Microsoft and cybersecurity firm Fortra go after top hacking tool
- Sam Sabin, author of Axios Codebook

Illustration: Annelise Capossela/Axios
A group of cybersecurity companies, including Microsoft, are launching a full-scale legal crackdown today against one of the top hacking tools malware groups use in their attacks.
Driving the news: Microsoft, cybersecurity firm Fortra and the Health Information Sharing and Analysis Center (H-ISAC) unveiled a wide-reaching legal plan to tackle malicious versions of Fortra's Cobalt Strike and Microsoft's software development kits.
Why it matters: Cobalt Strike is a widely-used penetration testing tool that allows organizations to test their security defenses before an attack. However, malicious hackers have relied on a manipulated version of the tool for years to launch devastating ransomware attacks and other incidents.
- The Department of Health and Human Services warned healthcare organizations in November 2021 that both state-backed hacking and cybercriminal groups have been relying on the tool in their attacks.
- That same year, the now-defunct Conti ransomware gang also attempted to used Cobalt Strike to deploy malware against Ireland's publicly funded healthcare system.
Details: On Friday, the U.S. District Court for the Eastern District of New York awarded a court order to the organizations allowing them to seize domain names where malicious actors have been storing and sharing malicious versions of Cobalt Strike.
- The court order allows Microsoft, Fortra and the H-ISAC to automatically notify and takedown IP addresses in the United States that are hosting manipulated versions of these tools. Those takedowns will start today, and the court order allows for future takedowns as criminals develop new infrastructure.
- Microsoft will also notify hosting providers in Latin America and the European Union on Thursday about domain names that are believed to be hosting tainted versions of Cobalt Strike.
- Microsoft and Fortra also received a temporary restraining order against those violating the copyright of their programs to make it easier for them to seize and shutdown malicious versions of the software.
The big picture: It's rare for private companies to turn to the court system on their own to target malicious hackers' tools and tactics.
- While Microsoft has turned to a court order to take down specific groups before, today's actions are the company's first at targeting specific tools that a wide-range of actors use.
What they're saying: "This is something that we jokingly call an advanced persistent disruption; it is not going to be done on Thursday," Amy Hogan-Burney, general manager and associate general counsel for cybersecurity policy and protection at Microsoft, told Axios.
Yes, but: Cybercriminals are often adaptive and have been quick to re-build their systems after similar law enforcement crackdowns.
The intrigue: Microsoft has already started investigating tools that they believe malicious actors could turn to next after all of the attention paid to Cobalt Strike, Hogan-Burney said.
Sign up for Axios’ cybersecurity newsletter Codebook here