Three people in the DCU building.

Inside the fight against hackers who disrupted hospitals and jeopardized lives

After tricking an employee with a phishing email and a poisoned spreadsheet, hackers used the employee’s infected computer to break into Ireland’s public health system and tunnel through the network for weeks. They prowled from hospital to hospital, browsed folders, opened private files and spread the infection to thousands of other computers and servers.

By the time they made their ransom demand, they had hijacked more than 80% of the IT system, forcing the organization of over 100,000 people offline and jeopardizing the lives of thousands of patients.

The attackers unleashed the 2021 assault on Ireland’s Health Service Executive (HSE) with help from a “cracked,” or abused and unauthorized, legacy version of a powerful tool. Used by legitimate security professionals to simulate cyberattacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try and infect roughly 1.5 million devices.

But Microsoft and Fortra, the tool’s owner, are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software. The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has since plummeted.

“The message we want to send in cases like these is: ‘If you think you’re going to get away with weaponizing our products, you’re in for a rude awakening,’” says Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU) and head of the unit’s Malware Analysis & Disruption team.

Profile picture of Jason Lyons.
Jason Lyons (photo courtesy of Lyons)

The effort to knock cracked Cobalt Strike offline began in 2021 when DCU — an eclectic, global group of cybercrime fighters — wanted to make a bigger dent on the rise in ransomware attacks. Previous operations had targeted individual botnets like Trickbot and Necurs separately, but ransomware investigator Jason Lyons proposed a major operation targeting many malware groups and focused on what they had in common: their use of cracked, legacy Cobalt Strike.

“We kept seeing cracked Cobalt Strike as the tool in the middle being leveraged in ransomware attacks,” says Lyons, who based his assessments on internal intelligence of attacks on Windows customers.

A former counterintelligence special agent with the U.S. Army, Lyons had spent many nights and weekends responding to ransomware events and breaches. The chance to go after many criminals at once was a way to “bring a little pain to the bad guys and interrupt their nights and weekends, too,” he says.

But before Microsoft could start inflicting pain, it needed to clean its own house first and rid Azure of cracked Cobalt Strike. Rodel Finones, a reverse engineer who deconstructs and analyzes malware, quickly went to work. He had moved to DCU from the Microsoft Defender Antivirus team a few years ago to take a more proactive role in fighting crime.

Finones built a crawler that connected to every active, public-facing Cobalt Strike command-and-control server on Azure — and later, the internet. The servers communicate with infected devices and allow operators to spy on a network, move laterally and encrypt files. He also began investigating how ransomware operators were abusing Microsoft’s software in their attacks.

Profile picture of Rodel Finones
Rodel Finones (photo courtesy of Finones)

But crawling wasn’t enough. Investigators faced a challenge in how to distinguish between valid security uses of Cobalt Strike and illicit uses by threat actors. Fortra issues a unique license number, or watermark, for every Cobalt Strike kit it sells, which provides a forensic clue in cracked copies. But the company wasn’t part of the initial operation, and DCU investigators worked alone to build an internal catalog of watermarks linked to customer attacks as they cleaned up Azure.

Meanwhile, Fortra, which had acquired Cobalt Strike in 2020, was also working on the problem of criminals using cracked copies. When Microsoft proposed a joint operation, the company needed time to make sure partnering with Microsoft was the right move, says Bob Erdman, associate vice president for Research & Development at Fortra.

At one point, Microsoft tried to buy a copy of Cobalt Strike to help investigators understand the tool. Fortra said no.

“It’s an interesting and funny story now, but we didn’t know if Fortra was going to partner with us,” says Lyons.

“We don’t just sell to anybody who wants it,” Erdman said in response.

Fortra joined the action in early 2023 and provided a list of more than 200 “illegitimate” watermarks linked to 3,500 unauthorized Cobalt Strike servers. The company had been doing its own investigations and adding new security controls, but partnering with Microsoft provided access to scale, additional expertise and another way to protect its tool and the internet. Over the course of the investigation, Fortra and Microsoft analyzed approximately 50,000 unique copies of cracked Cobalt Strike.

“It really was a very good match for the two of us,” says Erdman. “It’s a great way to partner where everybody’s stronger working together.”

The partnership was also a win for Microsoft, with Fortra’s insight and watermark list greatly expanding the operation’s reach. It helped the companies with their lawsuit linking malicious infrastructure to 16 unnamed defendants, each one a distinct threat group.

Lawyers argued that the groups — ransomware developers, extortionists, victim lurers, cracked Cobalt Strike sellers — worked together in a bustling, lucrative ransomware-as-a-service enterprise designed to maximize profit and harm. They also linked cracked Cobalt Strike to eight ransomware families, ranging from LockBit, a fast encryption and denial-of-service attacker, to Conti, the malware suspected in the devastating 2022 attacks on the Costa Rican government.

Conti was also suspected in the Ireland attack, whose details come from a post-incident report commissioned by Ireland HSE. HSE’s transparency and willingness to share what it learned is helping other organizations strengthen their defenses against cyberattacks.

