Siblings arrested in Italy's worst cyberespionage operation ever

Brother-and-sister team allegedly attacked at least 18,000 high-profile government and corporate PCs, using the Pyramid Eye malware and an international network of servers

The Tuesday arrest of Giulio Occhionero and his sister, Francesca Maria, has brought to light what appears to be the biggest, and highest-profile, hacking of institutional and corporate accounts ever reported in Italy.

The siblings had been planting the Pyramid Eye remote access Trojan on victims' computers via spear-phishing emails over the course of several years, according to the arrest order.

They attacked no fewer than 18,000 high-profile targets including former Prime Ministers Matteo Renzi and Mario Monti, President of European Central Bank Mario Draghi, as well as employees and heads of various ministries including Internal Affairs, Treasury, Finance, and Education.

Also attacked were members of Parliament and the Bank of Italy, Vatican Cardinal Gianfranco Ravasi, and several members of the Freemasons, an organization in which Giulio Occhionero held the rank of grand master in a Roman chapter. At least 1,700 of the attacks appear to have been successful.

Police investigations netted email passwords, 1,137 credentials for compromised PCs and a trove of 87GB of data spread across a network of several command-and-control and backup servers and computers in Italy and the U.S.

The Italian Postal Police obtained assistance from the FBI in seizing and monitoring the U.S. portion of the server infrastructure. Giulio Occhionero has a master's degree in nuclear engineering, is a founder of the Malta-based quantitative financial analysis firm Westlands Securities, and is also a software developer with several certifications. He allegedly modified and developed new features for the Pyramid Eye malware and maintained the network of servers and mailboxes used to collect exfiltrated data.

An ongoing analysis of the Pyramid Eye malware, connected domain names, IP addresses, and mailboxes used in the scheme has been published, in English, by Trend Micro Senior Threat Researcher Federico Maggi. A company blog post has details on the malware's code.

Elements in the code, such as the MailBee.NET.dll library license key that Occhionero acquired in his own name from the U.S.-based software developer Afterlogic, as well as C&C server IP addresses shared by websites publicly connected to him, allowed Italian police to identify and put him under close surveillance last August.

During the surveillance, Occhionero was probably tipped off about the ongoing investigation and started deleting data on his servers. The activity, however, was closely observed by police, probably by means of a state-controlled Trojan: the arrest order lists screenshots and WhatsApp chats as sources, and this type of evidence cannot be obtained through simple communications eavesdropping, noted computer forensics expert Matteo Flora in a vlog.

The combination of an industrial-scale surveillance network operating across international borders for years with amateurish blunders, such as using a personally licensed DLL to build the malware and sharing IP addresses between legitimate and criminal activities, is one of the most puzzling aspects of the case. Other questions have arisen as well: how could the two suspects, with possibly limited hacking skills, carry out a massive espionage operation against high-profile government targets without being detected for at least four years?

The real purpose and potential accomplices or mastermind of the criminal activity are still unknown. Judge Maria Paola Tommaselli, who charged the two siblings for felonies such as abusive intrusion in computer systems, abusive eavesdropping, and procurement of information regarding national security, is implying other people may be involved.

Four of the email addresses used for data exfiltration were linked to a criminal case in 2011, in which a covert and potentially subversive organization was compiling dossiers on politicians and managers. Giulio and Francesca Maria Occhionero are also board members of a construction company linked to an investigation into organized crime activities in Rome.

Judging by the targets, mostly in financial and Freemason circles, the two probably intended to use the stolen data as insider information for Westlands Securities' business and to raise Giulio Occhionero's standing among the Freemasons. Giulio and Francesca Maria Occhionero's lawyers denied any wrongdoing, asserting that the server network was used only for business purposes.

Andrea Grassi is the editor of Computerworld Italy. You can follow him on Twitter (@andreagrassi) or connect via LinkedIn.
