Law enforcement shuts down illegal versions of Cobalt Strike

4 Jul 2024

Image: © 0635925410/

Cobalt Strike is a penetration testing tool, but criminals have pirated the software for more than a decade to launch cyberattacks.

An international operation has managed to take down hundreds of malicious versions of Cobalt Strike software, which were used by criminals to launch cyberattacks.

Cobalt Strike is a penetration testing tool that is used to check for vulnerabilities in networks to improve cybersecurity. It is a legitimate software, but criminals have used pirated and unlicenced versions of the software for years for malicious activities, such as infiltrating company networks and deploying ransomware.

There are also various tools, free training guides and videos that come with legal versions of the software, which makes it easier for criminals to learn how to use it for their own purposes.

To address this issue that has existed for more than a decade, an international task force led by the UK’s National Crime Agency (NCA) moved to disrupt 690 individual instances of malicious Cobalt Strike software, which were located at 129 internet service providers in 27 countries.

This disruption activity occurred after more than two-and-a-half years of collaboration between law enforcement and private industry to identify these malicious forms of the software.

The disruption took place last week and the NCA said that 593 of the 690 instances had been taken down by the end of the week.

“Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes,” said Paul Foster, NCA director of threat leadership. “Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.

“Such attacks can cost companies millions in terms of losses and recovery.”

The NCA said illegal versions of Cobalt Strike have been identified as being used in some of the biggest cyberattacks in recent times, being linked to RYUK, Trickbot and Conti cyberattacks.

“International disruptions like these are the most effective way to degrade the most harmful cybercriminals, by removing the tools and services which underpin their operations,” Foster said.

The NCA was also involved in the major operation that disrupted the LockBit ransomware gang earlier this year.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Leigh Mc Gowran is a journalist with Silicon Republic