A successful cyberattack requires more than just gaining entry into a victim’s network. To truly reap the rewards, attackers must maintain a persistent presence within the system. After establishing communication with other compromised network devices, actors can stealthily extract valuable data. The key to all this is a well-developed Command and Control (C2 or C&C) infrastructure.

The number of C2 servers used for launching cyberattacks increased by 30% in 2022. More than 17,000 of these servers were detected last year, up from 13,629 in 2021.

The concept of centralized control over compromised systems has existed since the early days of computer viruses. One of the earliest documented instances of C2 infrastructure in a cyberattack was the Morris worm, which a hijacked computer at MIT unleashed in 1988. It then proceeded to wreak havoc on huge swaths of the internet. The impact of the Morris worm was a wake-up call for the need to improve the security of computer systems and networks.

History of the Morris Worm

The Morris worm was one of the first computer worms to capture the attention of the public and media. As an experimental prank, a graduate student at Cornell named Robert Tappan Morris launched the worm on November 2, 1988. Unfortunately, it spread like wildfire through vulnerabilities in UNIX operating systems.

The Morris worm infected systems at a number of the prestigious colleges and public and private research centers that made up the early national electronic network. This was a year before the invention of the World Wide Web. Among the many victims were Harvard, Princeton, Berkeley, Stanford, Johns Hopkins, NASA and the Lawrence Livermore National Laboratory. Some estimated the overall damage to be up to $10 million.

Experts consider the Morris worm to be one of the first C2 attacks. This is because it had the capability to remotely control infected systems and use them to spread the worm to other systems. The worm was designed to spread rapidly, infect as many systems as possible and maintain persistence in those systems.

The Morris worm was one of the first self-replicating computer worms. It used a decentralized approach to spread but relied on a centralized mechanism to communicate with infected systems. Since then, the use of C2 infrastructure in cyberattacks has become even more sophisticated.

From Morris to modern-day C2

The C2 aspect of the Morris worm is a key factor that distinguished it from earlier computer viruses and worms. Previously, attackers primarily designed computer viruses to spread and cause disruption. The Morris worm demonstrated the potential for attackers to use worms as a means of establishing a persistent presence within a target network. This characteristic has since become a hallmark of Advanced Persistent Threat (APT) attacks.

There have been numerous well-known incidents that have utilized C2 infrastructure. Some of them have been the most damaging cyber events ever. Here are a few examples:

  1. Stuxnet was a highly sophisticated cyberattack discovered in 2010 that targeted the Iranian nuclear program. It was one of the earliest instances of malware using C2 infrastructure to infect and control target systems.
  2. WannaCry was a highly virulent ransomware attack that affected over 200,000 computers in 150 countries in 2017. The virus spread by using a vulnerability in the Microsoft Windows operating system. This allowed it to infect unpatched systems and then spread from one system to another within a network.
  3. NotPetya was a destructive malware attack that impacted organizations worldwide in 2017. It initially spread through a software supply chain attack, infecting a Ukrainian accounting software called MEDoc with the malware. Then it spread to users who installed the software. After that, the malware spread rapidly across computer networks, causing widespread damage and disruption.
  4. Operation Aurora was a highly sophisticated cyber espionage campaign that targeted companies in the technology, defense and financial sectors, among others. The attackers used C2 infrastructure to remotely control and exfiltrate sensitive data from targeted organizations.

These are just a few examples of well-known C2-based attacks. There have been many others, and new attacks utilizing C2 infrastructure are still discovered regularly.

What C2 isn’t

Not all cyberattacks utilize C2 infrastructure, and sometimes the differences can be confusing. Some examples of attacks that typically do not use C2 infrastructure include:

  1. Phishing attacks that use email to deliver malware or trick victims into giving away sensitive information may not utilize C2 infrastructure. However, phishing may be the initial way C2 attacks gain a foothold in a network.
  2. Drive-by downloads are a type of attack where malware infects a victim’s device when they visit a compromised website. This type of attack does not typically utilize C2 infrastructure.
  3. Exploits take advantage of vulnerabilities in software or systems to execute arbitrary code. Unlike C2-based attacks, exploits do not typically involve centralized control over compromised systems.
  4. Rogue software or applications, such as spyware or adware, can be installed on a victim’s device without the victim’s knowledge or consent. This type of attack does not typically utilize C2 infrastructure.

How to defend against C2 attack

Security pros have developed various techniques and technologies to detect and disrupt C2 infrastructure. A multi-layered approach is the best defense, and some effective solutions against C2-related attacks include:

  1. Network segmentation: Segregating networks into smaller, isolated segments can limit the spread of an attack and reduce the attack surface.
  2. Endpoint security: Securing endpoints such as computers and mobile devices with anti-virus software, firewalls and intrusion detection systems can prevent attackers from compromising devices and using them to control the network.
  3. Network monitoring: Monitoring network traffic for unusual or suspicious activity can help detect and prevent attacks that utilize C2 infrastructure.
  4. Threat intelligence: Utilizing threat intelligence from various sources can provide organizations with information about known C2-based attacks.
  5. Proactive patching: Keeping software and systems up-to-date with the latest security patches can help prevent exploits and limit the effectiveness of C2-based attacks.
  6. User education: Educating users about the dangers of phishing, social engineering and other types of cyberattacks can help prevent the initial compromise that can lead to the use of C2 infrastructure.
  7. Incident response planning: Having an incident response plan in place can help organizations respond quickly and effectively to a cyberattack. This reduces the impact of the attack and minimizes the use of C2 infrastructure.

C2 incidents have a long history, and APT groups and other threat actors continue to use them. Now is the time to take command and control over security that thwarts C2-based attacks.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today