The number of malicious hacker attacks has increased dramatically over the last three years. One of the most damaging types of attacks, often executed over DNS, is accomplished through command and control, also called C2 or C&C callbacks.

Let's have a look at how hackers use this technique to infect their victims.

What is a C2 server?

A command-and-control server is a computer that is controlled by a cybercriminal. Command-and-control servers are used by attackers to maintain communications and send commands to systems inside a target network compromised by malware. These systems can include computers, smartphones, and even IoT devices connected to the network.

How are C2 servers used?

C2 servers act as command centres from where malware receives its commands. They are also used to collect and store stolen data. Establishing C2 communications is a vital step for attackers to access network resources. 

The attacker starts by infecting a computer, which may sit behind a firewall. This can be achieved in several ways:

• Via a phishing email that tricks an unsuspected employee into clicking a link to a malicious website or opening an attachment that executes malicious code.
• Through security holes in browser plugins.
• By downloading malicious apps.
• With malicious code brought in on external devices, e.g. USB sticks.
• Via other infected software.

Once a machine is compromised, the hacker will ping the infected computer or device for a callback to test the new connection. The infected computer will then carry out the commands from the attacker's C2 server and may install additional software.

The attacker now has complete control of the victim's computer and can execute any code. The malicious code will typically spread to more computers, creating a botnet – a network of infected machines. In this way, an attacker who is not authorised to access a company's network can obtain full control of that network.

What can hackers accomplish through command and control?

C2 attacks pose real dangers to shipping companies, with potentially severe operational, financial and reputational risks. Typically, attackers want to achieve the following:

1. Data exfiltration. Sensitive data, such as credentials, operational documents, financial data, employee records and other sensitive information, can be copied or transferred to an attacker's server.
2. Shutdown. An attacker can shut down one or several machines, or even bring down a company's network, ultimately bringing normal operations to a halt.
3. Distributed denial of service. DDoS attacks disrupt or shut down web servers as well as entire networks. DDoS attacks overwhelm servers or networks by flooding them with internet traffic. Once a botnet is established, an attacker can instruct each bot to send a request to the targeted IP address, creating a jam of requests for the targeted server. Legitimate traffic to the attacked IP address is denied.
   
   

Editor's note: This article was originally published in October 2019 and has been revised and updated for accuracy and comprehensiveness.