Cyber Attacks Response of the Criminal Law Margus Kurm State Prosecutor Office of the Prosecutor General of Estonia

Upload: lewis-cannon

Post on 01-Jan-2016


Cyber Attacks – Response of the Criminal Law

Margus Kurm

State Prosecutor

Office of the Prosecutor General of Estonia

Prologue

• 8th of May 1945 World War II ended

• A statue (called Bronze Soldier) in downtown Tallinn had become a continual source of conflict

• On 26.04.2007 the Government started preparatory work to relocate the statue to the military graveyard

• In the evening Russian-speaking people started to come to the scene to protect the statue

• On this and the following nights Tallinn (and also some cities in the North-East) was swept by riots (ca 1000 were arrested and one was killed)

• 27.04.2007 Estonia fell under a politically motivated offensive cyber campaign


Cyber Attacks – Who and Why?

• Phase 1 – H-Activism

– On 27-29 April most of the attacks were carried out by people of varying IT skills who wanted to protest against the government.

– Their methods were mostly primitive and they were often not aware of the potential consequences of their actions.

– Most of them were calmed down before Phase 2 started.

• Phase 2 – E-Terrorism

– Between 30.04 and 18.05 Estonia faced attacks that required at least cracker-level skills and resources.

– They used more sophisticated methods and chose their targets carefully.

– They were not only protesters, but people who really wanted to disturb the everyday life of the Estonian people and government.

Cyber Attacks – How?

• Defacement of web-pages (government, prime minister, political parties, etc)

• Saturating the servers by various primitive methods, such as pinging

• Professional DDoS Attacks where BOTnets and standard tools were used

• Necessary information (hacking instructions as well as the addresses of the “right” websites) was provided and discussed in different (mostly Russian) forums

Identification of Perpetrators

• It was a massive work of data collection and analysis, which was done in cooperation with different public and private institutions as well as foreign partners in Europe and the USA

• The following were the main steps:

– Logs taken from hackers’ forums were compared with logs we got from the attacked servers

– Matching IPs were separated into two categories: domestic and foreign

– The next step was to find out whether a domestic IP belonged to a compromised computer or a possible attacker

– When we had enough grounds to believe that an IP was used by an attacker, we started with traditional investigation methods, such as wire-tapping, search etc.

– Some compromised computers were copied and their communication was monitored in order to reach the BOTnets

– Some very active IPs were sent to the Russian authorities in the form of MLA, with the request to find out the owners or users
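The first two steps above (comparing forum logs with attacked-server logs, then splitting the matching IPs into domestic and foreign) can be sketched as follows. This is an added example, not code from the presentation or the investigation; the log formats, the sample lines (RFC 5737 documentation addresses) and the `DOMESTIC_NETS` list are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges); not real evidence.
FORUM_LOG = """\
2007-04-28 21:14:02 198.51.100.7 GET /forum/thread/target-list
2007-04-28 21:20:45 203.0.113.21 GET /forum/thread/target-list
2007-04-29 08:03:11 192.0.2.99 GET /forum/thread/howto
"""
SERVER_LOG = """\
198.51.100.7 - - [28/Apr/2007:21:30:10 +0300] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [28/Apr/2007:21:30:11 +0300] "GET / HTTP/1.1" 200 512
203.0.113.21 - - [28/Apr/2007:21:41:00 +0300] "GET / HTTP/1.1" 503 0
192.0.2.150 - - [28/Apr/2007:22:00:00 +0300] "GET /news HTTP/1.1" 200 900
"""
# Hypothetical stand-in for the list of domestically allocated networks.
DOMESTIC_NETS = [ipaddress.ip_network("198.51.100.0/24")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ip_counts(log_text):
    """Count how often each valid IPv4 address appears (first address per line)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = IPV4.search(line)
        if not match:
            continue
        try:
            counts[ipaddress.ip_address(match.group())] += 1
        except ValueError:
            continue  # matched the pattern but is not an address, e.g. 999.1.1.1
    return counts

def correlate(forum_log, server_log, domestic_nets):
    """Return IPs seen in both logs, split by origin, most active on the server first."""
    forum, server = ip_counts(forum_log), ip_counts(server_log)
    result = {"domestic": [], "foreign": []}
    matching = forum.keys() & server.keys()
    for ip in sorted(matching, key=lambda i: (-server[i], i)):
        origin = "domestic" if any(ip in net for net in domestic_nets) else "foreign"
        result[origin].append((str(ip), server[ip]))
    return result

if __name__ == "__main__":
    print(correlate(FORUM_LOG, SERVER_LOG, DOMESTIC_NETS))
```

A match here is only a lead: as the next step in the list says, a matching domestic IP may belong to a compromised computer rather than to an attacker.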


Results

• One prosecution and conviction

• Tens of suspected persons whose guilt was not proven

• Hundreds of suspicious IP addresses (mostly Russian) which we can do nothing with, because Russia refused to co-operate

• At least one BOTnet was discovered and closed down


Problems

• Attackers had no personal motivation, thus we had no other way to move on but IT tracks (logs)

• Most of the manpower was used for defence and prevention and not for collecting and securing evidence in the way it should be done for trial in a criminal court

• It is very difficult to discover a professional hacker using only IT tracks and having no intelligence

• Tracks led us to Russia, which refused to co-operate

• There is a limit to how much aid (read: resources spent) you can ask from your friends abroad

Lessons Learnt

• Effective co-operation between the private and public sectors is possible. A sort of informal “defence-network” may even work better than hierarchical institutions, but co-ordination and some management is still needed to avoid duplication and ensure fast exchange of information.

• Defence and prevention should be the priority, both during the action and in peacetime.

• The state will never have enough resources to defend everybody. Thus, companies depending on the Internet and internal networks must pay attention to security.

• Fast international cooperation is very important.

Lessons Learnt - Remark

• Criminal law as a measure should not be overestimated in the case of such massive attacks, because:

– It is too slow and resource-consuming, international co-operation especially

– It does not have enough preventive effect, because big bugs can never be identified and they know it

– It has a public nature, and that is why private companies (especially financial institutions) are not interested in being victims of cyber crime