A successful cyberattack requires more than just gaining entry into a victim’s network. To truly reap the rewards, attackers must maintain a persistent presence within the system. After establishing communication with other compromised network devices, actors can stealthily extract valuable data. The key to all this is a well-developed Command and Control (C2 or C&C) infrastructure.

The number of C2 servers used for launching cyberattacks increased by 30% in 2022. More than 17,000 of these servers were detected last year, up from 13,629 in 2021.

The concept of centralized control over compromised systems has existed since the early days of computer viruses. One of the earliest documented instances of C2 infrastructure in a cyberattack was the Morris worm, which was unleashed in 1988 from a hijacked computer at MIT. It then proceeded to wreak havoc on huge swaths of the internet. The impact of the Morris worm was a wake-up call for the need to improve the security of computer systems and networks.

History of the Morris Worm

The Morris worm was one of the first computer worms to capture the attention of the public and media. As an experimental prank, a graduate student at Cornell named Robert Tappan Morris launched the worm on November 2, 1988. Unfortunately, it spread like wildfire through vulnerabilities in UNIX operating systems.

The Morris worm infected systems at a number of the prestigious colleges and public and private research centers that made up the early national electronic network. This was a year before the invention of the World Wide Web. Among the many victims were Harvard, Princeton, Berkeley, Stanford, Johns Hopkins, NASA and the Lawrence Livermore National Laboratory. Some estimated the overall damage to be up to $10 million.

Experts consider the Morris worm to be one of the first C2 attacks. This is because it had the capability to remotely control infected systems and use them to spread the worm to other systems. The worm was designed to spread rapidly, infect as many systems as possible and maintain persistence in those systems.

The Morris worm was one of the first self-replicating computer worms. It used a decentralized approach to spread but relied on a centralized mechanism to communicate with infected systems. Since then, the use of C2 infrastructure in cyberattacks has become even more sophisticated.

From Morris to Modern-Day C2

The C2 aspect of the Morris worm is a key factor that distinguished it from earlier computer viruses and worms. Previously, attackers primarily designed computer viruses to spread and cause disruption. The Morris worm demonstrated the potential for attackers to use worms as a means of establishing a persistent presence within a target network. This characteristic has since become a hallmark of Advanced Persistent Threat (APT) attacks.

There have been numerous well-known incidents that have utilized C2 infrastructure. Some of them have been the most damaging cyber events ever. Here are a few examples:

  1. Stuxnet was a highly sophisticated cyberattack discovered in 2010 that targeted the Iranian nuclear program. It was one of the earliest instances of malware using C2 infrastructure to infect and control target systems.
  2. WannaCry was a highly virulent ransomware attack that affected over 200,000 computers in 150 countries in 2017. The malware spread by using a vulnerability in the Microsoft Windows operating system. This allowed it to infect unpatched systems and then spread from one system to another within a network.
  3. NotPetya was a destructive malware attack that impacted organizations worldwide in 2017. It initially spread through a software supply chain attack, infecting a Ukrainian accounting software called MEDoc with the malware. Then it spread to users who installed the software. After that, the malware spread rapidly across computer networks, causing widespread damage and disruption.
  4. Operation Aurora was a highly sophisticated cyber espionage campaign that targeted companies in the technology, defense and financial sectors, among others. The attackers used C2 infrastructure to remotely control and exfiltrate sensitive data from targeted organizations.

These are just a few examples of well-known C2-based attacks. There have been many others, and new attacks utilizing C2 infrastructure are still discovered regularly.

What C2 isn’t

Not all cyberattacks utilize C2 infrastructure, and sometimes the differences can be confusing. Some examples of attacks that typically do not use C2 infrastructure include:

  1. Phishing Attacks that use email to deliver malware or trick victims into giving away sensitive information may not utilize C2 infrastructure. However, phishing may be the initial way C2 attacks gain a foothold in a network.
  2. Drive-By Downloads are a type of attack where malware infects a victim’s device when they visit a compromised website. This type of attack does not typically utilize C2 infrastructure.
  3. Exploits take advantage of vulnerabilities in software or systems to execute arbitrary code. Unlike C2-based attacks, exploits do not typically involve centralized control over compromised systems.
  4. Rogue software or applications, such as spyware or adware, can be installed on a victim’s device without the victim’s knowledge or consent. This type of attack does not typically utilize C2 infrastructure.

How to Defend Against C2 Attacks

Security pros have developed various techniques and technologies to detect and disrupt C2 infrastructure. A multi-layered approach is the best defense, and some effective solutions against C2-related attacks include:

  1. Network Segmentation: Segregating networks into smaller, isolated segments can limit the spread of an attack and reduce the attack surface.
  2. Endpoint Security: Securing endpoints such as computers and mobile devices with anti-virus software, firewalls and intrusion detection systems can prevent attackers from compromising devices and using them to control the network.
  3. Network Monitoring: Monitoring network traffic for unusual or suspicious activity can help detect and prevent attacks that utilize C2 infrastructure.
  4. Threat Intelligence: Utilizing threat intelligence from various sources can provide organizations with information about known C2-based attacks.
  5. Proactive Patching: Keeping software and systems up-to-date with the latest security patches can help prevent exploits and limit the effectiveness of C2-based attacks.
  6. User Education: Educating users about the dangers of phishing, social engineering and other types of cyberattacks can help prevent the initial compromise that can lead to the use of C2 infrastructure.
  7. Incident Response Planning: Having an incident response plan in place can help organizations respond quickly and effectively to a cyberattack. This reduces the impact of the attack and minimizes the use of C2 infrastructure.
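Two of the items above, network monitoring and threat intelligence, can be combined into a single detection. The following is an added example (not X-Force code) of a small Python detector run over a constructed flow log: it flags hosts that contact the same destination at near-constant intervals, the beaconing pattern typical of an implant polling its C2 server, and destinations that appear on a constructed threat-intelligence list. The log format, addresses and the indicator list are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: "<epoch_seconds> <src_ip> <dst_ip> <bytes>".
# 10.0.0.7 polls one host every ~60s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.7 203.0.113.5 512
1060 10.0.0.7 203.0.113.5 510
1121 10.0.0.7 203.0.113.5 515
1180 10.0.0.7 203.0.113.5 511
1241 10.0.0.7 203.0.113.5 512
1003 10.0.0.9 198.51.100.20 4096
1017 10.0.0.9 198.51.100.20 120000
1350 10.0.0.9 198.51.100.20 2200
1400 10.0.0.9 198.51.100.20 780
1015 10.0.0.12 192.0.2.44 300
"""

# Constructed threat-intel list (documentation address, not a real indicator).
KNOWN_C2 = {"192.0.2.44"}


def parse_flows(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_suspicious(text, min_conns=4, max_jitter=0.1):
    """Return {(src, dst): reason} for threat-intel hits and beaconing.

    Beaconing = at least min_conns connections whose inter-arrival gaps
    have a coefficient of variation (stdev / mean) below max_jitter.
    """
    findings = {}
    for (src, dst), times in parse_flows(text).items():
        if dst in KNOWN_C2:
            findings[(src, dst)] = "threat-intel match"
            continue
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv < max_jitter:
            findings[(src, dst)] = f"beaconing every ~{mean(gaps):.0f}s"
    return findings
```

Real implants add random sleep jitter, so in production the `max_jitter` threshold and the minimum connection count should be tuned against baseline traffic rather than fixed as here.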

C2 incidents have a long history, and APT groups and other threat actors continue to use them. Now is the time to take command and control over security that thwarts C2-based attacks.