Many victims attacked with cracked Cobalt Strike have been health care organizations forced to cancel surgeries, divert ambulances and delay treatment. That trend prompted Health-ISAC, a cyberthreat information-sharing association of 800 health organizations, to join the lawsuit as a co-plaintiff.

“We’re talking about people’s lives being at stake,” says Errol Weiss, Health-ISAC chief security officer.

As the team prepared its legal arguments, DCU attorney Mia Scavella-Little helped investigators write their declarations, using her background as a data scientist to meld technical and legal language. Or, as she puts, it: “Putting ‘geek’ into something that actually makes sense to attorneys or a judge.”

A former counterterrorism analyst for the U.S. government and a pro bono advocate, she enjoyed the purpose-driven nature of the operation.  

“My career, it’s mission-focused, so I like to go in there and protect and save, and that’s what DCU is doing,” she says.

Lawyers argued that Fortra and Microsoft have the right to take down cracked Cobalt Strike infrastructure because the threat groups broke copyright laws and terms of service. When a federal judge agreed and signed an emergency order, malware investigator Christopher Coy was ready to go.

Profile picture of Chris Coy.
Chris Coy (photo courtesy of Coy)

He had spent much of his time building an automated system to notify data centers and hosting providers to take down targeted IP addresses. He worked with registries to seize domains. He carefully checked through criteria for making sure Microsoft was disrupting threat actors and not innocent victims.

“One of our main concerns with all of our operations is we want to take down malicious infrastructure,” Coy says. “We don’t want to take down somebody’s legitimate infrastructure or business that has been compromised by the bad actor. So we go through a pretty rigorous process.”

The impact has been swift and promising, with all malicious .com and .net domains seized within 24 hours of the judge’s order. Microsoft seized and “sinkholed” a total of 153 U.S. domains with victim traffic now going to the company’s computers and away from criminal operators. And it sent notices to third parties to take down more than 1,900 global IP addresses.

The number of cracked Cobalt Strike servers detected per day — nearly a thousand when the operation began — has declined by 25% globally and 50% in the U.S. The number of victim IP addresses infected by malicious servers on seized domains has dropped by roughly two-thirds, according to data from Microsoft’s Cyber Threat Intelligence Program. The work has led to criminal referrals, recovery help for victims, continued monitoring and more legal action.

Already, threat actors are adapting, moving away from the U.S., where third parties are quick to respond to copyright infringement notices, and relocating servers in China and Russia.

“We know this is going to be an ongoing fight, as criminals are always shifting their tactics,” says Amy Hogan-Burney, who leads DCU. “But we’re persistent and committed to doing this as long as it takes.”

The goal is for attacks to drop as criminals find it harder to make money with less access to efficient tools like Cobalt Strike and Microsoft APIs.

“Cybercriminals are, in a very rudimentary perspective, businesspeople too,” Boscovich says. “They’re saying, ‘It’s not worth setting anything up here because within two to three days, it’s taken down.’”

A former federal prosecutor, Boscovich joined DCU when it started in 2008 and soon developed what would become Microsoft’s overall legal strategy for fighting malware. He’s led 27 malware operations in the last 15 years and is continually refining the company’s strategies. This year for the first time, he leveraged a racketeering law against multiple criminal groups to maximize impact.

For Hogan-Burney, the results are validation of the team’s experience and partnerships. Microsoft is one of few companies with a broad array of experts — attorneys, investigators, engineers, analysts — solely dedicated to cybercrime disruption. Many have military or government backgrounds and perspectives outside the company that help them work with partners, an essential part of the job, she says. And many come from careers built on protecting people, a mission they carry today.

“Every single person inside DCU is incredibly mission-oriented,” says Hogan-Burney, a former FBI attorney and the general manager and associate general counsel for Microsoft Cybersecurity Policy & Protection, which oversees DCU.

“They pride themselves on doing everything they can to protect Microsoft customers and the broader internet ecosystem, and that mission-oriented drive they had beforehand, they bring it here.”

Amy Hogan-Burney standing in room.
Amy Hogan-Burney (photo by Dan DeLong)

That’s certainly true for Coy, a Microsoft engineer for more than 25 years and a longtime U.S. Navy Reserve commander and intelligence officer. Throughout his career, he’s built and shipped many products that helped people, but his role at DCU allowed him to have a bigger impact. Cracked Cobalt Strike was the last project he worked on before retiring this month.

“The work we do at DCU is having a significant impact on the security and safety of the internet as a whole,” Coy says. “We’re not just cleaning it up for Azure. We’re trying to clean it up for the planet, and that’s super rewarding and fulfilling when you’re able to do that as your day job.”

Top photo: Mia Scavella-Little (left), Amy Hogan-Burney (center) and Richard Boscovich at the Microsoft Cybercrime Center, which houses DCU, in Redmond, Washington (photo by Dan DeLong)