Europol, an EU law enforcement agency, conducted a week-long operation from June 24 to June 28, 2024, that resulted in the takedown of nearly 600 Internet Protocol (IP) addresses used by cyber criminals to penetrate victims' networks by distributing unlicensed versions of the Cobalt Strike red teaming tool. According to Europol, “A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.” The investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. It was supported by various private sector partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation.
Cobalt Strike is a popular commercial penetration testing tool provided by Fortra, a cyber security software company. It is used by security professionals to perform attack simulations that identify weaknesses in the security of networks and systems. It includes a range of features and capabilities, such as integrated tools for assessing network and system security, social engineering and exploit tools, a command and control (C2) framework for remotely controlling and monitoring penetration testing activities, and a reporting and analysis system.
Europol, officially known as the European Union Agency for Law Enforcement Cooperation and headquartered in The Hague, Netherlands, is an agency that reports directly to the European Union (EU). Its mission is to support its Member States in preventing and combating all forms of serious international and organized crime, cyber crime and terrorism. Europol also works with many non-EU partner states and international organizations. Its role is to help make Europe safer by assisting law enforcement authorities in EU member countries.
However, it’s important to note that Europol has no executive powers. Its officials are not entitled to arrest suspects, conduct independent investigations, or act without prior approval from competent authorities in the member states. Europol’s role is primarily to support and facilitate the efforts of national law enforcement agencies within the EU.
“Law enforcement used a platform, known as the Malware Information Sharing Platform, to allow the private sector to share real-time threat intelligence with law enforcement. Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise,” Europol said. Additionally, the agency stated, “The disruption does not end here. Law enforcement will continue to monitor and carry out similar actions as long as criminals keep abusing older versions of the tool.”