”
“It’s insufficient to think of it as a single action like we used to,” she said.
Legitimate cybersecurity researchers use Cobalt Strike to emulate the work of an attacker and to probe weaknesses in computer systems and maintain a long-term, covert presence on a network. But in the wrong hands, Cobalt Strike provides an attacker with sophisticated hacking tools, one that offers highly sophisticated capabilities off the shelf — while having to write less custom code that would make it easier to trace an attack.
That’s made Cobalt Strike a favorite of malicious hackers in recent years. The ransomware gang Conti used it in attacking the Irish healthcare system in 2021 and in a crippling attack on the Costa Rican government last year. Indeed, ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world, Hogan-Burney said in a blog announcing Thursday’s action. A June 2021 analysis from cybersecurity firm Proofpoint reported a 161% increase of threat actors using Cobalt Strike between 2019 and 2020, and said it was a “high-volume threat in 2021.”
Furthermore, internal chat logs from the Conti ransomware group revealed in the weeks after the Russian invasion of Ukraine showed that the group invested tens of thousands of dollars in acquiring legitimate licenses for Cobalt Strike via a third-party company, cybersecurity journalist Brian Krebs reported at the time.
Fortra executives told CyberScoop they recognize the power of the tool and its prevalence in the cybercrime ecosystem and were happy to participate.
“As you can imagine, an effort such as this takes time to research, document, and coordinate before legal action can start,” said Matthew Schoenfeld, president of Fortra. “It’s taken months of targeted hard work and joint investigations and we’re happy to be working with Microsoft and H-ISAC to reduce risk and help keep bad actors at bay.”
Bob Erdman, the company’s associate vice president of research and development, said that “Cobalt Strike is the go-to security tool used legitimately by reputable entities to help strengthen their security posture and prevent bad actors from compromising their infrastructure. This action is an example of industry members combining resources and expertise to block the criminal abuse of legitimate security tools, making it harder for malicious actors to operate.”