
Cyber Attacks Response of the Criminal Law

This article discusses the response to the cyber attacks during the Bronze Soldier statue controversy in Estonia, the identification of perpetrators, and the challenges faced in prosecution. Lessons learned and the limitations of criminal law in dealing with such attacks are also highlighted.

sbaker

Presentation Transcript


  1. Cyber Attacks Response of the Criminal Law
     Margus Kurm, State Prosecutor, Office of the Prosecutor General of Estonia

  2. Prologue
     • 8 May 1945: World War II ended
     • A statue (called the Bronze Soldier) in downtown Tallinn had become a continual source of conflict
     • On 26.04.2007 the Government started preparatory works to relocate the statue to the military graveyard
     • In the evening Russian-speaking people started to come to the scene to protect the statue
     • That night and the following nights Tallinn (and also some cities in the North-East) was swept by riots (ca 1000 were arrested and one killed)
     • On 27.04.2007 Estonia came under a politically motivated offensive cyber campaign

  3. Cyber Attacks – Who and Why?
     • Phase 1 – H-Activism
         • On 27-29 April most of the attacks were carried out by people of varying IT skills who wanted to protest against the government.
         • Their methods were mostly primitive and they were often not aware of the potential consequences of their actions.
         • Most of them were calmed down before Phase 2 started.
     • Phase 2 – E-Terrorism
         • Between 30.04 and 18.05 Estonia faced attacks that required at least cracker-level skills and resources.
         • The attackers used more sophisticated methods and chose their targets carefully.
         • They were not only protesters, but someone who really wanted to disturb the everyday life of the Estonian people and government.

  4. Cyber Attacks – How?
     • Defacement of web pages (government, prime minister, political parties, etc.)
     • Saturating the servers by various primitive methods, such as pinging
     • Professional DDoS attacks where BOTnets and standard tools were used
     • Necessary information (hacking instructions as well as the addresses of the “right” websites) was provided and discussed in different (mostly Russian) forums

  5. Identification of Perpetrators
     • It was a massive work of data collection and analysis, done in cooperation with different public and private institutions as well as foreign partners in Europe and the USA
     • The main steps were the following:
         • Logs taken from hackers’ forums were compared with logs we got from the attacked servers
         • Matching IPs were separated into two categories: domestic and foreign
         • The next step was to find out whether a domestic IP belonged to a compromised computer or a possible attacker
         • When we had enough grounds to believe that an IP was used by an attacker, we started with traditional investigation methods, such as wire-tapping, search, etc.
         • Some compromised computers were copied and their communication was monitored in order to reach the BOTnets
         • Some very active IPs were sent to the Russian authorities in the form of an MLA request to find out the owners or users
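The first two steps on slide 5 (comparing forum logs with logs from the attacked servers, then splitting the matching IPs into domestic and foreign) can be sketched as follows. This is an added example, not material from the presentation; the log formats, the sample lines, and the domestic prefix list are constructed assumptions, using documentation address ranges only.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation ranges, not real indicators).
FORUM_LOG = """\
2007-04-28 21:14:02 user=guest17 ip=192.0.2.44 thread=1203
2007-04-28 21:20:41 user=guest02 ip=198.51.100.7 thread=1203
2007-04-29 08:03:10 user=guest31 ip=203.0.113.90 thread=1207
"""
SERVER_LOG = """\
192.0.2.44 - - [28/Apr/2007:22:01:13 +0300] "GET / HTTP/1.0" 200 512
192.0.2.44 - - [28/Apr/2007:22:01:14 +0300] "GET / HTTP/1.0" 200 512
203.0.113.90 - - [29/Apr/2007:09:15:47 +0300] "GET / HTTP/1.0" 503 0
198.51.100.200 - - [29/Apr/2007:09:15:48 +0300] "GET / HTTP/1.0" 200 512
not-an-ip - - [29/Apr/2007:09:15:49 +0300] "GET / HTTP/1.0" 400 0
"""
# Assumption: the investigator holds a list of domestically allocated prefixes.
DOMESTIC_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

FORUM_IP = re.compile(r"\bip=(\S+)")   # hypothetical forum log field
SERVER_IP = re.compile(r"^(\S+) ")     # first field of a common-log-format line

def ips_in(log, pattern):
    """Count hits per valid source address; malformed entries are skipped."""
    counts = Counter()
    for line in log.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # not a parseable address, keep it out of the evidence set
    return counts

def correlate(forum_log, server_log, domestic):
    """Return IPs present in both logs, bucketed as domestic or foreign."""
    forum, server = ips_in(forum_log, FORUM_IP), ips_in(server_log, SERVER_IP)
    result = {"domestic": [], "foreign": []}
    for ip in sorted(forum.keys() & server.keys(), key=str):
        bucket = "domestic" if any(ip in net for net in domestic) else "foreign"
        result[bucket].append((str(ip), server[ip]))
    return result

if __name__ == "__main__":
    # A match is only a lead: the address may belong to a compromised machine.
    print(correlate(FORUM_LOG, SERVER_LOG, DOMESTIC_PREFIXES))
```
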

  6. Results
     • One prosecution and conviction
     • Tens of suspected persons whose guilt was not proven
     • Hundreds of suspicious IP addresses (mostly Russian) which we can do nothing with, because Russia refused to co-operate
     • At least one BOTnet was discovered and closed down

  7. Problems
     • Attackers had no personal motivation, thus we had no other way to move on but IT-tracks (logs)
     • Most of the manpower was used for defence and prevention, not for collecting and securing evidence in the way it should be done for trial in a criminal court
     • It is very difficult to discover a professional hacker using only IT-tracks and having no intelligence
     • Tracks led us to Russia, which refused to co-operate
     • There is a limit to how much aid (read: resources spent) you can ask from your friends abroad

  8. Lessons Learnt
     • Effective co-operation between the private and public sectors is possible. A sort of informal “defence-network” may even work better than hierarchic institutions, but co-ordination and some management are still needed to avoid duplication and to assure fast exchange of information.
     • Defence and prevention should be the priority, both during the action and in peacetime.
     • The State will never have enough resources to defend everybody. Thus, companies depending on the Internet and internal networks must pay attention to security.
     • Fast international cooperation is very important.

  9. Lessons Learnt - Remark
     • Criminal law as a measure should not be overestimated in the case of massive attacks of this kind, because:
         • It is too slow and resource consuming, international co-operation especially
         • It does not have enough preventive effect, because big bugs can never be identified and they know it
         • It is public in nature, and that is why private companies (especially financial institutions) are not interested in being victims of cyber crime
