A successful cyberattack requires more than just gaining entry into a victim’s network. To reap the rewards, attackers must maintain a persistent presence within the environment. Once they can communicate with the hosts they have compromised, they can issue commands, move laterally and stealthily extract valuable data. The key to all of this is a well-developed Command and Control (C2 or C&C) infrastructure.

The number of C2 servers used for launching cyberattacks increased by 30% in 2022: more than 17,000 were detected that year, up from 13,629 in 2021.

The idea of central control over compromised systems has existed since the early days of computer viruses. One of the earliest and most-cited incidents is the Morris worm, which was released from a computer at MIT in 1988 and went on to cripple a large share of the Internet of the day. Although the worm was largely autonomous, its impact was a wake-up call about the security of networked computer systems.

History of the Morris Worm

The Morris worm was one of the first computer worms to capture the attention of the public and the media. Robert Tappan Morris, a graduate student at Cornell, launched it on November 2, 1988, reportedly as an experiment to gauge the size of the Internet. It spread far faster than intended by exploiting a debug mode in sendmail, a buffer overflow in the fingerd daemon and trusted-host rsh/rexec logins combined with password guessing on UNIX systems.

The Morris worm infected systems at many of the universities and public and private research centers that made up the early Internet, a year before the World Wide Web was proposed. Among the many victims were Harvard, Princeton, Berkeley, Stanford, Johns Hopkins, NASA and the Lawrence Livermore National Laboratory. Estimates of the overall damage ranged up to $10 million.

The Morris worm is sometimes described as one of the first C2 attacks, but the description needs qualification. The worm was designed to spread rapidly and infect as many systems as possible, and its code contained a routine meant to report each infection back to a single host at Berkeley. That routine was buggy and never sent anything, the worm had no way to receive commands from its author, and it did not survive a reboot. What it does show is the idea of a central reporting point, which later malware turned into a real command channel.

The Morris worm was one of the first self-replicating programs to spread across the Internet. It spread in a fully decentralized way and, in practice, never communicated with its author at all. Since then, malware authors have added what Morris lacked: a reliable channel through which an operator can task infected systems, and the C2 infrastructure behind that channel has become steadily more sophisticated.

From Morris to modern-day C2

What the Morris worm hinted at, and what later malware made real, is the pairing of automated spread with a channel back to an operator. Earlier viruses and worms were built to replicate and cause disruption, then ran unattended. A worm that reports back and takes orders instead becomes a way to establish a persistent, operator-controlled presence within a target network, a characteristic that has since become a hallmark of Advanced Persistent Threat (APT) attacks.

Numerous well-known incidents have relied on C2 infrastructure, and some rank among the most damaging cyber events ever. Here are a few examples:

  1. Stuxnet was a highly sophisticated attack, discovered in 2010, that targeted the Iranian nuclear program. Its core sabotage logic was built to run on its own inside air-gapped networks, but the malware also carried C2 server addresses so that infected machines with Internet access could report in and receive updates.
  2. WannaCry was a highly virulent ransomware worm that affected over 200,000 computers in 150 countries in 2017. It spread by exploiting an SMBv1 vulnerability in Microsoft Windows (the EternalBlue exploit, patched in MS17-010), infecting unpatched systems and then hopping from one system to the next within a network. Its ransomware component bundled a Tor client to reach its operators’ hidden services, and a hard-coded “kill switch” domain check ultimately allowed researchers to halt its spread.
  3. NotPetya was a destructive malware attack that hit organizations worldwide in 2017. It arrived through a software supply chain attack: the attackers planted a backdoor in the update mechanism of M.E.Doc, a Ukrainian accounting package, used the vendor’s own update server as their C2 channel, and then pushed the payload to users through a trojanized update. From there it spread rapidly across networks using the EternalBlue exploit and stolen administrator credentials, causing widespread damage and disruption.
  4. Operation Aurora was a highly sophisticated cyber espionage campaign, disclosed in early 2010, that targeted Google and more than 20 other companies in the technology, defense and financial sectors, among others. The attackers used C2 infrastructure to task the implants they had planted and to exfiltrate intellectual property and other sensitive data from the targeted organizations.

These are just a few examples of well-known C2-based attacks. There have been many others, and new attacks utilizing C2 infrastructure are still discovered regularly.

What C2 isn’t

Not all cyberattacks utilize C2 infrastructure, and the distinction can be confusing because C2 is a post-compromise capability rather than a way in. The following techniques, taken on their own, do not involve C2, even though the malware they deliver often does:

  1. Phishing attacks use email to deliver malware or trick victims into giving away sensitive information. The email itself involves no C2, but phishing is the most common way a C2-based intrusion gains its first foothold in a network.
  2. Drive-by downloads infect a victim’s device when they visit a compromised or malicious website. The exploit and the download are delivery steps, not control; whether the payload beacons out afterwards depends on what was delivered.
  3. Exploits take advantage of vulnerabilities in software or systems to execute arbitrary code. An exploit by itself provides no centralized control over the compromised system; attackers pair it with an implant when they want that.
  4. Rogue software or applications, such as spyware or adware, can be installed on a victim’s device without the victim’s knowledge or consent. Much of it “phones home” to report data or fetch content, but this is typically a one-way reporting channel rather than an operator issuing commands to the device.

How to defend against C2 attack

Security pros have developed various techniques and technologies to detect and disrupt C2 infrastructure. A multi-layered approach is the best defense. Effective measures against C2-related attacks include:

  1. Network segmentation: Dividing the network into smaller, isolated segments limits lateral movement once a host is compromised and reduces the attack surface. Strict egress filtering belongs here too: a segment that has no business reaching the Internet should be unable to, which cuts off the C2 channel outright.
  2. Endpoint security: Hardening endpoints such as computers and mobile devices with anti-virus or EDR software, host firewalls and intrusion detection systems can prevent attackers from compromising them, or can surface the implant that is talking to the C2 server.
  3. Network monitoring: Monitoring network traffic, DNS and proxy logs for unusual or suspicious activity can reveal C2 traffic that endpoint controls missed. Telltale signs include connections to the same destination at fixed intervals (beaconing), unusually long or frequent DNS queries, and traffic to newly registered or rarely visited domains.
  4. Threat intelligence: Threat intelligence from various sources provides known C2 domains, IP addresses and malware indicators that can be fed into firewalls, DNS filters and detection rules.
  5. Proactive patching: Keeping software and systems up to date with the latest security patches closes the vulnerabilities used for initial compromise and lateral movement, and so limits how much a C2-based attack can accomplish.
  6. User education: Educating users about the dangers of phishing, social engineering and other types of cyberattacks can help prevent the initial compromise that leads to a C2 connection.
  7. Incident response planning: Having an incident response plan in place allows organizations to respond quickly and effectively to a cyberattack, shortening the time an attacker can use an established C2 channel and reducing the overall impact.
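As an added example (not code from the original article), the following Python script shows the kind of check behind items 3 and 4 above: it parses a handful of constructed proxy log lines, groups connections by source and destination, scores how regularly each pair talks, and cross-checks destinations against a small indicator list standing in for a threat-intelligence feed. The log format, the host names, the indicator list and the thresholds are all assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines for this example, not real traffic.
# One outbound connection per line: <ISO timestamp> <source IP> <destination host> <bytes sent>
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example.net 412
2024-05-01T10:00:17 10.0.0.7 cdn.example.org 30211
2024-05-01T10:01:01 10.0.0.5 updates.example.net 412
2024-05-01T10:01:03 10.0.0.7 img.example.org 8871
2024-05-01T10:01:59 10.0.0.5 updates.example.net 412
2024-05-01T10:02:40 10.0.0.7 cdn.example.org 1200
2024-05-01T10:03:02 10.0.0.5 updates.example.net 412
2024-05-01T10:04:00 10.0.0.5 updates.example.net 412
2024-05-01T10:09:12 10.0.0.7 cdn.example.org 5020
2024-05-01T10:09:30 10.0.0.9 c2.bad.example 77
2024-05-01T10:15:41 10.0.0.7 cdn.example.org 640
"""

# Constructed indicator list standing in for a threat-intelligence feed (assumption).
THREAT_INTEL_DOMAINS = {"c2.bad.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
MIN_CONNECTIONS = 4     # fewer connections give no usable timing signal
MAX_JITTER_RATIO = 0.2  # stdev/mean of the intervals; below this looks machine-driven (tunable)


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_sent) tuples, skipping malformed lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, nbytes = match.groups()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def beacon_score(timestamps):
    """Return (mean interval in seconds, jitter ratio) for a sorted list of datetimes."""
    intervals = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(intervals)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.pstdev(intervals) / mean


def find_c2_candidates(log_text, intel=THREAT_INTEL_DOMAINS):
    """Flag (src, dst) pairs that beacon on a fixed schedule or contact a known indicator."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(log_text):
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        reasons = []
        if dst in intel:
            reasons.append("matches threat-intel indicator")
        if len(events) >= MIN_CONNECTIONS:
            mean, jitter = beacon_score([ts for ts, _ in events])
            if jitter <= MAX_JITTER_RATIO:
                reasons.append(f"regular beacon every ~{mean:.0f}s (jitter {jitter:.2f})")
            # Implants often send a fixed-size check-in when they have nothing to report.
            if len({nbytes for _, nbytes in events}) == 1:
                reasons.append("identical request size on every connection")
        if reasons:
            findings.append({"src": src, "dst": dst, "count": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_c2_candidates(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['count']} connections): {'; '.join(f['reasons'])}")
```

Run as a script, it prints the two flagged pairs: the host checking in with the same request size roughly every minute, and the host that touched the indicator-listed domain, while the irregular browsing traffic is left alone. Two caveats apply in practice: legitimate software update checks also beacon on a fixed schedule, so a hit is a triage lead to allowlist or investigate rather than an alert on its own, and real C2 frameworks add random jitter to their sleep interval, so the jitter threshold must be tuned against your own traffic baseline rather than trusted blindly.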

C2 infrastructure has a long history, and APT groups and other threat actors continue to rely on it. Now is the time to take command and control of the security measures that thwart C2-based attacks.
