Core Impact and Cobalt Strike are considered weapons by the US government and the government doesn’t want these tools used against it, or American companies. For this reason, it imposes restrictions on the sale of the products, and in some situations the requirement for an export license.
The US has a list of countries to which nothing can be sold (North Korea, Cuba etc.). It also has a slightly longer list of people that companies must avoid selling to. This is discussed well here: https://en.wikipedia.org/wiki/United_States_sanctions
Product Based Export Controls
The US then has another layer where certain products cannot be sold to particular countries. Selling pots and pans to Russia is fine; selling F-16 fighters, less so. It also makes this harder by saying that certain technologies cannot be sold to listed companies; so no modern processors to Huawei, for example.
How does this affect Core Impact and Cobalt Strike?
The rules are very complex but in summary they work like this:
- Nothing to embargoed countries
- Nothing to China or Russia
- Government controlled entities in other countries require approval (an Export License)
- All commercial companies, outside items 1 and 2 above, are looked at by the internal compliance team. Big companies are generally OK; small, 1-person companies are cause for concern.
Is this just Core Impact and Cobalt Strike?
No, other products like these two are affected too. Open-source Metasploit doesn’t require a license (I don’t understand why), but the commercial version from Rapid7 does require a license; they discuss it here: https://www.rapid7.com/export-notice/. The excellent Hak5 products are also heavily restricted and they discuss their situation here: https://shop.hak5.org/pages/compliance
This still impacts you, even if you are not in the affected group
Core have a small internal compliance process that they run through for every order. This is to double check that “Boris Johnson, based in London” isn’t really Vladimir Putin based in Russia.
To complete this verification they need:
- Company formal name
- Company registered address
- VAT number if based in Europe
- Web site
- End user name
- End user email
They will not accept Gmail, Hotmail or similar email addresses. It is much easier if all the details match, so for example: S4 Applications Limited, with a web site called www.s4applications.uk, and email addresses firstName.lastName@s4applications.uk.
How long will it take?
This is the US government, which gets shut down from time to time, and that builds a backlog. The quickest I have seen is 2 months, the longest 10 months.
Roughly speaking, the closer a country is to America’s world view, the quicker the license comes back.
Will I get an export license?
Government entities in Europe are OK.
Large companies in Europe are OK.
Small companies (1 person) in Europe are a bit hit and miss.
Africa and the Middle East depend on the country and its relationship with America.
Sometimes we have had a customer approved but with restrictions placed upon the license. This is typically to restrict the ability to test public IPs to ones that you own, plus all non-routable IPs (RFC 1918).