Cyber Attacks – Response of the Criminal Law
Margus Kurm
State Prosecutor
Office of the Prosecutor General of Estonia
Prologue
• On the 8th of May 1945 World War II ended
• A statue (called the Bronze Soldier) in downtown Tallinn had become a continual source of conflict
• On 26.04.2007 the Government started preparatory works to relocate the statue to the military graveyard
• In the evening Russian-speaking people started to come to the scene to protect the statue
• That night and the following nights Tallinn (and also some cities in the North-East) was swept by riots (ca 1000 were arrested and one killed)
• On 27.04.2007 Estonia came under a politically motivated offensive cyber campaign
Cyber Attacks – Who and Why?
• Phase 1 – Hacktivism
– On 27-29 April most of the attacks were carried out by people of varying IT skills who wanted to protest against the government.
– Their methods were mostly primitive and they were often not aware of the potential consequences of their actions.
– Most of them had calmed down before Phase 2 started.
• Phase 2 – E-Terrorism
– Between 30.04 and 18.05 Estonia faced attacks that required at least cracker-level skills and resources.
– They used more sophisticated methods and chose their targets carefully.
– They were not merely protesters, but someone who really wanted to disturb the everyday life of the Estonian people and government.
Cyber Attacks – How?
• Defacement of web pages (government, prime minister, political parties, etc.)
• Saturating the servers with various primitive methods, such as pinging
• Professional DDoS attacks in which botnets and standard tools were used
• The necessary information (hacking instructions as well as the addresses of the “right” websites) was provided and discussed in different (mostly Russian) forums
Identification of Perpetrators
• It was a massive work of data collection and analysis which was done in cooperation with different public and private institutions as well as foreign partners in Europe and the USA
• The main steps were:
– Logs taken from hackers’ forums were compared with logs we got from the attacked servers
– Matching IPs were separated into two categories – domestic and foreign
– The next step was to find out whether a domestic IP belonged to a compromised computer or to a possible attacker
– When we had enough grounds to believe that an IP was used by an attacker, we started with traditional investigation methods, such as wire-tapping, search, etc.
– Some compromised computers were copied and their communications were monitored in order to reach the botnets
– Some very active IPs were sent to the Russian authorities in the form of MLA (mutual legal assistance) requests, asking them to find out the owners or users
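As an added illustration of the first three steps above (example code, not from the presentation), the following Python correlates a constructed forum log with a constructed web-server access log and splits the matching IPs by an assumed, placeholder list of "domestic" address ranges:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input (documentation address ranges, not real data): one poster IP
# and timestamp per line, as a forum operator's log might record it.
FORUM_LOG = """\
198.51.100.7 2007-04-28T21:03:11 post #101
203.0.113.9 2007-04-28T21:05:40 post #102
192.0.2.44 2007-04-28T21:07:02 post #103
"""

# Constructed sample input: access log of an attacked web server (Common Log Format).
ACCESS_LOG = """\
198.51.100.7 - - [28/Apr/2007:21:10:05 +0300] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [28/Apr/2007:21:10:06 +0300] "GET / HTTP/1.0" 200 512
192.0.2.44 - - [28/Apr/2007:21:12:30 +0300] "GET /index.html HTTP/1.1" 200 4096
192.0.2.80 - - [28/Apr/2007:21:13:00 +0300] "GET /news HTTP/1.1" 200 2048
"""

# Assumed "domestic" ranges: a placeholder list, not any real national allocation.
DOMESTIC_NETS = [ipaddress.ip_network("198.51.100.0/24")]

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")  # leading IPv4 address of a line


def ips_in(log: str) -> Counter:
    """Count how often each leading IPv4 address appears in the log text."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = IP_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def correlate(forum_log: str, access_log: str, domestic_nets: list) -> dict:
    """Return {"domestic": {ip: hits}, "foreign": {ip: hits}} for IPs present in both
    logs; 'hits' is the request count on the attacked server. A matching IP may still
    be a compromised machine rather than the attacker, so it is a lead, not proof."""
    forum_ips = ips_in(forum_log)
    access_ips = ips_in(access_log)
    result: dict = {"domestic": {}, "foreign": {}}
    for ip in sorted(forum_ips.keys() & access_ips.keys(), key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        bucket = "domestic" if any(addr in net for net in domestic_nets) else "foreign"
        result[bucket][ip] = access_ips[ip]
    return result
```

In the sample data only two addresses appear in both logs, one domestic and one foreign; the domestic one is exactly the kind of lead that still needs the compromised-or-attacker check described in the next step.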
Results
• One prosecution and conviction
• Tens of suspected persons whose guilt was not proven
• Hundreds of suspicious IP addresses (mostly Russian) with which we can do nothing, because Russia refused to co-operate
• At least one botnet was discovered and closed down
Problems
• Attackers had no personal motive, so we had no other lead to follow but IT tracks (logs)
• Most of the manpower was used for defence and prevention and not for collecting and preserving evidence in the way it should be done for trial in a criminal court
• It is very difficult to discover a professional hacker using only IT tracks and having no intelligence
• The tracks led us to Russia, which refused to co-operate
• There is a limit to how much aid (read: resources spent) you can ask from your friends abroad
Lessons Learnt
• Effective co-operation between the private and public sector is possible. A sort of informal “defence network” may even work better than hierarchic institutions, but co-ordination and some management is still needed to avoid duplication of effort and to assure fast exchange of information.
• Defence and prevention should be the priority, both during the action and in peacetime.
• The state will never have enough resources to defend everybody. Thus, companies depending on the Internet and internal networks must pay attention to security.
• Fast international co-operation is very important.
Lessons Learnt - Remark
• Criminal law as a measure should not be overestimated in the case of such massive attacks, because:
– It is too slow and resource-consuming, international co-operation especially
– It does not have enough preventive effect, because the big bugs can never be identified and they know it
– It is public in nature, and that is why private companies (especially financial institutions) are not interested in appearing as victims of cyber crime